Search network traffic with ngrep | tutorial

Ngrep

ngrep, or network grep, is a command line utility that searches network packets for a given string or regex pattern. It uses the pcap library to capture packets and the GNU regex library to run the searches. Think of ngrep as tcpdump + grep.

Project Url
http://ngrep.sourceforge.net/

Install ngrep on Ubuntu

$ sudo apt-get install ngrep

Ngrep on windows

The Windows version can be downloaded from the following URL
http://ngrep.sourceforge.net/download.html

The Windows version uses the WinPcap packet capture library, so download and install WinPcap before running ngrep.

Examples

Ubuntu Linux

1. Search network traffic for string "User-Agent: "

$ sudo ngrep -d eth0 "User-Agent: " tcp and port 80
interface: eth0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp and port 80 )
match: User-Agent: 
########
T 192.168.1.33:58371 -> 74.125.235.63:80 [AP]
  GET / HTTP/1.1..Host: www.google.co.in..Connection: keep-alive..Cache-Control: max-age=0..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..User-Agent: Mozilla/5.0
   (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31..X-Chrome-Variations: CMi1yQEIlLbJAQiftskBCKO2yQEIqLbJAQi0tskBCPaDygE=..Accept-Encoding: gzi
  p,deflate,sdch..Accept-Language: en-US,en;q=0.8..Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3..Cookie: NID=67=O0YNQ7TW_JNSxrXy4zIF70QPEJtgAEz4NdFtvJ8AEtVx0t7Gt5AP1nzq-t4LFMppFh9ssigmm-
  CATkSb-rwRsDUyPojbdxZ4V6WnCJE8kEBAM756ewF4xRUoa9G1Wp8t; PREF=ID=301b64152c5d8dc2:U=cb788f63c4416030:FF=0:TM=1367511806:LM=1367511829:S=zDKl6lAfpbjldu6A....                               
##################################################

In the above command:
a) tcp and port 80 is the BPF filter (Berkeley Packet Filter); it restricts the capture to TCP packets with port 80 as source or destination port.
b) The -d option specifies the interface to sniff, eth0 in this case.
c) "User-Agent: " is the string to search for. Every packet whose payload contains that string is displayed.

2. Search network packets for GET or POST requests:

$ sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
interface: eth0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp and port 80 )
match: ^GET |^POST 

T 192.168.1.2:46531 -> 74.125.71.104:80 [AP]
  GET / HTTP/1.1..Host: google.com..Connection: keep-alive..User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 
  (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;
  q=0.8..Accept-Encoding: gzip,deflate,sdch..Accept-Language: en-US,en;q=0.8..Accept-Charset: UTF-8,*;q=0.5..Cookie: PREF=
  ID=e5f4da8b92ac53ac:U=1647e37bd843d248:FF=0:TM=1307518148:LM=1307525364:GM=1:S=JFGOzz6deuNpC4qb; NID=52=VzByOWb324VDm5AU....                                                                                                          

T 192.168.1.2:53972 -> 74.125.71.103:80 [AP]
  GET / HTTP/1.1..Host: www.google.com..Connection: keep-alive..User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/53
  5.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,
  */*;q=0.8..Accept-Encoding: gzip,deflate,sdch..Accept-Language: en-US,en;q=0.8..Accept-Charset: UTF-8,*;q=0.5...
The -l option makes stdout line buffered, which matters when ngrep's output is piped into another program. The -q option is for quiet mode: ngrep prints only packet headers and their payloads (if relevant) and suppresses the per-packet "#" markers seen in the first example.

3. ngrep without any options simply captures all packets and prints their payloads.

$ sudo ngrep

On Windows

ngrep works on Windows the same way as on Linux/Ubuntu.

E:\ngrep>ngrep -l -q "User-Agent: " tcp and port 80
interface: \ (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp and port 80 )
match: User-Agent:

T 192.168.1.6:1075 -> 118.214.190.56:80 [AP]
  GET /pub/adobe/reader/win/9.x/9.4.0/en_US/AdbeRdr940_en_US.msi HTTP/1.1..Ac
  cept: */*..Accept-Encoding: identity..Range: bytes=2618095-2630135..User-Ag
  ent: Microsoft BITS/6.7..Host: armdl.adobe.com..Connection: Keep-Alive....
E:\ngrep>ngrep -l -q "^GET |^POST " tcp and port 80
interface: \ (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp and port 80 )
match: ^GET |^POST

T 192.168.1.6:1207 -> 64.131.72.23:80 [AP]
  POST /blog/wp-admin/admin-ajax.php HTTP/1.1..Host: www.binarytides.com..Con
  nection: keep-alive..Content-Length: 7256..Origin: http://www.binarytides.c
  om..X-Requested-With: XMLHttpRequest..User-Agent: Mozilla/5.0 (Windows NT 5
  .1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1.
  .Content-Type: application/x-www-form-urlencoded..Accept: */*..Referer: htt
  p://www.binarytides.com/blog/wp-admin/post.php?post=800&action=edit..Accept
  -Encoding: gzip,deflate,sdch..Accept-Language: en-US,en;q=0.8..Accept-Chars
  et: ISO-8859-1,utf-8;q=0.7,*;q=0.3......

The above examples used simple text strings as the search term, but ngrep supports regex patterns as well. Try them out.
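The -q output shown above is easy to post-process. The Python script below is an added example, not code from the page or the ngrep project: it reassembles ngrep's wrapped packet blocks, splits the ".."-rendered CRLFs back into HTTP header fields, and lists requests from non-browser clients (such as the BITS download in the Windows capture). It runs on a constructed sample modelled on the captures above; the hosts and paths in it are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the captures above (ngrep -q output, example hosts); not from the page.
SAMPLE = """match: ^GET |^POST

T 192.168.1.6:1075 -> 118.214.190.56:80 [AP]
  GET /pub/example.msi HTTP/1.1..Ac
  cept: */*..Range: bytes=100-200..User-Ag
  ent: Microsoft BITS/6.7..Host: dl.example.com..Connection: Keep-Alive....

T 192.168.1.2:46531 -> 74.125.71.104:80 [AP]
  POST /wp-admin/admin-ajax.php HTTP/1.1..Host: www.example.org..User-Agent: Mozilla/5.0
   (X11; Linux x86_64) Chrome/14.0..Content-Length: 7256....
"""
# 'T src:port -> dst:port [flags]' for TCP, 'U src:port -> dst:port' for UDP
HEADER_RE = re.compile(r'^([TU]) (\S+):(\d+) -> (\S+):(\d+)(?: \[(\w*)\])?$')

def parse_ngrep(text: str) -> List[Dict[str, str]]:
    """Reassemble packet blocks: header line, then payload lines indented by exactly two spaces."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"proto": m.group(1), "src": m.group(2), "dst": m.group(4), "payload": ""}
            packets.append(cur)
        elif cur is not None and line.startswith("  "):
            cur["payload"] += line[2:]  # ngrep wraps mid-token: strip only the indent, add no separator
        elif not line.strip() or line.startswith("#"):
            cur = None  # a blank line or a '#' marker ends the current block
    return packets

def http_fields(payload: str) -> Dict[str, str]:
    """ngrep prints each non-printable byte as '.', so CRLF shows as '..'; a value containing '..' would mis-split."""
    parts = [p for p in payload.split("..") if p]
    method, path = parts[0].split(" ", 2)[:2]
    fields = {"method": method, "path": path}
    for hdr in parts[1:]:
        name, _, value = hdr.partition(": ")
        fields[name.lower()] = value
    return fields

def non_browser_clients(text: str) -> List[str]:
    """'src -> host (User-Agent)' for requests whose User-Agent lacks the 'Mozilla/' browser prefix."""
    out = []
    for p in parse_ngrep(text):
        f = http_fields(p["payload"])
        if not f.get("user-agent", "").startswith("Mozilla/"):
            out.append(f'{p["src"]} -> {f.get("host", "?")} ({f.get("user-agent", "-")})')
    return out
```

Feed it live data with `sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80 | python3 script.py` after reading stdin in place of SAMPLE.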

When used with ARP spoofing tools like ettercap, ngrep can be used to sniff the data of other hosts connected to the network.

Last Updated On : 19th May 2013
