Ngrep

Last updated
ngrep
Developer(s) Jordan Ritter
Stable release
1.47 [1] / 7 September 2017;5 years ago (7 September 2017)
Repository
Written in C
Operating system Linux, Solaris, illumos FreeBSD, NetBSD, OpenBSD, Mac OS X, additional *NIX systems, Windows
Type Packet analyzer
License BSD-style [2]
Website https://github.com/jpr5/ngrep [3]

ngrep (network grep) is a network packet analyzer written by Jordan Ritter. It has a command-line interface, and relies upon the pcap library and the GNU regex library.

Contents

ngrep supports Berkeley Packet Filter (BPF) logic to select network sources or destinations or protocols, and also allows matching patterns or regular expressions in the data payload of packets using GNU grep syntax, showing packet data in a human-friendly way.

ngrep is an open source application, and the source code is available to download from the ngrep site on GitHub. It can be compiled and ported to multiple platforms, it works in many UNIX-like operating systems: Linux, Solaris, illumos, BSD, AIX, and also works on Microsoft Windows. [4]

Functionality

ngrep is similar to tcpdump, but it has the ability to look for a regular expression in the payload of the packet, and show the matching packets on a screen or console. It allows users to see all unencrypted traffic being passed over the network, by putting the network interface into promiscuous mode.

ngrep with an appropriate BPF filter syntax, can be used to debug plain text protocols interactions like HTTP, SMTP, FTP, DNS, among others, or to search for a specific string or pattern, using a grep regular expression syntax. [5] [6]

ngrep also can be used to capture traffic on the wire and store pcap dump files, or to read files generated by other sniffer applications like tcpdump or wireshark.

ngrep has various options or command line arguments. The ngrep man page in UNIX-like operating systems show a list of available options.

Using ngrep

In these examples, it is assumed that eth0 is the used network interface.

ngrep -l -q -d eth0 -i "^GET |^POST " tcp and port 80
ngrep -l -q -d eth0 -i "User-Agent: " tcp and port 80
ngrep -l -q -d eth0 -i "" udp and port 53

Security

Capturing raw network traffic from an interface requires special privileges or superuser privileges on some platforms, especially on Unix-like systems. ngrep default behavior is to drop privileges in those platforms, running under a specific unprivileged user.

Like tcpdump, it is also possible to use ngrep for the specific purpose of intercepting and displaying the communications of another user or computer, or an entire network.

A privileged user running ngrep in a server or workstation connected to a device configured with port mirroring on a switch, router, or gateway, or connected to any other device used for network traffic capture on a LAN, MAN, or WAN, can watch all unencrypted information related to login ID's, passwords, or URLs and content of websites being viewed in that network.

Supported protocols

See also

Related Research Articles

<span class="mw-page-title-main">Packet analyzer</span> Computer network equipment or software that analyzes network traffic

A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or part of a network. Packet capture is the process of intercepting and logging traffic. As data streams flow across the network, the analyzer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.

tcpdump Data-network packet analyzer

tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.

In computer networking, promiscuous mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is specifically programmed to receive. This mode is normally used for packet sniffing that takes place on a router or on a computer connected to a wired network or one being part of a wireless LAN. Interfaces are placed into promiscuous mode by software bridges often used with hardware virtualization.

aMule

aMule is a free peer-to-peer file sharing utility that works with the eDonkey network and the Kad network, offering similar features to eMule and adding others such as GeoIP. On August 18, 2003 it was forked from the xMule source code, which itself is a fork of the lMule project, which was the first attempt to bring the eMule client to Linux. These projects were discontinued and aMule is the resulting project, though aMule has less and less resemblance to the client that sired it.

netstat Command line network statistics tool

In computing, netstat is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics. It is available on Unix, Plan 9, Inferno, and Unix-like operating systems including macOS, Linux, Solaris and BSD. It is also available on IBM OS/2 and on Microsoft Windows NT-based operating systems including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It involves allowing private network communications to be sent across a public network through a process called encapsulation.

dSniff is a set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data. arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker. sshmitm and webmitm implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

<span class="mw-page-title-main">Ettercap (software)</span> Network traffic analysis and interception software

Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. Its original developers later founded Hacking Team.

In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of packet capture, that is not the API's proper name. Unix-like systems implement pcap in the libpcap library; for Windows, there is a port of libpcap named WinPcap that is no longer supported or developed, and a port named Npcap for Windows 7 and later that is still supported.

A network socket is a software structure within a network node of a computer network that serves as an endpoint for sending and receiving data across the network. The structure and properties of a socket are defined by an application programming interface (API) for the networking architecture. Sockets are created only during the lifetime of a process of an application running in the node.

<span class="mw-page-title-main">Wireshark</span> Network traffic analyzer

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.

The Berkeley Packet Filter (BPF) is a technology used in certain computer operating systems for programs that need to, among other things, analyze network traffic. It provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received. In addition, if the driver for the network interface supports promiscuous mode, it allows the interface to be put into that mode so that all packets on the network can be received, even those destined to other hosts.

Packet injection in computer networking, is the process of interfering with an established network connection by means of constructing packets to appear as if they are part of the normal communication stream. The packet injection process allows an unknown third party to disrupt or intercept packets from the consenting parties that are communicating, which can lead to degradation or blockage of users' ability to utilize certain network services or protocols. Packet injection is commonly used in man-in-the-middle attacks and denial-of-service attacks.

<span class="mw-page-title-main">EtherApe</span> Network traffic monitoring tool

EtherApe is a packet sniffer/network traffic monitoring tool, developed for Unix. EtherApe is free, open source software developed under the GNU General Public License.

Bit-Twist is a libpcap-based packet generator and packet capture file modifier and replayer. It complements tcpdump, a packet capturing tool also built upon the packet capturing engine libpcap. Bit-Twist allows you to regenerate packets from one or more pcap files. It also comes with a comprehensive pcap file editor to allow advance manipulation of packet information, e.g. fields in Ethernet, ARP, IP, ICMP, TCP, and UDP headers, prior to regenerating the packets onto the network.

Justniffer is a TCP packet sniffer. It can log network traffic in a 'standard' or in a customized way. It can also log response times, useful for tracking network services performances . The output format of the traffic can be easily customized. An example written in Python stores the transferred contents in an output directory separated by domains. This means that the transferred files like html, css, javascript, images, sounds, etc. can be saved to a directory.

netsniff-ng Linux networking toolkit

netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its gain of performance is reached by zero-copy mechanisms for network packets, so that the Linux kernel does not need to copy packets from kernel space to user space via system calls such as recvmsg . libpcap, starting with release 1.0.0, also supports the zero-copy mechanism on Linux for capturing (RX_RING), so programs using libpcap also use that mechanism on Linux.

Xplico is a network forensics analysis tool (NFAT), which is a software that reconstructs the contents of acquisitions performed with a packet sniffer.

<span class="mw-page-title-main">Packet Sender</span>

Packet Sender is an open source utility to allow sending and receiving TCP and UDP packets. It also supports TCP connections using SSL, intense traffic generation, HTTP(S) GET/POST requests, and panel generation. It is available for Windows, Mac, and Linux. It is licensed GNU General Public License v2 and is free software. Packet Sender's web site says "It's designed to be very easy to use while still providing enough features for power users to do what they need.".

PCAP-over-IP is a method for transmitting captured network traffic through a TCP connection. The captured network traffic is transferred over TCP as a PCAP file in order to preserve relevant metadata about the packets, such as timestamps.

References

  1. "Release V1_47" . Retrieved 18 February 2018.
  2. LICENSE.txt file in the tarball
  3. Error: Unable to display the reference properly. See the documentation for details.
  4. ngrep supported platforms
  5. ngrep and regular expressions
  6. ngrep usage