Ngrep
ngrep is a network packet analyzer written by Jordan Ritter. It runs under the command line, and relies upon the pcap library and the GNU regex library.
ngrep supports Berkeley Packet Filter (BPF) logic to select network sources, destinations or protocols, and can also match patterns or regular expressions in the data payload of packets using GNU grep syntax, showing packet data in a human-friendly way.
ngrep is an open source application, and the source code is available to download from the ngrep site at SourceForge. It can be compiled and ported to multiple platforms; it works on many UNIX-like operating systems (Linux, Solaris, BSD, AIX) and also on Microsoft Windows.
Functionality
ngrep is similar to tcpdump, but it has the ability to look for a regular expression in the payload of the packet, and show the matching packets on a screen or console. It allows users to see all unencrypted traffic passing over the network by putting the network interface into promiscuous mode. Note that promiscuous mode only exposes the frames that actually reach that interface: on a switched network this is limited to broadcast, flooded or mirrored traffic, so a mirror (SPAN) port or a tap is normally required to observe conversations between other hosts.
With an appropriate BPF filter, ngrep can be used to debug plain text protocol interactions such as HTTP, SMTP, FTP and DNS, among others, or to search for a specific string or pattern using grep regular expression syntax.
ngrep can also be used to capture traffic on the wire and store it in pcap dump files, or to read files generated by other sniffer applications, such as tcpdump or Wireshark.
ngrep has various options or command line arguments. The ngrep man page on UNIX-like operating systems lists the available options.
Using ngrep
Typical uses of ngrep. In both commands -d selects the interface, -q suppresses the '#' that ngrep otherwise prints for every non-matching packet, -l makes standard output line buffered so the result can be piped, and the trailing BPF expression restricts capture to TCP port 80.
- Capture traffic on the eth0 interface and show HTTP requests whose payload starts with a GET or POST method line
ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
- Capture traffic on the eth0 interface and show packets carrying an HTTP User-Agent header
ngrep -l -q -d eth0 "User-Agent: " tcp and port 80
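What ngrep does in the commands above, and when reading dump files as described in the Functionality section (decode each packet, keep those selected by the BPF filter, run the regular expression over the raw payload, print a header line and the payload with non-printable bytes shown as dots), can be illustrated with a small re-implementation. The following Python is an added example, not ngrep's own code: it builds a constructed pcap file in memory (all addresses, ports and payloads are invented), decodes Ethernet/IPv4 with TCP or UDP, and reproduces the selection made by the two commands in this section. The port argument stands in for the BPF expression, and ignore_case for ngrep's -i.

```python
"""ngrep-style payload matching over a pcap file (added example, not ngrep's own code)."""
import re
import socket
import struct
from typing import Dict, List, Optional

# TCP flag bits and the letters shown for them in the header line ([AP] = ACK+PSH).
TCP_FLAG_LETTERS = [(0x02, "S"), (0x10, "A"), (0x08, "P"), (0x01, "F"), (0x04, "R")]

def ipv4_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Ethernet + IPv4 header around a transport segment (IP checksum left 0, not verified)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4

def tcp_segment(sport: int, dport: int, flags: int, payload: bytes) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload

def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_pcap(frames: List[bytes]) -> bytes:
    """Classic libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def decode_frame(frame: bytes) -> Optional[Dict]:
    """Ethernet/IPv4/{TCP,UDP} decode; None for anything else (ARP, IPv6, ICMP, ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto, l4 = frame[23], frame[14 + ihl:14 + total_len]
    pkt = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34])}
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        doff, flags = (l4[12] >> 4) * 4, l4[13]
        pkt.update(kind="T", sport=sport, dport=dport, payload=l4[doff:],
                   flags="".join(ch for bit, ch in TCP_FLAG_LETTERS if flags & bit))
    elif proto == 17 and len(l4) >= 8:
        sport, dport, ulen = struct.unpack_from("!HHH", l4, 0)
        pkt.update(kind="U", sport=sport, dport=dport, payload=l4[8:ulen], flags="")
    else:
        return None
    return pkt

def parse_pcap(data: bytes) -> List[Dict]:
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"  # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond variants not handled)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are decoded here")
    packets, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        pkt = decode_frame(data[off + 16:off + 16 + incl_len])
        if pkt is not None:
            packets.append(pkt)
        off += 16 + incl_len
    return packets

def ngrep_like(pcap: bytes, pattern: str, port: Optional[int] = None,
               ignore_case: bool = False) -> List[str]:
    """One ngrep-style entry per packet whose payload matches `pattern`; `port` stands in for
    a BPF filter like 'tcp and port 80', `ignore_case` for -i. Non-printable bytes print as '.'."""
    flags = re.IGNORECASE if ignore_case else 0
    out = []
    for p in parse_pcap(pcap):
        if port is not None and port not in (p["sport"], p["dport"]):
            continue
        text = p["payload"].decode("latin-1")  # regex runs on raw payload, so '^' = payload start
        if not text or not re.search(pattern, text, flags):
            continue
        header = f'{p["kind"]} {p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}'
        if p["kind"] == "T":
            header += f' [{p["flags"]}]'
        out.append(header + "\n  " + "".join(c if 32 <= ord(c) < 127 else "." for c in text))
    return out

# Constructed sample capture (not real traffic): an HTTP GET, the server's payload-less ACK,
# an SMTP EHLO on port 25 and a DNS A query for example.com on UDP/53.
SAMPLE_PCAP = build_pcap([
    ipv4_frame("10.0.0.5", "93.184.216.34", 6, tcp_segment(40000, 80, 0x18,
               b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n")),
    ipv4_frame("93.184.216.34", "10.0.0.5", 6, tcp_segment(80, 40000, 0x10, b"")),
    ipv4_frame("10.0.0.5", "10.0.0.25", 6, tcp_segment(40001, 25, 0x18, b"EHLO mail.example.com\r\n")),
    ipv4_frame("10.0.0.5", "10.0.0.1", 17, udp_datagram(53000, 53,
               b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01")),
])

if __name__ == "__main__":  # same selection as: ngrep -q -I capture.pcap "^GET |^POST " tcp and port 80
    print("\n".join(ngrep_like(SAMPLE_PCAP, "^GET |^POST ", port=80)))
```

Two details worth noticing: the server's ACK carries no payload and is never shown, and "^" anchors at the start of the payload rather than at every line, so a pattern like "^Host:" finds nothing in the request above while "User-Agent: " does. Reading a dump file this way, like ngrep -I file, needs only read access to the file; capturing from a live interface is what requires the privileges discussed in the Security section.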
Security
Capturing raw network traffic from an interface requires special or superuser privileges on some platforms, especially on Unix-like systems. On those platforms ngrep's default behavior is to drop privileges once the capture has been set up, continuing to run under a specific unprivileged user. Reading an existing dump file needs no special privileges beyond read access to the file.
Like tcpdump, ngrep can also be used for the specific purpose of intercepting and displaying the communications of another user or computer, or of an entire network.
A privileged user running ngrep on a server or workstation connected to a device configured with port mirroring on a switch, router, or gateway, or connected to any other device used for network traffic capture on a LAN, MAN, or WAN, can watch all unencrypted information related to login IDs, passwords, or URLs and the content of websites being viewed in that network. Traffic protected by TLS or other encryption exposes only its metadata (addresses, ports, timing and sizes) to ngrep; the payload pattern has nothing readable to match.
Supported Platforms
- Linux: operating system running the Linux kernel
- Solaris: Unix operating system developed by Sun Microsystems
- BSD: Unix operating system family (FreeBSD, NetBSD, OpenBSD)
- Mac OS X: Unix operating system developed by Apple Inc.
- AIX: Unix operating system developed by IBM
- Windows: operating system developed by Microsoft
Supported Protocols
- IPv4 and IPv6, Internet Protocol version 4 and version 6
- TCP, Transmission Control Protocol
- UDP, User Datagram Protocol
- ICMPv4 and ICMPv6, Internet Control Message Protocol version 4 and version 6
- IGMP, Internet Group Management Protocol
- Ethernet, IEEE 802.3
- PPP, Point-to-Point Protocol
- SLIP, Serial Line Internet Protocol
- FDDI, Fiber Distributed Data Interface
- Token Ring, IEEE 802.5
See also
- tcpdump, a common packet analyzer that runs under the command line
- pcap, an application programming interface (API) for capturing network traffic
- snoop, a command line packet analyzer included with Solaris
- Wireshark, a network packet analyzer featuring a GUI and a command line interface
- dsniff, a packet sniffer and set of traffic analysis tools
- flowgrep, a tool written in Python similar to ngrep