ngrep

                                 Rishu Seth
                          rishu-seth@hotmail.com

                            15th February, 2011


1     What is it + what it does?
    • network sniffer

    • from command line

    • network grep ← unix grep tool + network

    • many protocols supported (IP, ICMP, UDP, TCP, Ethernet, ...)

    • !! allows you to specify regular or hexadecimal expressions to match
      against data payloads


    • common use:

         – debug plaintext protocols like FTP, HTTP, SNMP
         – identify and analyze anomalous network activity (viruses/zombies/
           authentication exploits)
         – hacking/security


2     Synopsis + examples of commands
2.1     Syntax:

ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
      <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
      <-P char> <-F file> <match expression> <bpf filter>

    For a detailed description of the options see the man page (man ngrep).




2.2   Example of commands:
    • Example: Basic Packet Sniffing

        – To listen for traffic from x.x.x.x on port 25:
        :: ngrep host x.x.x.x and port 25
        – Monitor all activity crossing source or destination port 25 (SMTP):
        :: ngrep -d any port 25
        – Monitor any network-based syslog traffic for the occurrence of the
          word “error”. ngrep knows how to convert service port names (on
          UNIX, located in “/etc/services”) to port numbers.
        :: ngrep -d any 'error' port syslog
        – Monitor any traffic crossing source or destination port 21 (FTP),
          looking case-insensitively for the words “user” or “pass”, matched
          as word-expressions (the match term(s) must have non-alphanumeric,
          delimiting characters surrounding them).
        :: ngrep -wi -d any 'user|pass' port 21


3     Useful commands (from experimentation)

4     Example output sessions
see http://ngrep.sourceforge.net/usage.html for more detailed examples

4.1   Example: Debugging HTTP interactions
In certain scenarios it is desirable to see how web browsers communicate
with web servers, and to inspect the HTTP headers and possibly cookie
values that they are exchanging. In this example, we run ngrep on a
web server. Since it only has one interface, eth0, we omit specifying the
interface manually on the command line and allow ngrep to choose the
default interface for us, for convenience.

# ngrep port 80
interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42167 -> 64.90.164.74:80 [AP]
  GET / HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i
  686) Opera 7.21 [en]..Host: www.darkridge.com..Accept: text/html, applicat
  ion/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gi
  f, image/x-xbitmap, */*;q=0.1..Accept-Charset: iso-8859-1, utf-8, utf-16, *
  ;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0..Cookie: SQ
  MSESSID=5272f9ae21c07eca4dfd75f9a3cda22e..Cookie2: $Version=1..Connection:
  Keep-Alive, TE..TE: deflate, gzip, chunked, identity, trailers....
##
T 64.90.164.74:80 -> 67.169.59.38:42167 [AP]
   HTTP/1.1 200 OK..Date: Mon, 29 Mar 2004 00:44:40 GMT..Server: Apache/2.0.49
   (Unix)..Last-Modified: Tue, 04 Nov 2003 12:09:41 GMT..ETag: "210e23-326-f8
   200b40"..Accept-Ranges: bytes..Vary: Accept-Encoding,User-Agent..Content-En
   coding: gzip..Content-Length: 476..Keep-Alive: timeout=15, max=100..Connect
   ion: Keep-Alive..Content-Type: text/html; charset=ISO-8859-1..Content-Langu
   age: en..............}S]..0.|...........H...8........@......(.....Dw.%.,..
   ;.k.....Y>q<........d ...........3.i..kdm.u@d{.Q......@..B1.0.2YI^..R.....
   ....X......X..y........,..(........1...g.......*...j..a.‘._@.W....0.....?.
   .R.K.j..Y.....>...;kw*U.j.<...0Tn.l.:......>Fs....’....h.’...u.H4..’.6.vID
   I.......N.r.O...}...I.w. ...mX...L.s..{.L.R..-...e....~nu..t.3...H..#..J...
   .u.?..]....^..2.....e8v/gP.....].48...qD!..........#y...m}..>/?..#........I
   ..I..4.P......2:...n8l.......!.Yr&...
##

   As you can see, all headers and aspects of the HTTP transmission are
exposed in their gory detail. It’s a little hard to parse though, so let’s see
what happens when “-W byline” mode is used:

# ngrep -W byline port 80
interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42177 -> 64.90.164.74:80 [AP]
GET / HTTP/1.1.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera ...
Host: www.darkridge.com.
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9 ...
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1.
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0.
Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.
Cookie2: $Version=1.
Cache-Control: no-cache.
Connection: Keep-Alive, TE.
TE: deflate, gzip, chunked, identity, trailers.
.

##
T 64.90.164.74:80 -> 67.169.59.38:42177 [AP]
HTTP/1.1 200 OK.
Date: Mon, 29 Mar 2004 00:47:25 GMT.
Server: Apache/2.0.49 (Unix).
Last-Modified: Tue, 04 Nov 2003 12:09:41 GMT.
ETag: "210e23-326-f8200b40".
Accept-Ranges: bytes.
Vary: Accept-Encoding,User-Agent.
Content-Encoding: gzip.
Content-Length: 476.
Keep-Alive: timeout=15, max=100.
Connection: Keep-Alive.
Content-Type: text/html; charset=ISO-8859-1.
Content-Language: en.
.
..........}S]..0.|...........H...8........@......(.....Dw.%.,..;.k.. ...
.;kw*U.j.<...0Tn.l.:......>Fs....’....h.’...u.H4..’.6.vIDI.......N.r ...
..H..#..J....u.?..]....^..2.....e8v/gP.....].48...qD!..........#y...m ...
####

    (Content visually truncated for display purposes.) “-W byline” mode
tells ngrep to respect embedded line feeds when they occur. You’ll note
from the output above that there is still a trailing dot (“.”) on each line,
which is the carriage-return portion of the CRLF pair. Using this mode,
the output has become much easier to parse visually.
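Once the trailing dot is read as the CR of each CRLF, the byline session above can be processed mechanically. The Python script below is an added example, not code from the original report or from ngrep: it groups `-W byline` output (a shortened copy of the section 4.1 capture, with most header lines left out) into packets, strips the CR dot, parses the HTTP start line and headers, and reports which clients sent cookies to port 80 in the clear, the kind of finding that justifies moving a site to HTTPS. The packet-header regular expression and the `cleartext_cookie_report` function are assumptions made here for illustration, not ngrep features.

```python
import re

# Sample ngrep -W byline output, taken from the section 4.1 session on this
# page with most header lines omitted; the trailing '.' on each payload
# line is how ngrep prints the CR of the CRLF pair.
SAMPLE = """\
interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42177 -> 64.90.164.74:80 [AP]
GET / HTTP/1.1.
Host: www.darkridge.com.
Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.
Connection: Keep-Alive, TE.
.

##
T 64.90.164.74:80 -> 67.169.59.38:42177 [AP]
HTTP/1.1 200 OK.
Server: Apache/2.0.49 (Unix).
Content-Type: text/html; charset=ISO-8859-1.
.
####
"""

# "T src:port -> dst:port [flags]" header ngrep prints for each TCP/UDP match
# (assumed shape, taken from the sessions reproduced on this page)
PKT_HEADER = re.compile(r"^([TU]) (\S+):(\d+) -> (\S+):(\d+) \[([A-Z]*)\]$")


def split_http(lines):
    """Return the start line and a lower-cased header dict. Headers end at
    the first empty line, which is the bare '.' (CRLF CRLF) in byline output."""
    if not lines:
        return "", {}
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_byline(text):
    """Group ngrep -W byline output into packets with parsed HTTP headers."""
    packets, cur = [], None
    for line in text.splitlines():
        m = PKT_HEADER.match(line)
        if m:
            cur = {"proto": m[1], "src": m[2], "sport": int(m[3]),
                   "dst": m[4], "dport": int(m[5]), "flags": m[6], "lines": []}
            packets.append(cur)
            continue
        if cur is None or line.startswith("#"):
            continue  # interface/filter banner, or '#' non-match markers
        # Strip the CR that byline mode renders as a trailing dot. This is
        # lossy by nature: a body line that really ends in '.' loses it too.
        cur["lines"].append(line[:-1] if line.endswith(".") else line)
    for pkt in packets:
        pkt["start_line"], pkt["headers"] = split_http(pkt["lines"])
    return packets


def cleartext_cookie_report(text):
    """Defender's reading of the capture: which clients sent a Cookie header
    to port 80 in the clear, and which cookie names were exposed (values are
    deliberately not reported)."""
    findings = []
    for pkt in parse_byline(text):
        cookie = pkt["headers"].get("cookie")
        if pkt["dport"] == 80 and cookie:
            names = [c.split("=", 1)[0].strip() for c in cookie.split(";") if c.strip()]
            findings.append({"client": pkt["src"],
                             "host": pkt["headers"].get("host"),
                             "cookies": names})
    return findings


if __name__ == "__main__":
    for pkt in parse_byline(SAMPLE):
        print(pkt["src"], "->", pkt["dst"], pkt["start_line"], sorted(pkt["headers"]))
    print(cleartext_cookie_report(SAMPLE))
```

Run against a real `ngrep -W byline port 80` capture piped into a file, the report lists every cookie name that crossed the wire unencrypted; in the page's own session that is the SQMSESSID session identifier.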


5     Different ways of using ngrep
There are also various additional twists to the way ngrep can be used, for
example the ability to include libpcap-style packet filtering. Libpcap
provides a fairly simple language for filtering traffic.
Filters are written by combining primitives with the conjunctions 'and' and
'or'. A primitive can be preceded by the term 'not'. Primitives are normally
formed with an id (a numeric value or a symbolic name) and one or more
qualifiers.
There are three kinds of qualifiers:
    • Type

    • Direction

    • Protocol

5.1   Type Qualifiers
It describes what the id refers to. Allowed options are:
    • host

    • net

    • port

Various examples are host crashdummy test, net 192.168.10.2, port 80.

5.2    Directional Qualifiers
It indicates the direction in which traffic is flowing. Allowed qualifiers are:

    • src (source)

    • dst (destination)

5.3    Protocol Qualifiers
It limits the captured packets to those of a single protocol. If it is not
used then all IP packets are captured. For example, tcp, icmp or udp packets
can be filtered. Primitives can also be negated and combined to develop more
complex filters. For example, if you want to see all traffic to 'rose' except
'telnet' and 'ftp-data' you can use the following filter:


dst host rose and not port telnet and not port ftp-data
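To make the filter grammar of section 5 concrete (type, direction and protocol qualifiers joined with not/and/or, with 'and' binding tighter than 'or' as in libpcap), here is a small Python evaluator written for this page. It is an added example and not libpcap or ngrep code: it compiles nothing to BPF, resolves no host names, and the packets and the service table standing in for /etc/services are constructed for the demonstration. The class and function names (`Filter`, `select`) are hypothetical. The example also covers the section 2 commands ("host x.x.x.x and port 25", "port syslog"), so it goes a little beyond the single 'rose' filter above.

```python
import re

# Constructed stand-in for /etc/services; the page notes that ngrep (via
# libpcap) maps service names like 'telnet' or 'syslog' to port numbers.
SERVICES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
            "http": 80, "syslog": 514}

TOKEN = re.compile(r"\(|\)|[^\s()]+")


class Filter:
    """Toy evaluator for the libpcap subset described in section 5:
    primitive = [src|dst] [host|net|port] id, or a protocol qualifier
    (tcp/udp/icmp); combined with not, and, or and parentheses.
    Precedence, high to low: not, and, or (as in libpcap)."""

    def __init__(self, text):
        self.toks = TOKEN.findall(text)
        self.pos = 0
        self.fn = self._or()
        if self.pos != len(self.toks):
            raise ValueError(f"trailing tokens: {self.toks[self.pos:]}")

    def matches(self, pkt):
        return self.fn(pkt)

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def _or(self):
        left = self._and()
        while self._peek() == "or":
            self._next()
            right = self._and()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, right)
        return left

    def _and(self):
        left = self._unary()
        while self._peek() == "and":
            self._next()
            right = self._unary()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, right)
        return left

    def _unary(self):
        tok = self._peek()
        if tok == "not":
            self._next()
            inner = self._unary()
            return lambda p: not inner(p)
        if tok == "(":
            self._next()
            inner = self._or()
            if self._next() != ")":
                raise ValueError("expected ')'")
            return inner
        return self._primitive()

    def _primitive(self):
        tok = self._next()
        if tok in ("tcp", "udp", "icmp"):            # protocol qualifier
            return lambda p, proto=tok: p["proto"] == proto
        direction = None
        if tok in ("src", "dst"):                     # direction qualifier
            direction, tok = tok, self._next()
        kind = "host"                                 # type qualifier, default host
        if tok in ("host", "net", "port"):
            kind, tok = tok, self._next()
        ident = tok
        if kind == "port":
            port = SERVICES[ident] if ident in SERVICES else int(ident)
            keys = {"src": ["sport"], "dst": ["dport"], None: ["sport", "dport"]}[direction]
            return lambda p: any(p[k] == port for k in keys)
        keys = {"src": ["src"], "dst": ["dst"], None: ["src", "dst"]}[direction]
        if kind == "host":
            return lambda p: any(p[k] == ident for k in keys)
        # net: simplified dotted-prefix match, e.g. "net 192.168.10" (no CIDR masks)
        return lambda p: any(p[k] == ident or p[k].startswith(ident + ".") for k in keys)


# Constructed packet records (not captured traffic); 'rose' is the host from
# the section 5.3 example and appears here as a literal name.
PACKETS = [
    {"proto": "tcp", "src": "10.17.236.12", "sport": 32838, "dst": "rose", "dport": 80},
    {"proto": "tcp", "src": "10.17.236.12", "sport": 40001, "dst": "rose", "dport": 23},
    {"proto": "tcp", "src": "rose", "sport": 20, "dst": "10.17.236.12", "dport": 40002},
    {"proto": "udp", "src": "192.168.10.5", "sport": 514, "dst": "rose", "dport": 514},
]


def select(filter_text, packets=PACKETS):
    """Indices of the packets a filter would let through."""
    f = Filter(filter_text)
    return [i for i, p in enumerate(packets) if f.matches(p)]


if __name__ == "__main__":
    for expr in ("dst host rose and not port telnet and not port ftp-data",
                 "host 10.17.236.12 and port 80", "port syslog",
                 "tcp and port 80 or udp", "not (port 80 or port 23)"):
        print(f"{expr!r:60} -> {select(expr)}")
```

The 'rose' filter keeps the HTTP and syslog packets bound for rose and drops the telnet session and the ftp-data transfer, which is exactly what the page describes; the parenthesised form shows why `not (port 80 or port 23)` differs from `not port 80 or port 23`.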


6     Some Command Line Switches
Various common command line switches that are used with ngrep are as
follows:

    • -e : show empty packets

    • -n num : match num packets and then exit

    • -x : show the packet in alternating hexadecimal and ASCII style


7     Some Examples with Data
I tried various commands and got the respective data for every command,
which are written and explained below:

    • sudo ngrep -d wlan0 port 80 - It gives us the data after listening to
      traffic on port 80, which is basically 'http' traffic.

      T 10.17.236.12:32838 -> 74.125.230.81:80 [AP]
        GET /gen_204?atyp=i&ct=backbutton&cad=&ei=aFdaTfXPHJK14AbrkO2vDA&zx=1297750
        513062 HTTP/1.1..Host: www.google.com..User-Agent: Mozilla/5.0 (X11; U; Lin
        ux x86_64; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/
        3.6.13..Accept: image/png,image/*;q=0.8,*/*;q=0.5..Accept-Language: en-us,e
        n;q=0.5..Accept-Encoding: gzip,deflate..Accept-Charset: ISO-8859-1,utf-8;q=
        0.7,*;q=0.7..Keep-Alive: 115..Connection: keep-alive..Referer: http://www.g
        oogle.com/..Cookie: PREF=ID=94848ae271e094ae:U=89526b1f9a9b5069:FF=0:LD=en:
        CR=2:TM=1295223931:LM=1297438900:GM=1:S=xLOHwIcMJsimEVBc; NID=43=hD06P-eYjH
        T-tGvUAaU4lyBgcKBAkKRc_NYH-367UsZ3fORwE-d73fGCndgp2jFoTmSbO1RUoh78UmiWoD3x1
        7XQkAggnPtElRV9FgAN5yH7eWIZkI9tv8PathJ5d1vz; GMAIL_RTT=37....
      #
      T 74.125.230.81:80 -> 10.17.236.12:32838 [AP]
        HTTP/1.1 204 No Content..Content-Type: text/html; charset=UTF-8..Date: Tue,
         15 Feb 2011 10:45:25 GMT..Server: gws..Content-Length: 0..X-XSS-Protection
        : 1; mode=block....

    • Same command with grep for the word 'Server'; it separates out the
      data containing the word 'Server':
      sudo ngrep -d wlan0 port 80 | grep Server


        Encoding: gzip..Server: gws..Content-Length: 8066..X-XSS-Protection: 1; mod
        eb 2011 10:47:22 GMT..Server: sffe..X-XSS-Protection: 1; mode=block....
        eb 2011 10:47:22 GMT..Server: sffe..X-XSS-Protection: 1; mode=block....
        HTTP/1.1 304 Not Modified..Date: Tue, 15 Feb 2011 10:47:22 GMT..Server: gws
        HTTP/1.1 304 Not Modified..Date: Tue, 15 Feb 2011 10:47:22 GMT..Server: gws
         15 Feb 2011 10:47:23 GMT..Server: gws..Content-Length: 0..X-XSS-Protection

    • Same command with grep for the word 'Mozilla'; it searches out the
      data containing the word 'Mozilla':


        Encoding: gzip..Server: gws..Content-Length: 8066..X-XSS-Protection: 1; mod
        eb 2011 10:47:22 GMT..Server: sffe..X-XSS-Protection: 1; mode=block....
        eb 2011 10:47:22 GMT..Server: sffe..X-XSS-Protection: 1; mode=block....
        HTTP/1.1 304 Not Modified..Date: Tue, 15 Feb 2011 10:47:22 GMT..Server: gws
        HTTP/1.1 304 Not Modified..Date: Tue, 15 Feb 2011 10:47:22 GMT..Server: gws
         15 Feb 2011 10:47:23 GMT..Server: gws..Content-Length: 0..X-XSS-Protection

    • Now with the command - sudo ngrep -x -d wlan0 port 80 > xx.txt
      I got the following data in hexadecimal and ASCII formats.


        a0 5a 97 59 96 b2 04 55    bd 47 57 07 ef 22 34 a9    .Z.Y...U.GW.."4.
        0a 02 e7 29 27 a8 2d 38    41 a2 1b 44 d5 2d 51 c6    ...)'.-8A..D.-Q.
        b1 3a a6 25 cc 09 ca b8    41 ed 68 78 94 bc 9e dc    .:.%....A.hx....
        9e 02 35 55 17 2f 9d 28    01 3b 42 e2 77 bb d4 f9    ..5U./.(.;B.w...
        3b 57 eb a9 59 d2 26 55    01 f3 b4 6e e3 e9 e8 fe    ;W..Y.&U...n....
        98 b9 33 72 9f d0 13 da    3a a7 45 9a b0 73 68 d4    ..3r....:.E..sh.
        0e d4 80 6e 06 6e 17 fb    98 c9 92 9e c5 db e4 ba    ...n.n..........
        e2 29 3e fe d9 81 3a a8    f8 c0 81 13 c0 08 29 b4    .)>...:.......).
        ee df e9 c0 06 01 88 16    88 a6 d3 08 36 47 a3 ef    ............6G..
        ec e9 52 32 93 b8 28 be    c7 3a c6 d5 94 a0 f0 fb    ..R2..(..:......
        b7 dc 28 dd de fd 5d fa    dd 91 d9 6f a3 c6 7f eb    ..(...]....o....
        ec b7 db 2c dd 52 aa 5e    1a cc 19 ea c5 b7 eb 10    ...,.R.^........
        31 16 65 f4 67 aa 05 c9    d9 b7 c8 4b 51 fb 63 df    1.e.g......KQ.c.
        de c3 2c 60 5d 0b 9d c8    8b f9 9e 82 11 35 0e 1d    ..,`]........5..
        d5 55 2c fb 1b e3 74 59    26 d4 0e ab d5 5a 8b bd    .U,...tY&....Z..
        08 59 8b ef 8d cc 3d a3    44 bd 5a ed 35 3b cd b8    .Y....=.D.Z.5;..
        f4 2a 04 fe 2c cd 58 b4    5c b0 f3 bc 84 9d 1e a0    .*..,.X........
        87 48 80 d6 51 ae 09 a8    00 eb b1 21 c4 ae b0 16    .H..Q......!....
        2d ba 62 b8 79 13 8f d7    b3 c2 6e 95 95 22 1b 4e    -.b.y.....n..".N
        93 1e ac 8e 89 02 ab b7    a1 69

      This command shows data in hexadecimal and ASCII format, and from the
      above data I can see that in ASCII format there are many dots and we
      are not able to figure out what kind of data it is, but in hexadecimal
      format it has some value, and maybe if we have a hexadecimal
      interpreter we can try to figure out what it actually means.

    • I saved this data in a file called xx.txt and now with the awk command we
      can separate out a whole column or the intended lines out of it with the
      help of the command:
      cat xx.txt | awk -F ' ' '{print $3}'
      It will print the third column for me.


        A.{,.6t......(..
        }8.l....J..]...
        ..9j....~..N/2r.
        Z)P.x..g.......f
        ..j...n..R$.R.L.
        .Z.Y...U.GW.."4.
        ...)'.-8A..D.-Q.
        .:.%....A.hx....
        ..5U./.(.;B.w...
        ;W..Y.&U...n....
        ..3r....:.E..sh.
        ...n.n..........
        .)>...:.......).
        ............6G..
        ..R2..(..:......
        ..(...]....o....
        ...,.R.^........
        1.e.g......KQ.c.
        ..,`]........5..
        .U,...tY&....Z..
        .Y....=.D.Z.5;..
        .*..,.X........
        .H..Q......!....
        -.b.y.....n..".N

      Similarly we can extract the 1st or 2nd column of the hexadecimal format
      as well, if we can interpret it with some other process to get some data
      out of it which is not visible or understandable in ASCII format.
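The "hexadecimal interpreter" wished for above, and the column extraction done with awk, can both be written as a short Python program. This is an added example, not code from the original report or from ngrep. It assumes the `-x` layout as reproduced in section 7 (two groups of eight hex bytes, then an ASCII column in which non-printable bytes appear as dots): it parses the hex groups back into raw bytes, ignoring the lossy ASCII column, and then checks the one thing that explains the dotted output in the HTTP sessions of section 4, namely that a body sent with `Content-Encoding: gzip` begins with the gzip magic bytes 1f 8b and only becomes readable after inflating. The gzip sample is constructed inside the script; the four `PAGE_DUMP` lines are copied from the dump on this page. Function names (`format_ngrep_x`, `parse_ngrep_x`, `identify_payload`) are hypothetical.

```python
import gzip
import re
import string

# Constructed sample: a small HTML body compressed with gzip, as the Apache
# responses in section 4 are sent (Content-Encoding: gzip).
SAMPLE_BODY = b"<html><head><title>ngrep</title></head><body>hello</body></html>\n"
SAMPLE_GZIP = gzip.compress(SAMPLE_BODY, mtime=0)

# The first three and the last line of the ngrep -x dump reproduced in section 7.
PAGE_DUMP = """\
  a0 5a 97 59 96 b2 04 55       bd 47 57 07 ef 22 34 a9       .Z.Y...U.GW.."4.
  0a 02 e7 29 27 a8 2d 38       41 a2 1b 44 d5 2d 51 c6       ...)'.-8A..D.-Q.
  b1 3a a6 25 cc 09 ca b8       41 ed 68 78 94 bc 9e dc       .:.%....A.hx....
  93 1e ac 8e 89 02 ab b7       a1 69
"""

PRINTABLE = set((string.ascii_letters + string.digits + string.punctuation + " ").encode())
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")


def format_ngrep_x(data: bytes) -> str:
    """Render bytes in the layout ngrep -x uses (assumed from the section 7
    dump): 16 bytes per line as two groups of eight hex bytes, followed by
    an ASCII column in which non-printable bytes become '.'."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        left = " ".join(f"{b:02x}" for b in chunk[:8])
        right = " ".join(f"{b:02x}" for b in chunk[8:])
        text = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"  {left:<23}    {right:<23}    {text}")
    return "\n".join(lines)


def parse_ngrep_x(dump: str) -> bytes:
    """Rebuild raw bytes from a hex/ASCII dump. Columns are separated by runs
    of two or more spaces, so splitting on those yields the hex groups and,
    when present, the ASCII column. Only the hex groups are decoded: the
    ASCII column is lossy because '.' hides the real byte. The second group
    is only read when the first one is full (eight bytes), which keeps a
    short last line's ASCII column from being mistaken for hex."""
    out = bytearray()
    for line in dump.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if not fields or not fields[0]:
            continue
        groups = fields[:2] if len(fields[0].split()) == 8 else fields[:1]
        for group in groups:
            tokens = group.split()
            if not all(HEX_BYTE.fullmatch(t) for t in tokens):
                break
            out.extend(int(t, 16) for t in tokens)
    return bytes(out)


def identify_payload(data: bytes) -> dict:
    """Minimal 'hexadecimal interpreter': a payload starting with the gzip
    magic 1f 8b is a compressed HTTP body, and inflating it recovers the
    text that the dotted ASCII column could not show. Anything else is
    returned unchanged as 'identity'."""
    if data[:2] == b"\x1f\x8b":
        return {"encoding": "gzip", "raw_len": len(data), "body": gzip.decompress(data)}
    return {"encoding": "identity", "raw_len": len(data), "body": data}


if __name__ == "__main__":
    dump = format_ngrep_x(SAMPLE_GZIP)
    print(dump)
    print(identify_payload(parse_ngrep_x(dump)))
    print(identify_payload(parse_ngrep_x(PAGE_DUMP)))
```

Feeding the dump saved in xx.txt to `parse_ngrep_x` is the same operation as the awk column extraction, but it recovers all sixteen bytes per line instead of one column; the page's own fragment starts with a0 5a, so it is not a gzip member and is reported as identity data.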



