ngrep is one of my favourite CLI tools on Linux: it is very easy to use and just works. Think of it as tcpdump piped into grep, with a few extra switches for filtering and output. The utility has been around for some time and, judging from the author's page, not much has changed in a while, but why would it? The tool just works.
Here is the description from the author’s site:
ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
Installation:
I've found the utility to be available in most Linux distributions' repositories. Debian/Ubuntu:
sudo apt-get install ngrep
Fedora/Centos/Redhat:
sudo yum install ngrep
Examples:
Note: ngrep needs elevated privileges to open your NIC for capture, so either use sudo or run it as root, depending on your distro and configuration.
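The note above says ngrep needs root to reach the NIC. An alternative to running the whole tool as root is to grant the binary only the two Linux file capabilities that packet capture needs. The script below is an added example, not from the original post or the ngrep project; it assumes ngrep is installed at /usr/bin/ngrep (override with NGREP_BIN) and that libcap's setcap and getcap are available.

```shell
#!/bin/sh
# Added example (not from the original post): let ngrep capture without sudo
# by giving the binary file capabilities instead of running it as root.
# Assumptions: ngrep is at /usr/bin/ngrep (override with NGREP_BIN) and
# libcap's setcap/getcap are installed.

NGREP_BIN="${NGREP_BIN:-/usr/bin/ngrep}"

# Succeed (return 0) when a getcap output line grants both capabilities a
# capture tool needs: cap_net_raw (open the raw packet socket) and
# cap_net_admin (switch the NIC to promiscuous mode), in the effective and
# permitted sets. Accepts both getcap output styles:
#   /usr/bin/ngrep = cap_net_admin,cap_net_raw+eip    (libcap before 2.41)
#   /usr/bin/ngrep cap_net_admin,cap_net_raw=eip      (libcap 2.41 and later)
caps_allow_capture() {
    caps=$(printf '%s\n' "$1" | sed 's/^[^ ]* *=* *//')   # drop the path and optional "="
    case "$caps" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$caps" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$caps" in *[+=]*) ;; *) return 1 ;; esac          # no flag set at all
    flags=${caps##*[+=]}                                   # text after the last "+" or "="
    case "$flags" in *e*) ;; *) return 1 ;; esac            # effective
    case "$flags" in *p*) return 0 ;; *) return 1 ;; esac   # permitted
}

# Grant the capabilities (run once, as root) and show what the file now carries.
grant_capture_caps() {
    setcap cap_net_raw,cap_net_admin=eip "$NGREP_BIN" && getcap "$NGREP_BIN"
}

# Report the current state without changing anything.
if [ -x "$NGREP_BIN" ] && command -v getcap >/dev/null 2>&1; then
    if caps_allow_capture "$(getcap "$NGREP_BIN" 2>/dev/null)"; then
        echo "$NGREP_BIN can capture without sudo"
    else
        echo "$NGREP_BIN lacks capture capabilities; run grant_capture_caps as root"
    fi
fi
```

After grant_capture_caps has been run once as root, ngrep captures for any user who can execute the file, so pair it with a dedicated group (chgrp and chmod 750 on the binary) rather than leaving it world-executable. The checker accepts both getcap output styles because libcap 2.41 changed the separator from "+" to "=".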
If you want to see all the DNS traffic going to and from your system:
sudo ngrep -d eth0 port 53
To look at traffic going to and from your mail server (here narrowed with src host to the packets the server sends):
sudo ngrep -d eth0 port 25 and src host 192.168.1.7
As you can see from the output, ngrep presents the conversation in a very clear, easy-to-read format. Here I'm sending a test email on an internal network through an internal SMTP server, and the whole SMTP exchange is visible:
interface: eth0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( port 25 and src host 192.168.1.7 )
##
T 192.168.1.7:25 -> 192.168.1.3:44708 [AP]
220 stingray Axigen ESMTP ready..
#
T 192.168.1.7:25 -> 192.168.1.3:44708 [A]
......
#
T 192.168.1.7:25 -> 192.168.1.3:44708 [AP]
250-stingray Axigen ESMTP hello..250-PIPELINING..250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI ..250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI ..250-8 BITMIME..250-BINARYMIME..250-CHUNKING..250-SIZE 52428800..250-STARTTLS..250-HELP..250 OK..
#
T 192.168.1.7:25 -> 192.168.1.3:44708 [AP]
250 Sender accepted..
#
T 192.168.1.7:25 -> 192.168.1.3:44708 [AP]
250 Recipient accepted..
#
T 192.168.1.7:25 -> 192.168.1.3:44708 [AP]
354 Ready to receive data; remember <CRLF>.<CRLF>..
#
T 192.168.1.7:25 -> 192.168.1.3:44708 [A]
......
#
T 192.168.1.7:25 -> 192.168.1.3:44708 [AP]
250 Continue delivery..
#
T 192.168.1.7:25 -> 192.168.1.3:44708 [AP]
221-stingray Axigen ESMTP is closing connection..221 Good bye..
#
T 192.168.1.7:25 -> 192.168.1.3:44708 [AF]
......
#
T 192.168.1.7:25 -> 192.168.1.3:44708 [A]
......
exit
Obviously the above only covers traffic to and from the local system, not the whole network. For visibility across the network you need to be connected to a SPAN or mirror port, or better still a network tap; then you will see everything going in and out of the network. Here is an example of looking at port 443 traffic going from one LAN segment to another:
sudo ngrep port 443 and src net 192.168.1.0/24 and dst net 10.10.0.0/24
Use keywords to find things you want to be aware of; for example, look for the word password in a syslog stream:
sudo ngrep -d any 'password' port syslog
Dump to a pcap file for analysis in Wireshark, or write the pcap with a pre-defined filter. For example, capture only port 21 (FTP):
sudo ngrep -O p21.pcap -d eth0 port 21
You can also use ngrep to search the pcap file for particular strings, such as PASS for the FTP password:
sudo ngrep -w 'PASS' -I p21.pcap
input: p21.pcap
match: ((^PASS\W)|(\WPASS$)|(\WPASS\W))
####
T 172.16.16.3:46374 -> 10.10.100.54:21 [AP]
PASS ssde..
############exit
This is why FTP is useless for security: the password goes over the wire in cleartext!
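The SMTP capture above and the PASS search here both produce ngrep's text format: one header line per matching packet (protocol letter, source, destination, TCP flags), the payload with non-printable bytes shown as '.', and a '#' for each packet that passed the BPF filter but did not match. The script below is an added example, not from the original post or the ngrep project: it reads saved ngrep output (ngrep ... > capture.txt), summarises packets and flags per flow, and reports flows carrying cleartext credentials (FTP PASS, SMTP AUTH PLAIN/LOGIN) with the secret redacted so the report can be shared. The sample capture is constructed from the addresses in the post; the client EHLO/AUTH packet, the "laptop" hostname and the FTP USER line are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): post-process saved ngrep output.
# ngrep prints, for each matching packet, a header line such as
#   T 192.168.1.7:25 -> 192.168.1.3:44708 [AP]
# (protocol letter, source, destination, TCP flags; UDP lines have no flags),
# then the payload with non-printable bytes as '.', and one '#' for every
# packet that passed the BPF filter but did not match the expression.
# Both functions take a file in that format, e.g. from `ngrep ... > capture.txt`.

# Summarise packets per flow and the TCP flag sets seen, one line per flow:
#   <src> -> <dst> packets=<n> flags=<each distinct flag set, in first-seen order>
ngrep_flows() {
    awk '
        /^[TU] [^ ]+ -> [^ ]+( \[[A-Z]*\])?$/ {
            flow  = $2 " -> " $4
            flags = (NF >= 5) ? $5 : "[-]"
            n[flow]++
            if (index(seen[flow], flags) == 0) seen[flow] = seen[flow] flags
        }
        END { for (f in n) printf "%s packets=%d flags=%s\n", f, n[f], seen[f] }
    ' "$1" | sort
}

# Report flows carrying cleartext credentials: FTP "PASS <secret>" and SMTP
# "AUTH PLAIN <base64>" / "AUTH LOGIN". The secret itself is never printed.
ngrep_cleartext_creds() {
    awk '
        /^[TU] [^ ]+ -> [^ ]+( \[[A-Z]*\])?$/ { flow = $2 " -> " $4; next }
        /^#*(exit)?$/ { next }   # "#" progress markers and the final "exit" line
        flow == ""    { next }   # preamble: interface:, filter:, match:
        {
            line = toupper($0)
            sub(/^[ \t]+/, "", line)
            # ngrep renders CRLF as "..", so a command can also start mid-line
            if (line ~ /(^|\.\.)PASS /)              print flow " FTP PASS <redacted>"
            if (line ~ /(^|\.\.)AUTH (PLAIN|LOGIN)/) print flow " SMTP AUTH <redacted>"
        }
    ' "$1"
}

# Constructed sample in ngrep's format (addresses taken from the post; the
# client EHLO/AUTH packet and the FTP USER line are made up for the example).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
interface: eth0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( port 25 or port 21 )
##
T 192.168.1.7:25 -> 192.168.1.3:44708 [AP]
  220 stingray Axigen ESMTP ready..
#
T 192.168.1.3:44708 -> 192.168.1.7:25 [AP]
  EHLO laptop..AUTH PLAIN AGpvaG4AaHVudGVyMg==..
#
T 192.168.1.7:25 -> 192.168.1.3:44708 [A]
  ......
T 172.16.16.3:46374 -> 10.10.100.54:21 [AP]
  USER john..
#
T 172.16.16.3:46374 -> 10.10.100.54:21 [AP]
  PASS ssde..
############exit
EOF

echo "== packets per flow =="
ngrep_flows "$SAMPLE"
echo "== cleartext credentials =="
ngrep_cleartext_creds "$SAMPLE"
```

Point the two functions at a real capture saved with the default output or with -q (which drops the '#' markers); the -t timestamp option changes the header layout and is not handled here. The SMTP banner's "250-AUTH PLAIN LOGIN ..." advertisement is not reported, because the pattern only fires on a command at the start of a line or right after a CRLF.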
ngrep is a very handy and powerful utility that I will always keep on hand now.
Reference:
man ngrep
http://ngrep.sourceforge.net
http://en.wikipedia.org/wiki/Ngrep