Grepping packets with Ngrep…

June 19, 2010 at 7:42 pm (Linux, Network, Sniffing, Unix)

Hey,

I was playing with a neat little tool the other day called, ngrep. Or Network Grep. It basically takes the functionality of the GNU grep utility and puts it to use on network layer packets 🙂 The following is a paragraph from the man page which helps sum it up better:

grep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump(8) and snoop(1).

Let’s take a quick look at one of the uses for ngrep that may seem attractive:

[zoidberg@/dev/null:~ ] $ sudo ngrep -d wlan0 -i 'USER|PASS' tcp port 21
interface: wlan0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp port 21 )
match: USER|PASS
############
T 192.168.1.68:39404 -> 130.89.149.226:21 [AP]
USER ftp..
##
T 130.89.149.226:21 -> 192.168.1.68:39404 [AP]
331 Please specify the password...
##
T 192.168.1.68:39404 -> 130.89.149.226:21 [AP]
PASS this.is.my@password.com..
############

Pretty neat huh? Another cool option worth looking into is -K (is kill matching TCP connections), however I will leave it up to your imagination to take it further… 🙂 If you find a neat use for this tool then please leave a comment, anyway, until the next time, see ya!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: