ngrep

Simple But Powerful Network Sniffer

Hendrik Weimer

2006-05-24


For a network administrator it is essential to know what is happening on his network in order to debug problems. tcpdump is great for finding out who is talking to whom, but when it comes to looking at the content of the communication it is rather inconvenient. ngrep is a much better choice for this job, as it allows you to search for packets with specific contents.

When ngrep is fired up it prints the content of the received packets to standard output. There are two ways to limit the number of packets. You can add a filter expression to only record packets coming from specific hosts or going to certain ports. Since ngrep uses the pcap library to capture packets, the syntax is the same as for tcpdump. You can even use ngrep on files created with tcpdump.

The other, more interesting possibility is to pick out packets with specific content. As the name suggests, ngrep offers a syntax very similar to that of GNU grep. Using regular expressions to search for packets gives you a warm and fuzzy feeling. The following example shows how to search case-insensitively for user names and passwords sent to a POP3 server:

# ngrep -i -w 'user|pass' port 110
interface: eth0 (192.0.2.0/255.255.255.0)
filter: ip and ( port 110 )
match: ((^user|pass\W)|(\Wuser|pass$)|(\Wuser|pass\W))
######
T 192.0.2.100:54367 -> 192.0.2.1:110 [AP]
user john..
####
T 192.0.2.100:54367 -> 192.0.2.1:110 [AP]
pass secret..

Sometimes it would be very convenient not to search through individual packets but through TCP flows, i.e. the whole communication between a client and a server. ngrep does not offer flow-based searches. In this respect the flowgrep project looks very promising; however, it currently does not offer the robustness ngrep does.
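To make the difference between per-packet and flow-based searching concrete, here is an added Python example that is not part of the original review or of ngrep itself. It wraps a pattern the way ngrep -w does (as the match: line above shows), searches a few constructed POP3 segments packet by packet as ngrep would, and then again after reassembling each direction of the flow by sequence number. The packets, the helper names and the simplified reassembly (no retransmissions or overlapping segments) are assumptions for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample capture in arrival order:
# (src, sport, dst, dport, tcp_seq, payload). The password is split
# across two TCP segments, which a per-packet search cannot see whole.
PACKETS = [
    ("192.0.2.100", 54367, "192.0.2.1", 110, 1000, b"user john\r\n"),
    ("192.0.2.100", 54367, "192.0.2.1", 110, 1011, b"pass sec"),
    ("192.0.2.100", 54367, "192.0.2.1", 110, 1019, b"ret\r\n"),
    ("192.0.2.1", 110, "192.0.2.100", 54367, 5000, b"+OK Logged in.\r\n"),
]


def ngrep_word_pattern(expr, ignore_case=False):
    """Wrap expr like ngrep -w does (see its 'match:' output line).
    Note the alternation is not parenthesised by ngrep: 'user|pass'
    becomes '^user|pass\\W', so group it yourself if you mean (user|pass)."""
    pat = r"((^%s\W)|(\W%s$)|(\W%s\W))" % (expr, expr, expr)
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(pat.encode(), flags)


def packet_matches(pattern, packets):
    """Per-packet search, which is what ngrep does: matching payloads."""
    return [p[5] for p in packets if pattern.search(p[5])]


def flow_matches(pattern, packets):
    """Reassemble each unidirectional flow by sequence number, then search.
    Returns (flow key, reassembled stream) for every flow that matches."""
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, payload in packets:
        flows[(src, sport, dst, dport)].append((seq, payload))
    hits = []
    for key, segments in flows.items():
        stream = b"".join(data for _, data in sorted(segments))
        if pattern.search(stream):
            hits.append((key, stream))
    return hits
```

With the pattern 'pass secret' the per-packet search finds nothing, while the flow search reports the client-to-server flow whose reassembled stream contains the full line.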

The performance of ngrep is acceptable. Even searching through thousands of packets does not slow down the system much. However, with more complex regular expressions the CPU time required to search the packets goes up drastically.

ngrep provides several different output formats, e.g. one with hexadecimal dumps and one particularly suited for scripting. Time stamps can show the exact time a packet arrived or the interval between two captured packets.

In summary, ngrep is an indispensable tool for network admins. However, its flexibility allows other uses as well, for example for accounting or intrusion detection purposes.

ngrep
Version: 1.44
Homepage: http://ngrep.sourceforge.net/
License: BSD-like (with advertising clause)
Distributions: Debian stable, Debian unstable, Fedora, Mandriva, Ubuntu (not in Suse)
Rating: 83
Pros:
  • grep-like pattern matching
Cons:
  • No flow-based search

Copyright 2006–2008 OS Reviews. This document is available under the terms of the GNU Free Documentation License. See the licensing terms for further details.