Ngrep - A Network Analysis Tool

Intro

Network troubleshooting often requires the use of a sniffer, and many network administrators automatically reach for tcpdump, which is useful across many platforms. With the increasing number of protocols supported on IP, administrators often need to look further into the payload of packets to ensure that applications or users are providing the information expected by the receiving IP stack. ngrep is a sniffer that can be used like tcpdump, and it provides the additional capability of "grepping" the packet's payload for particular matches. The regular expression support of ngrep resembles that of the GNU version of grep, which gives many advanced features such as printing lines after the matched expression. ngrep is available from its home page; it requires libpcap, which is available at the tcpdump Web site and is already on systems that have tcpdump installed. Installation of ngrep is straightforward -- typically a configure, make, and make install will have it up and running. Because it uses libpcap, a wide range of interfaces and operating systems are supported.

Use

ngrep, like tcpdump, can be used to print packets matching a particular protocol. For example, you can use the following to print all UDP packets:

    ngrep '' udp

or ICMP packets with:

    ngrep '' icmp

Specific ports can be used. For example, the domain name system (DNS) uses TCP or UDP port 53, so:

    ngrep '' port 53

will show all DNS requests, such as this request and the reply to it:

    U 192.168.1.100:1034 -> 4.2.2.1:53
    :............[
    #
    U 4.2.2.1:53 -> 192.168.1.100:1034
    :............[
    .. ...........J.k.............K.k.............A.k.............M.k...........G.k.......
    ......C.k.............I.k.............B.k.............D
    .k.I.......o...)...i......}.....QE...............C........'>....de........f......
    .........BY...).&.........*....re........"....).e.........................Y...$........
    ..07....j................. ;

whereas

    ngrep '' tcp port 23

will print telnet packets. (To determine the appropriate ports, check /etc/services, or consult the Internet Assigned Numbers Authority.)

To troubleshoot Microsoft browsing traffic for the NT Domain BIGWORLD, you can use:

    ngrep '' port 138

    U 192.168.1.101:138 -> 192.168.1.255:138
    .......e...... EOFFENECEFFCDJCACACACACACACACAAA.
    ABACFPFPENFDECFCEPFHF
    DEFFPFPACAB..SMB%..............................(...................(.V
    .........9.MAILSLOTBROWSE....'..BIGWORLD...........
    @.....NUMBER8.

But to really take advantage of ngrep, just pick up the LILWORLD traffic:

    ngrep 'LILWORLD' port 138

    U 192.168.1.101:138 -> 192.168.1.255:138
    .......e...... EOFFENECEFFCDJCACACACACACACACAAA.
    ABACFPFPENFDECFCEPFHF
    DEFFPFPACAB..SMB%..............................(...................(.V
    .........9.MAILSLOTBROWSE....'..LILWORLD...........
    @.....NUMBER9.

This could be very difficult to troubleshoot with tcpdump in a larger network.

Email

The simple mail transport protocol (SMTP) is an ASCII-based protocol, so ngrep can be useful for troubleshooting SMTP email. For example, to monitor current delivery and print sender and recipients, use:

    ngrep -iq 'rcpt to|mail from' tcp port 25

    T 192.168.1.254:1043 -> 206.46.170.36:25 [AP]
    MAIL From: SIZE=42..
    T +63.769851 192.168.1.254:1043 -> 206.46.170.36:25 [AP]
    RCPT To:..
    T 192.168.1.254:1043 -> 206.46.170.36:25 [AP]
    RCPT To:..

This may come in handy to identify the sender of the recent popular mail viruses that read Outlook address books and send the virus to other users.

Version 3 of the post office protocol (POP3) can also be tested in much the same way as SMTP. For example, if it is possible that the user is misspelling the user name:

    ngrep 'user' port 110

    T 192.168.1.100:1889 -> 192.168.1.1:110 [AP]
    user test..

ICMP

Most troubleshooting of ICMP can be achieved with the ping commands, but there are different implementations of ping. For example, Microsoft operating systems fill the ICMP payload with the alphabet, so you can determine whether a host that is pinging is actually a Windows machine with:

    ngrep -q 'abcd' icmp

    I 192.168.1.100 -> 192.168.1.254 8:0
    abcdefghijklmnopqrstuvwabcdefghi

Web

Hypertext transport protocol (HTTP) is text based and shares all kinds of information between the server and client. For example, to determine the client application that the client host is running, use:

    ngrep -iq 'user-agent' tcp port 80

(HTTP actually calls for a UDP version as well, but it has never caught on.)

This particular case shows that the user is using lynx:

    T 192.168.1.254:1065 -> 64.4.43.7:80 [AP]
    GET / HTTP/1.0..Host: [ text/html, text/plain, audio/mod, image/*, video/*, video/mpeg, application/pgp, application/pgp, application/pdf, message/partial, message/external-body, application/postscript, x-be2, application/andrew-inset, text/richtext, text/enriched..Accept: x-sun-attachment, audio-file, postscript-file, default, mail-file, sun-deskset-message, application/x-metamail-patch, text/sgml, */*;q=0.01..Accept-Encoding: gzip, compress..Accept-Language: en..User-Agent: Lynx/2.8.3dev.18 libwww-FM/2.14....

Of course, the version of HTTP that is being used can be determined by using "HTTP" as the search expression, or the server being run using "SERVER" as the expression. Some attacks on Web servers try to request documents with periods as the file name, such as ../. ngrep can also check for these:

    ngrep '../'

    T 192.168.1.100:1103 -> 10.1.1.1:80 [AP]
    GET /../ HTTP/1.0..Host: [ text/html, text/plain, audio/mod, image/*, video/*, video/mpeg, application/pgp, application/pgp, application/pdf, message/partial, message/external-body, application/postscript, x-be2, application/andrew-inset, text/richtext, text/enriched..Accept: x-sun-attachment, audio-file, postscript-file, default, mail-file, sun-deskset-message, application/x-metamail-patch, text/sgml, video/mpeg, image/jpeg, image/tiff, image/x-rgb, image/png, image/x-xbitmap, image/x-xbm, image/gif..Accept: application/postscript, */*;q=0.01..Accept-Encoding: gzip, compress..Accept-Language: en..User-Agent: Lynx/2.8.4dev.7 libwww-FM/2.14....

This same technique can be used to determine what an ftp server is reporting as its version:

    ngrep '220' port 21

    T 209.155.82.18:21 -> 192.168.1.100:1105 [AP]
    220 FTP server (Version DG-4.0.62 974200128) ready

or to investigate Secure Shell, which can be tough to debug during the first install:

    ngrep 'SSH' port 22

    T 192.168.1.1:22 -> 192.168.1.100:1023 [AP]
    SSH-1.5-1.2.27.
    ##
    T 192.168.1.100:1023 -> 192.168.1.1:22 [AP]
    SSH-1.5-OpenSSH_2.1.1.

Neat Features of ngrep

Some of the nicer features of ngrep are obvious to systems administrators, but may be less obvious to network administrators with light sys admin duties. Let's look at some of them:

* -A n -- The -A feature prints out "n" packets after the match. This could be useful, for example, to print out several lines after the "to:" in the address header of SMTP to get a more complete picture of the header.

* -l -- Sometimes it is necessary to pipe the output of ngrep to another program for more processing. However, normal ngrep behavior will seem sporadic when piped to the other program because it first fills its buffer before printing matching packets. By using -l, the output will be printed immediately as opposed to waiting for ngrep's buffer to fill before printing.

* -v -- The -v will print all lines not matching the expression. This is useful during initial troubleshooting where a cause is not yet known, but you can assume it is not generated by the traffic you are sending to the host from your remote host while accessing the host. For example, if you telnet to the host to start troubleshooting, use:

    ngrep -v '' port 23

  to see all the traffic but telnet.

* -d -- The -d allows you to specify the device you want to monitor. The complete path to the device name is not required. Thus:

    ngrep -d le0 ''

  will listen to le0 on a Solaris box.

Summary

ngrep, like its cousin tcpdump, is handy for network troubleshooting. With the addition of being able to search with regular expressions, ngrep is worth adding to your network tool box. Weighing in at a little over 100 K, it is also worth considering for your emergency and network floppy distributions.
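The Web, FTP, SSH and Email sections above all come down to reading ngrep's output by eye. When the -l option is used to feed that output into another program, the next step is a small parser that turns the header/payload pairs into structured records a defender can count, alert on or log. The following is an added example written for this article, not code from the article or from the ngrep project. It assumes ngrep's -q output format as shown above (a header line such as "T 192.168.1.100:1103 -> 10.1.1.1:80 [AP]" followed by the payload with non-printable bytes rendered as '.', so a CRLF appears as ".."), and the command line in its docstring is an assumed invocation built only from options the article already uses. The SAMPLE block is constructed from the article's captures with example.com hostnames and addresses filled in.

```python
"""Turn ngrep output, read from a pipe, into structured findings.

Added example (not part of the article or of ngrep) for the post-processing
step the article hints at with -l.  Assumed usage:

    ngrep -l -q -i 'user-agent|\\.\\./|^220|^SSH-|rcpt to|mail from' | python3 ngrep_triage.py

SAMPLE below is constructed from the article's captures; the hostnames and
mailbox names in it are made up.
"""
from __future__ import annotations

import re
import sys
from typing import Iterable, Iterator

# Header line: protocol letter, optional "+delta" (from -T), src -> dst, TCP flags.
HEADER_RE = re.compile(
    r'^(?P<proto>[TUI]) (?:\+[\d.]+ )?'
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> '
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?'
)

# What to pull out of a payload, in the order findings are reported.
# ".." is how ngrep renders the CRLF that ends a protocol line.
CHECKS = [
    # "../" inside a request target: the dot-dot probe the article greps for
    ("path-traversal", re.compile(r'\b(?:GET|POST|HEAD) (\S*\.\./\S*)')),
    # client software, as in the article's Lynx example
    ("user-agent", re.compile(r'User-Agent: (.*?)(?:\.\.|$)', re.I)),
    # SMTP envelope lines the article monitors on port 25
    ("smtp-envelope", re.compile(r'\b((?:MAIL FROM|RCPT TO):.*?)(?:\.\.|$)', re.I)),
    # FTP greeting (version disclosure) and SSH protocol banner
    ("ftp-banner", re.compile(r'^220[ -](.*?)(?:\.\.|$)')),
    ("ssh-banner", re.compile(r'^(SSH-\d+\.\d+-[^\s.]+(?:\.[^\s.]+)*)')),
]


def _flow(m: re.Match[str]) -> str:
    """Render the header as 'T src:port -> dst:port' (ports absent for ICMP)."""
    src = m["src"] + (f':{m["sport"]}' if m["sport"] else "")
    dst = m["dst"] + (f':{m["dport"]}' if m["dport"] else "")
    return f'{m["proto"]} {src} -> {dst}'


def _inspect(flow: str, payload: str) -> Iterator[tuple[str, str, str]]:
    for kind, pattern in CHECKS:
        m = pattern.search(payload)
        if m:
            yield kind, flow, m.group(1).strip()


def iter_findings(lines: Iterable[str]) -> Iterator[tuple[str, str, str]]:
    """Stream (kind, flow, value) triples.  A packet is reported once the next
    header (or end of input) shows that its wrapped payload is complete."""
    flow, payload = None, ""
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = HEADER_RE.match(line)
        if m:
            if flow is not None:
                yield from _inspect(flow, payload)
            flow, payload = _flow(m), ""
        elif flow is not None and line and not re.fullmatch(r'#+', line):
            # ngrep wraps long payloads across lines; '#' lines mark skipped packets
            payload += line
    if flow is not None:
        yield from _inspect(flow, payload)


def triage(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    return list(iter_findings(lines))


def count_by_kind(findings: Iterable[tuple[str, str, str]]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample in the article's output format (hostnames/mailboxes invented).
SAMPLE = """\
T 192.168.1.254:1065 -> 64.4.43.7:80 [AP]
GET / HTTP/1.0..Host: www.example.com..Accept: text/html, text/plain..User-Agent: Lynx/2.8.3dev.18 libwww-FM/2.14....
#
T 192.168.1.100:1103 -> 10.1.1.1:80 [AP]
GET /../ HTTP/1.0..Host: www.example.com..User-Agent: Lynx/2.8.4dev.7 libwww-FM/2.14....
T 209.155.82.18:21 -> 192.168.1.100:1105 [AP]
220 FTP server (Version DG-4.0.62 974200128) ready..
T 192.168.1.1:22 -> 192.168.1.100:1023 [AP]
SSH-1.5-1.2.27.
##
T 192.168.1.100:1023 -> 192.168.1.1:22 [AP]
SSH-1.5-OpenSSH_2.1.1.
T 192.168.1.254:1043 -> 206.46.170.36:25 [AP]
MAIL From:<alice@example.com> SIZE=42..
T +63.769851 192.168.1.254:1043 -> 206.46.170.36:25 [AP]
RCPT To:<bob@example.com>..
"""

if __name__ == "__main__":
    # Read a live ngrep -l pipe when one is attached, otherwise run on SAMPLE.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for kind, flow, value in iter_findings(source):
        print(f"{kind:15} {flow:45} {value}", flush=True)
```

Because ngrep with -l emits each matching packet as soon as it is captured, the generator reports a packet as soon as the following header arrives, so the pipeline stays near real time; the trade-off is that the last packet is only reported when the pipe closes. Findings are kept as plain tuples so they can be fed into whatever log or alerting path is already in use.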