
Author Topic: ngrep – A Network Packet Analyzer for Linux


alext

« on: August 11, 2018, 03:03:56 pm »
Ngrep (network grep) is a simple yet powerful network packet analyzer: a grep-like tool applied to the network layer. It matches traffic passing over a network interface against an extended regular expression or a hexadecimal expression, applied to the packets' data payloads (the application data carried in the packet, not the protocol headers).

The tool understands IPv4/6, TCP, UDP, ICMPv4/6, IGMP and raw packets across a number of interface types. It uses the same BPF capture-filter syntax as tcpdump, so any tcpdump filter (host, port, net, protocol) can be used to narrow what ngrep sees before the regular expression is applied.

The ngrep package is available from the default repositories of mainstream Linux distributions; install it with your package manager as shown:
Code: [Select]
$ sudo apt install ngrep
$ sudo yum install ngrep
$ sudo dnf install ngrep

After installing ngrep, you can start analyzing traffic on your Linux network using the following examples. ngrep opens the interface for capture, so it must run as root (or with CAP_NET_RAW), and because it prints raw payloads, anything captured this way (cookies, credentials, message bodies) should be treated as sensitive data.

1. The following command matches all ICMP traffic on the default interface. Open another terminal and ping a remote machine to generate some. The -q flag tells ngrep to be quiet: it prints nothing other than packet headers and their payloads. The pattern '.' matches any payload and 'icmp' is a BPF filter. In the output, 'I' marks an ICMP packet and the trailing '8:0' / '0:0' is the ICMP type:code, i.e. echo request and echo reply.

Code: [Select]
$ sudo ngrep -q '.' 'icmp'
interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( icmp ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .
I 192.168.0.104 -> 192.168.0.103 8:0
]...~oG[....j....................... !"#$%&'()*+,-./01234567
I 192.168.0.103 -> 192.168.0.104 0:0
]...~oG[....j....................... !"#$%&'()*+,-./01234567
I 192.168.0.104 -> 192.168.0.103 8:0
]....oG[............................ !"#$%&'()*+,-./01234567
I 192.168.0.103 -> 192.168.0.104 0:0
]....oG[............................ !"#$%&'()*+,-./01234567

You can press Ctrl + C to terminate it.

2. To match only traffic to or from a particular host, for instance google.com, use a BPF host filter as below, then access the site from a browser. Two caveats: libpcap resolves the name to the address(es) it returns at the time the filter is compiled, so a site served from many addresses may be captured only partially; and the port 443 traffic in the output is TLS, so ngrep is matching on encrypted bytes and no regular expression will find the HTTP inside it.
Code: [Select]
$ sudo ngrep -q '.' 'host google.com'
interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( host google.com ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .
T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
..................;.(...RZr..$....s=..l.Q+R.U..4..g.j..I,.l..:{y.a,....C{5>......p..@..EV..
T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
.............l.......!,0hJ....0.%F..!...l|.........PL..X...t..T.2DC..... ..y...~Y;.$@Yv.Q6

3. While browsing the web, run the following command to see which resources your browser requests over plain HTTP. The regular expression is anchored on the request line; HTTPS requests never match, because their request lines are encrypted.
Code: [Select]
$ sudo ngrep -q '^GET .* HTTP/1.[01]'
interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ((ip || ip6) || (vlan && (ip || ip6)))
match: ^GET .* HTTP/1.[01]
T 192.168.0.104:43040 -> 172.217.160.174:80 [AP]
GET / HTTP/1.1..Host: google.com..User-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64; GNU C 4.8.5; text)..Accept: */*..Accept-Language: en,*;q=0.1..Accept-Encoding: gzip, deflate, bzip2..Accept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,ISO-8859-5,ISO-8859-6,ISO-8859-7,ISO-8859-8,ISO-8859-9,ISO-8859-10,ISO-8859-13,ISO-8859-14,ISO-8859-15,ISO-8859-16,windows-1250,windows-1251,windows-1252,windows-1256,windows-1257,cp437,cp737,cp850,cp852,cp866,x-cp866-u,x-mac,x-mac-ce,x-kam-cs,koi8-r,koi8-u,koi8-ru,TCVN-5712,VISCII,utf-8..Connection: keep-alive....

4. To see all traffic with source or destination port 25 (SMTP), run the following command. With no pattern given, every packet that passes the filter is printed.

Code: [Select]
$ sudo ngrep port 25
5. To watch network-based syslog traffic on all interfaces (-d any) for the occurrence of the word “error”, use the following command.

Code: [Select]
$ sudo ngrep -d any 'error' port 514
The BPF filter syntax also accepts service names from “/etc/services” (on Unix-like systems such as Linux) in place of port numbers, so this command is equivalent to the one above.

Code: [Select]
$ sudo ngrep -d any 'error' port syslog
6. You can also run ngrep against an HTTP server (port 80); it matches every request to and from that host, as shown. Note the Cookie header in the capture: a session identifier sniffed like this is all an attacker needs to take over that session, which is why cleartext HTTP is a problem and why ngrep output must be handled as sensitive.

Code: [Select]
$ sudo ngrep port 80
interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42167 -> 64.90.164.74:80 [AP]
GET / HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera 7.21  [en]..Host: www.darkridge.com..Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1..Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0..Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e..Cookie2: $Version=1..Connection: Keep-Alive, TE..TE: deflate, gzip, chunked, identity, trailers....
##

As you can see above, the HTTP headers are displayed in full, but the run-together output is hard to read. The -W byline option prints the payload line by line instead; watch what happens when you apply it.

Code: [Select]
$ sudo ngrep -W byline port 80
interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42177 -> 64.90.164.74:80 [AP]
GET / HTTP/1.1.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera ...
Host: www.darkridge.com.
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9 ...
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1.
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0.
Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.
Cookie2: $Version=1.
Cache-Control: no-cache.
Connection: Keep-Alive, TE.
TE: deflate, gzip, chunked, identity, trailers
.

7. To print a timestamp in the form YYYY/MM/DD HH:MM:SS.UUUUUU each time a packet is matched, use the -t flag.

Code: [Select]
$ sudo ngrep -t -W byline port 80
interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
####
T 2018/07/12 16:33:19.348084 192.168.0.104:43048 -> 172.217.160.174:80 [AP]
GET / HTTP/1.1.
Host: google.com.
User-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64; GNU C 4.8.5; text).
Accept: */*.
Accept-Language: en,*;q=0.1.
Accept-Encoding: gzip, deflate, bzip2.
Accept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,ISO-8859-5,utf-8.
Connection: keep-alive.

8. By default ngrep puts the interface into promiscuous mode, in which the NIC passes up every frame it sees rather than only those addressed to it. To avoid that and capture only this host's own traffic, add the -p flag.

Code: [Select]
$ sudo ngrep -p -W byline port 80
9. Another useful option is -N, which tells ngrep to show the sub-protocol number along with the single-character identifier; this helps when you are observing raw or unknown protocols. Note that the command below gives no pattern and no filter, so it prints every packet on the interface.

Code: [Select]
$ sudo ngrep -N -W byline
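The two HTTP examples above (item 3's GET matching and item 6's -W byline output) leave you with a payload dump that still carries the session cookie in full. The following shell script is an added example, not part of ngrep or of the original post: it post-processes `ngrep -W byline` output into one line per HTTP request, records the method, host and path, and flags credential-bearing headers (Authorization, Cookie, Set-Cookie and similar) by name without reproducing their values, so the summary can be kept where the raw capture should not. The sample input embedded in it is constructed to mirror the byline format shown above; the addresses, cookie values and Basic credentials in it are made up.

```shell
#!/bin/sh
# Added example for this page (not part of ngrep): summarize "ngrep -W byline"
# HTTP output without copying credential values into the summary.

# Constructed sample in the shape of "ngrep -q -t -W byline port 80" output.
# Addresses, cookie values and Basic credentials are made up; byline mode shows
# the CR of each CRLF as a trailing "." exactly as in the post above.
SAMPLE='T 2018/07/12 16:33:19.348084 192.168.0.104:43048 -> 172.217.160.174:80 [AP]
GET / HTTP/1.1.
Host: google.com.
User-Agent: Links (2.13; text).
Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.
Connection: keep-alive.
.

T 2018/07/12 16:33:21.002210 192.168.0.104:43050 -> 192.168.0.50:80 [AP]
POST /login HTTP/1.1.
Host: intranet.example.
Authorization: Basic YWxpY2U6aHVudGVyMg==.
Content-Length: 0.
.

T 2018/07/12 16:33:22.111111 192.168.0.50:80 -> 192.168.0.104:43050 [AP]
HTTP/1.1 200 OK.
Set-Cookie: session=0123456789abcdef; Path=/; HttpOnly.
Content-Length: 0.
.
'

# summarize_http: stdin is ngrep byline output (with or without -t).
# stdout: one line per packet that carries an HTTP request line or a
# credential-bearing header:
#   <ts> <src> <dst> <METHOD|RESPONSE> <url|-> [SECRET:<Header>: ...]
# Only header names are reported, never their values.
summarize_http() {
    awk '
    function flush() {
        if (method != "" || secrets != "") {
            url = path
            if (host != "") url = "http://" host path
            if (url == "") url = "-"
            if (method == "") method = "RESPONSE"
            printf "%s %s %s %s %s%s\n", ts, src, dst, method, url, secrets
        }
        method = ""; path = ""; host = ""; secrets = ""
    }
    # packet header without -t:  T src -> dst [flags]
    $1 ~ /^[TU]$/ && $3 == "->" { flush(); ts = "-"; src = $2; dst = $4; next }
    # packet header with -t:     T date time src -> dst [flags]
    $1 ~ /^[TU]$/ && $5 == "->" { flush(); ts = $2 " " $3; src = $4; dst = $6; next }
    { sub(/\.$/, "") }   # drop the "." that stands for the CR of CRLF
    $1 ~ /^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH)$/ && $3 ~ /^HTTP\// {
        method = $1; path = $2; next
    }
    tolower($1) == "host:" { host = $2; next }
    tolower($1) ~ /^(authorization|proxy-authorization|cookie|set-cookie|x-api-key):$/ {
        secrets = secrets " SECRET:" $1
    }
    END { flush() }
    '
}

# count_cleartext_secrets: number of credential-bearing headers seen in the
# capture, a quick measure of how much a cleartext HTTP segment is leaking.
count_cleartext_secrets() {
    summarize_http | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SECRET:/) n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample. Live use:
#   sudo ngrep -q -t -W byline port 80 | summarize_http
printf '%s' "$SAMPLE" | summarize_http
printf 'credential-bearing headers: %s\n' "$(printf '%s' "$SAMPLE" | count_cleartext_secrets)"
```

Over the constructed sample the script emits three lines: the GET to google.com flagged for its Cookie header, the POST to /login flagged for Authorization, and the response flagged for Set-Cookie; the cookie and the Basic credentials themselves never appear in the summary. The parser accepts packet headers with and without the -t timestamp, so it works with the exact commands shown in items 3, 6 and 7.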
For more information, see the ngrep man page.

Code: [Select]
$ man ngrep
« Last Edit: August 11, 2018, 03:07:33 pm by alext »