Sponsored by BindView

ngrep 1.37

Network Grep
by
Jordan Ritter

Goal
To create a program that mimics as much functionality of GNU grep as possible, applied at the network layer.

Description
ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

Parameters

  ngrep <-hViwqevxl> <-n num> <-d dev> <-A num> <regex> <filter>

  -h  is help/usage
  -V  is version information
  -i  is ignore case
  -w  is word-regex (expression must match as a word)
  -q  is be quiet
  -e  is show empty packets
  -v  is invert match
  -x  is print in alternate hexdump format
  -l  is make stdout line buffered
  -n  is look at only num packets
  -d  is use a device different from the default (pcap)
  -A  is dump num packets after a match

  <regex>   is any extended regular expression (metachars are
            significant and don't have to be escaped)
  <filter>  is any pcap filter statement

Known Working Platforms

  • Linux 2.0.x, Linux 2.2.x (RH6+, SuSE, TurboLinux)/x86, alpha
  • Solaris 2.5.1, 2.6/SPARC, Solaris 7/x86
  • FreeBSD 2.2.5, 3.1, 3.2, 4.0
  • OpenBSD 2.4 (after upgrading pcap from 0.2)
  • Digital Unix V4.0D (OSF/1)

Examples
  • ngrep -qd eth1 'www' tcp port 80
    Be quiet, look only at TCP packets with either source or dest port 80 on interface eth1, and print anything matching 'www'.
  • ngrep -qd le0 in-addr port 53
    Look at all packets with either source or dest port 53 on interface le0 that match 'in-addr'. Be quiet.
  • ngrep 'USER|PASS' tcp port 21
    Look only at TCP packets with either source or dest port 21, looking for anything resembling an FTP login.
  • ngrep -wi 'user|pass' tcp port 21
    Look at TCP packets with either source or dest port 21 that match either 'user' or 'pass' (case insensitively) as a word.
  • ngrep -wiA 2 'user|pass' tcp port 21
    Alternatively, match either 'user' or 'pass' case insensitively, and also dump the next 2 packets following each match (that match the bpf filter).
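To make the -i, -w and -A semantics of the examples concrete, here is an added Python sketch (not ngrep's own C code) that applies the same match rules to a few constructed FTP and HTTP frames, the way a defender would audit a trace for cleartext logins. It assumes raw Ethernet II/IPv4/TCP frames rather than a pcap file, and approximates -w with \b anchors around the expression.

```python
import re
import struct

def build_frame(src_port, dst_port, payload):
    """Build a constructed Ethernet II / IPv4 / TCP frame (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return eth + ip + tcp + payload

def tcp_payload(frame):
    """Return (src_port, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol field must be TCP
        return None
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return sport, dport, frame[tcp_off + data_off:]

def ngrep_like(frames, regex, port, ignore_case=False, word=False, after=0):
    """Mimic `ngrep [-i] [-w] [-A n] <regex> tcp port <port>`; return indexes of emitted frames."""
    pattern = (r"\b(?:" + regex + r")\b") if word else regex  # -w approximation
    rx = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    emitted, pending = [], 0
    for idx, frame in enumerate(frames):
        parsed = tcp_payload(frame)
        if parsed is None or port not in parsed[:2]:
            continue  # bpf filter: only frames with the given TCP port pass
        if rx.search(parsed[2]):
            emitted.append(idx)
            pending = after  # -A: also dump this many following filter-matching frames
        elif pending > 0:
            emitted.append(idx)
            pending -= 1
    return emitted

# Constructed sample traffic (not a real capture; the credential is a placeholder).
FRAMES = [
    build_frame(40000, 21, b"USER alice\r\n"),
    build_frame(21, 40000, b"331 Password required\r\n"),
    build_frame(40000, 21, b"PASS hunter2\r\n"),
    build_frame(40000, 80, b"GET / HTTP/1.0\r\n"),
    build_frame(21, 40000, b"230 Login successful\r\n"),
]
```

Running the 'user|pass' pattern with -i alone also catches the server's "331 Password required" banner, which is exactly the noise that -w removes in the fourth example above.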


Download ngrep 1.37

Source:   ngrep-1.37.tar.gz

Binary:   ngrep-1.37-static-linux-elf.gz

Contact: info@razor.bindview.com | Fax: 508-485-0737 | Bindview Home