TrumanWong

ngrep

Convenient packet matching and display tool

Supplementary instructions

The ngrep command is the network version of grep. It aims to offer as many of grep's features as possible, applied to network traffic: it searches packet payloads for a specified pattern. Because ngrep is built on the libpcap library, it supports a large number of operating systems and network protocols. It can recognize TCP, UDP and ICMP packets and understands the BPF (Berkeley Packet Filter) filtering syntax.

Install

ngrep can be downloaded from http://ngrep.sourceforge.net/ and libpcap from http://www.tcpdump.org/. First run yum install libpcap to install libpcap completely; note that an incomplete libpcap installation will sometimes prevent ngrep from working.

If yum cannot install it, build libpcap from source with the following steps:

wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz
tar -zxf libpcap-1.3.0.tar.gz
cd libpcap-1.3.0
./configure
make && make install

ngrep itself is installed with the usual configure, make, make install sequence.

Note: when running configure, remove any leftover pcap installations first and pass the following option so that the freshly built libpcap headers are used:

./configure --with-pcap-includes=/usr/local/include/pcap

After installation, run ngrep to verify that it was installed successfully.

Syntax

ngrep <-LhNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
<-s snaplen> <-S limitlen> <-w normal|byline|single|none> <-c cols>
<-P char> <-F file> <match expression> <bpf filter>

Options

-e # Display empty packets
-i # Ignore case
-v # Invert the match (show packets that do not match)
-R # Do not drop privileges after the capture interface is opened
-x # Display packet contents in hexadecimal
-X # Treat the match expression as hexadecimal
-w # Match whole words only
-p # Do not put the interface into promiscuous mode
-l # Make stdout line buffered
-D # Replay pcap dumps with their recorded time intervals
-t # Print a timestamp before each matching packet
-T # Print the time elapsed since the previous matching packet
-M # Only match single lines (disable multi-line matching)
-I # Read packets from a pcap file instead of an interface
-O # Save matching packets to a pcap file
-n # Stop after the specified number of matching packets
-A # Dump the specified number of packets following each match
-s # Set the BPF caplen (snapshot length)
-S # Set the limitlen on matched packets
-W # Set the display format (normal|byline|single|none); byline honors the newline characters in the packet payload
-c # Force the display column width
-P # Set the character used to show non-printable bytes (the default is '.')
-F # Read the BPF (Berkeley Packet Filter) expression from the given file
-N # Show the IP sub-protocol number as defined by IANA
-d # Network interface to listen on (list the available interfaces with -L)
-L # List the available network interfaces

Example

Capture the requests and responses of cloudian on port 18080. -W byline honors the newline characters in the packet; otherwise the whole payload is printed as one continuous run and readability is poor. -d lo listens on the loopback interface:

ngrep -W byline -d lo port 18080

Capture amazon's requests and responses on port 80. -d eth0 listens on the external interface:

ngrep -W byline -d eth0 port 80

Use -d any to capture on all interfaces:

ngrep '[a-zA-Z]' -t -W byline -d any tcp port 18080

Match the string .flv, for example to find the download address of the .flv file behind a Flash video player on a web page:

ngrep -d3 -N -q \.flv
interface: \Device\TNT_40_1_{670F6B50-0A13-4BAB-9D9E-994A833F5BA9} (10.132.0.0/255.255.192.0)
match: \.flv

Then open a video page:

T(6) 10.132.34.23:24860 -> 61.142.208.154:80 [AP]
GET /f59.c31.56.com/flvdownload/12/19/ggyg7741@56.com_56flv_zhajm_119556973
97.flv HTTP/1.1..accept: */*..Referer: http://www.56.com/flashApp/v_player_
site.swf..x-flash-version: 9,0,45,0..UA-CPU: x86..Accept-Encoding: gzip, de
flate..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET
CLR 2.0.50727; .NET CLR 3.0.04506.30)..host: f59.r.56.com..Connection: Keep
-Alive..Cookie: historyview=23423759-23635627-23423344-23171935-23058374-2
3081156-23207350-22395727-; geoip=............; wl_all_s=y....

The address has been found: http://f59.c31.56.com/flvdownload/12/19/ggyg7741@56.com_56flv_zhajm_11955697397.flv

With the -W byline parameter, the newline characters in the packet are honored and each header line is printed on its own line:

T(6) 2007/11/25 15:56:12.192619 10.132.34.23:26365 -> 59.151.21.101:80 [AP]
GET /aa.flv HTTP/1.1.
Accept: */*.
Accept-Language: zh-cn.
UA-CPU: x86.
Accept-Encoding: gzip, deflate.
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.5072
7; .NET CLR 3.0.04506.30).
Host: www.google.cn.
Connection: Keep-Alive.
Cookie: PREF=id=a0b2932c336477e9:TB=4:NW=1:TM=1187877372:LM=1187956074:S=Y1Fzndp
rT3vFo7ac; SID=DQAAAHcAAABJCEXeOVLHu2rIfb5BfKP3GG9PbhJDEkXsLTV8y0f_lvSd2Y46Q0FPt
83CnEs9rxA1xBDM9mLR8-ckWeScyOQA8PyYnX5u5OjFvjfRbDg_FDZfwxhRzqS9KPZv26pjnsUxs0FDM
1xpJ5AgDn38pXtlCdkksJ0-cbiIWoA61oHWMg; NID=7=AvJxn5B6YOLLxoYz4LLzhIbNsQUQiulRS6U
JGxdBniQBmXm99y7L-NBNORN82N3unmZSGHFPfePVHnLK2MjYjglyXZhU9x7ETXNBnY3NurNijHDhJ7K
yi7E53UBOcv4V.
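The output above is easy to read by eye but awkward to post-process, which matters once ngrep is used for monitoring rather than a one-off look. The following Python script is an added example, not ngrep's own code: it parses the -W byline text format shown on this page (a header line, then payload lines, then a blank separator) and extracts the HTTP requests and the URLs they fetch, the same question the .flv search above answers by hand. It goes slightly beyond the page's excerpt in that the header parser accepts lines with or without the -N protocol number, the -t timestamp and the TCP flag block, so the same code reads output from all three example invocations. It relies on one fact about ngrep not spelled out on the page: the CR of each CRLF is still non-printable and is shown as the -P character, '.' by default, which is why every line in the capture above ends in a dot. The sample capture embedded in the script is constructed from the page's byline request (cookie shortened) plus a made-up response, DNS query and second request.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Header line as ngrep prints it, e.g.
#   T(6) 2007/11/25 15:56:12.192619 10.132.34.23:26365 -> 59.151.21.101:80 [AP]
# "(6)" appears only with -N, the timestamp only with -t, [flags] only for TCP.
HEADER_RE = re.compile(
    r"^(?P<proto>[TUI])(?:\((?P<ipproto>\d+)\))?\s+"
    r"(?:(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+)?"
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)"
    r"(?:\s+\[(?P<flags>[A-Z]*)\])?\s*$"
)
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")
METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT"}

@dataclass
class Packet:
    proto: str                  # T (TCP), U (UDP) or I (ICMP)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""
    ts: Optional[str] = None
    payload: List[str] = field(default_factory=list)

def parse_ngrep_byline(text: str) -> List[Packet]:
    """Split ngrep -W byline output into packets.

    The CR of a CRLF is non-printable and is shown as the -P character ('.' by
    default), so one trailing '.' is stripped. Runs of '#' are progress markers.
    """
    packets: List[Packet] = []
    current: Optional[Packet] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Packet(m["proto"], m["src"], int(m["sport"]), m["dst"],
                             int(m["dport"]), m["flags"] or "", m["ts"])
            packets.append(current)
        elif current is not None and not line.startswith("#"):
            current.payload.append(line[:-1] if line.endswith(".") else line)
    for p in packets:               # drop the blank separator lines after each packet
        while p.payload and p.payload[-1] == "":
            p.payload.pop()
    return packets

def http_requests(packets: List[Packet]) -> List[Dict[str, str]]:
    """One record per TCP packet whose payload starts with an HTTP request line.
    Header names are compared case-insensitively; the page's capture has 'host:'."""
    found: List[Dict[str, str]] = []
    for p in packets:
        m = REQUEST_LINE_RE.match(p.payload[0]) if p.proto == "T" and p.payload else None
        if not m or m["method"] not in METHODS:
            continue
        headers: Dict[str, str] = {}
        for line in p.payload[1:]:
            if line == "":              # empty line ends the header block
                break
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        host = headers.get("host", p.dst)
        target = m["target"]
        url = target if target.startswith("http") else f"http://{host}{target}"
        found.append({"src": p.src, "dst": p.dst, "method": m["method"],
                      "target": target, "host": host, "url": url})
    return found

def urls_matching(packets: List[Packet], pattern: str) -> List[str]:
    r"""URLs of requests whose target matches `pattern`, e.g. r'\.flv$'."""
    rx = re.compile(pattern)
    return [r["url"] for r in http_requests(packets) if rx.search(r["target"])]

# Constructed sample: the page's byline request (cookie shortened), a made-up
# response, a progress-marker line, a DNS query and a second request.
SAMPLE = """\
T(6) 2007/11/25 15:56:12.192619 10.132.34.23:26365 -> 59.151.21.101:80 [AP]
GET /aa.flv HTTP/1.1.
Accept: */*.
Host: www.google.cn.
Cookie: PREF=id=a0b2932c336477e9.
.

T(6) 2007/11/25 15:56:12.250000 59.151.21.101:80 -> 10.132.34.23:26365 [AP]
HTTP/1.1 200 OK.
.

####
U 2007/11/25 15:56:13.000000 10.132.34.23:5353 -> 10.132.0.1:53
..example.com.....

T(6) 2007/11/25 15:56:14.000000 10.132.34.23:26366 -> 59.151.21.101:80 [AP]
GET /index.html HTTP/1.1.
host: www.example.com.
.
"""

if __name__ == "__main__":
    for r in http_requests(parse_ngrep_byline(SAMPLE)):
        print(f"{r['src']} -> {r['dst']}  {r['method']} {r['url']}")
```

In practice the script is fed from a pipe, for example ngrep -q -t -W byline -d any tcp port 80 piped into it with stdin read in place of SAMPLE; -q suppresses the '#' markers and -l keeps the pipe line-buffered. Stripping exactly one trailing dot is a deliberate trade-off: a header value that legitimately ends in a period loses it, whereas trying to guess which dots were CRs from a single-dot display character cannot be done reliably, which is also why -P should be set to a character that never appears in the traffic if exact payloads matter.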