Network Grep for the Folks Who Love to Grep!

Network grep (ngrep) is a great program that lets you search and filter network packets quickly, and it has an obvious resemblance to the familiar Linux grep. Ngrep can analyze live traffic from an interface or read saved pcaps. Its man page is straightforward. Ngrep currently recognizes IPv4/6, TCP, UDP, ICMPv4/6 and IGMP, and it understands both regular expressions and hex expressions, which is a huge benefit. In the simplest terms, ngrep applies the most common features of grep at the network layer. A few key switches that I typically use are listed below; the full list is in the man page.

-q | 'Quiet' the output by printing only packet headers and matching payloads (no '#' for non-matching packets)
-t | Print a timestamp every time there is a match
-i | Ignore case in the match expression
-I | Read packets from a saved pcap file instead of an interface
-w | The expression must match as a whole word (regex word boundaries)
-W byline | Print linefeeds in the payload as linefeeds, making the output prettier and more legible
-s | Set the BPF capture length (snaplen)

Below are a few examples of common usages of ngrep.

This command will query all interfaces and protocols for a string match of ‘HTTP’.

ngrep -q 'HTTP'

If you have a network capture file in .pcap format, use -I $FILE to filter the capture instead of a network interface. This can be handy, for example, if you have a record of a networking event and you need to do a quick analysis.

ngrep -I some_capture.pcap

The reverse of the above: the -O flag captures from a network interface and writes the matched packets to a file in .pcap format, which you can re-read later with -I.

ngrep -O network_capture.pcap -q 'HTTP'

Search a saved capture for the string ".exe", ignoring case. The dot is escaped so the regex matches a literal period rather than any character.

ngrep -I attack-trace.pcap -W byline -i '\.exe'

Monitor for current email transactions and print the addresses.

ngrep -i 'rcpt to|mail from' tcp port smtp

This will show the USER and PASS commands of every FTP control session on port 21, which FTP sends in cleartext.

ngrep -i -q 'pass|user' port 21

Capture network traffic on the eth0 interface and show the parameters following HTTP GET or POST methods. Note that ngrep's -n takes a numeric argument (stop after that many matches), so it is omitted here.

ngrep -d eth0 "GET |POST " tcp and port 80

Monitor all traffic on your network using port 80 with a source IP of 12.34.56.78

ngrep port 80 and src host 12.34.56.78

Monitor all traffic on your network using port 80 with a source IP of 12.34.56.78 and destination of 98.76.54.32

ngrep port 80 and src host 12.34.56.78 and dst host 98.76.54.32

Search for the whole word "login" traversing port 23 (telnet), using the regex word-match switch and ignoring case

ngrep -wi "login" port 23

The match expression can be combined with a pcap filter. For example, suppose we wanted to look for DNS traffic mentioning cyberfibers.com

ngrep -q -W byline cyberfibers.com udp port 53
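The cleartext-credential searches above (the SMTP, FTP and telnet commands) are more useful in an audit when the matches are summarised per client/server pair rather than read packet by packet. The script below is an added example and is not part of the original post or of ngrep itself: it runs ngrep over a saved capture with those three matches combined, then parses the -q -W byline output with awk, keeping one line per source/destination pair and redacting the value of any PASS command. The capture name, the addresses and the sample ngrep output embedded in the script are constructed; the sample follows the shape of ngrep's byline output (a "T src -> dst [flags] #n" header, payload lines with the CR of CRLF rendered as a trailing '.', and the start-up and exit banner lines).

```shell
#!/bin/sh
# Added example (not from the original post): audit a saved capture for
# cleartext logins with ngrep, then summarise which client talked to which
# server. Capture name, addresses and the sample output are constructed.

# Run ngrep over a pcap with the post's FTP/SMTP/telnet matches combined and
# hand the output to the summariser. The BPF limits the search to the three
# cleartext protocols so the regex is not applied to every packet.
audit_pcap() {
    ngrep -I "$1" -q -W byline -i 'user |pass |rcpt to|mail from|login' \
        'tcp port 21 or tcp port 25 or tcp port 23' | summarise_ngrep
}

# Parse ngrep -q -W byline output from stdin. A header such as
#   T 10.0.0.5:40001 -> 10.0.0.9:21 [AP] #3
# is followed by that packet's payload lines; non-printable bytes (the CR of
# CRLF) are shown as '.', so a trailing '.' is stripped. Banner and exit
# statistics lines are ignored, and PASS values are never printed.
summarise_ngrep() {
    awk '
        /^[TU] [0-9a-fA-F.:]+ -> [0-9a-fA-F.:]+/ { src = $2; dst = $4; next }
        /^(input|interface|filter|match):/ { next }     # start-up banner
        /^exit$/ || /^[0-9]+ received, [0-9]+ dropped$/ { next }
        src != "" && NF > 0 {
            line = $0; sub(/\.$/, "", line)             # drop rendered CR
            if (tolower(line) ~ /^pass /) line = "PASS [redacted]"
            key = src " -> " dst
            if (!(key in seen)) { order[++n] = key; seen[key] = "" }
            seen[key] = seen[key] (seen[key] == "" ? "" : "; ") line
        }
        END { for (i = 1; i <= n; i++) print order[i] ": " seen[order[i]] }
    '
}

# Constructed sample in the shape of "ngrep -I file -q -W byline" output.
SAMPLE_NGREP_OUTPUT=$(cat <<'EOF'
input: ftp-session.pcap
filter: ( tcp port 21 ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: user |pass

T 10.0.0.5:40001 -> 10.0.0.9:21 [AP] #3
USER alice.

T 10.0.0.5:40001 -> 10.0.0.9:21 [AP] #5
PASS hunter2.

T 10.0.0.7:40100 -> 10.0.0.9:21 [AP] #8
USER bob.

exit
8 received, 0 dropped
EOF
)

# Summarise the constructed sample without needing ngrep installed.
demo() { printf '%s\n' "$SAMPLE_NGREP_OUTPUT" | summarise_ngrep; }

# With a pcap argument, audit it; with none, run the offline demo.
if [ -n "${1:-}" ]; then audit_pcap "$1"; else demo; fi
```

Running it without arguments prints the two client/server pairs from the sample, with the FTP password replaced by "[redacted]"; `sh audit.sh capture.pcap` runs the real ngrep pass over a capture.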

Berkeley Packet Filter (BPF) syntax adds to the flexibility of ngrep. BPF provides a rich syntax for selecting packets by information such as IP address, IP protocol and port number, and ngrep passes everything after the match expression to it as the filter.

IP address

ngrep -q 'HTTP' 'host 192.168' matches all packets containing the string 'HTTP' sent to or from an IP address starting with "192.168"
ngrep -q 'HTTP' 'dst host 192.168' does the same, but only matches on the destination address
ngrep -q 'HTTP' 'src host 192.168' does the same, but only matches on the source address

IP protocol

ngrep -q 'HTTP' 'tcp'
ngrep -q 'HTTP' 'udp'
ngrep -q 'HTTP' 'icmp'

Port number

ngrep -q 'HTTP' 'port 80'

For even more granularity, you can combine primitives with the boolean connectives and, or and not (and group them with parentheses) to specify exactly what you're looking for.
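Combining primitives by hand is where filters go wrong: "not A or B" means "(not A) or B", and a forgotten pair of parentheses silently widens the capture. The helper below is an added example, not part of the original post or of ngrep: it assembles a BPF expression for ngrep from a watched port, a source address or network, and an optional comma-separated list of hosts or networks to exclude, choosing the host or net primitive by whether the value is CIDR notation and parenthesising the exclusion group. The addresses in the comments and usage line are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): compose a combined BPF filter
# for ngrep from a port, a source, and a list of exclusions. Addresses used
# in the comments and the usage line are constructed.

# Print the right primitive for a value: "net X" for CIDR, "host X" otherwise.
bpf_addr() {
    case "$1" in
        */*) printf 'net %s' "$1" ;;
        *)   printf 'host %s' "$1" ;;
    esac
}

# Usage: bpf_watch PORT SRC [EXCLUDE,EXCLUDE,...]
# Example result:
#   port 80 and src net 10.0.0.0/24 and not (host 10.0.0.5 or host 10.0.0.6)
bpf_watch() {
    port="$1"; src="$2"; exclude="${3:-}"
    filter="port $port and src $(bpf_addr "$src")"
    clause=""
    old_ifs="$IFS"; IFS=,
    for h in $exclude; do
        [ -n "$h" ] || continue
        # Join the exclusions with "or" so they form one group.
        clause="$clause${clause:+ or }$(bpf_addr "$h")"
    done
    IFS="$old_ifs"
    if [ -n "$clause" ]; then
        # Parenthesise: "not A or B" would otherwise read as "(not A) or B".
        filter="$filter and not ($clause)"
    fi
    printf '%s\n' "$filter"
}

# Watch HTTP from a source, skipping the excluded hosts; ngrep takes the BPF
# as the arguments that follow the match expression, so the result is
# deliberately left unquoted to be split into words.
watch_http_from() {
    ngrep -q -W byline 'HTTP' $(bpf_watch 80 "$1" "${2:-}")
}

# Usage (constructed addresses): watch_http_from 10.0.0.0/24 10.0.0.5,10.0.0.6
```

Calling `bpf_watch` on its own prints the filter so you can review it before handing it to ngrep; the same string can be given to tcpdump, which uses the same filter syntax, to confirm it compiles.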