
Network Analysis: Using ngrep

What is Ngrep?

We might want to analyze our network for many reasons: during or after an attack, or simply out of curiosity. Because of this, there are tools that make the job easier. Ngrep is the network version of the grep we already know. It is used to watch and analyze network traffic such as HTTP, SMTP, FTP and more.

Setup:

 apt install ngrep

Example:

 ngrep -d any port 80

It will show all of the traffic on port 80. The -d option selects the interface to capture on (eth0, wlan0 and so on); any captures on all interfaces.

I know this output looks quite confusing, so let’s add another parameter that makes it easier to read.

 ngrep -d any -W Byline port 80

To see all the SMTP traffic:

 ngrep -d any port 25

Ngrep supports BPF filter logic, so you can filter by host, network, port, destination and source, and combine the conditions with the operators “and”, “or” and “not”.

 ngrep -d wlan0 port 1234 or 4321 and host 12.12.12.12

We’re seeing the packets to or from 12.12.12.12 that have 1234 or 4321 as their source or destination port. Let’s try it with a specific source IP and destination this time.

 ngrep -d wlan0 port 4444 and src 192.168.1.212 and dst 192.168.1.54

We’re seeing the packets on port 4444 that go from 192.168.1.212 to 192.168.1.54. Now let’s look at the packets on port 54321 that have 192.168.1.212 as their source but do not have 192.168.1.54 as their destination.

 ngrep -d wlan0 port 54321 and src 192.168.1.212 and dst not 192.168.1.54

Recording the Traffic

 ngrep -O /root/http.dump -d any port http

As you can see, I wrote http in the port field: the port can be given as a service name instead of a number.

Sample Output:

You can open the previously saved file with the command below.

 ngrep -I file_name
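Once traffic has been written to a dump file with -O, the same port/host filtering and payload search can be done offline. The following Python is an added example (not from this post or from ngrep itself): it builds a small constructed pcap in the format ngrep -O writes, then applies a BPF-style port/host filter and a regex to each TCP payload, the way `ngrep -I file_name` with a filter would. The addresses, ports and payloads are all made up for the example.

```python
import re
import socket
import struct
def tcp_packet(src, dst, sport, dport, payload):
    eth = b"\x00" * 12 + b"\x08\x00"                       # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 1024, 0, 0)  # checksums 0
    return eth + ip + tcp + payload

def pcap_file(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)  # record header
    return b"".join(out)

# Constructed dump standing in for /root/http.dump; not real captured traffic.
SAMPLE_DUMP = pcap_file([
    tcp_packet("192.168.1.212", "203.0.113.10", 51000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    tcp_packet("203.0.113.10", "192.168.1.212", 80, 51000, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    tcp_packet("192.168.1.212", "192.168.1.54", 51001, 4444, b"hello\r\n"),
])

def iter_tcp(dump):
    """Yield (src, dst, sport, dport, payload) for each IPv4/TCP frame in a pcap file."""
    endian = "<" if struct.unpack("<I", dump[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                               # skip the global header
    while off + 16 <= len(dump):
        caplen = struct.unpack(endian + "IIII", dump[off:off + 16])[2]
        frame = dump[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or len(ip) < 20 or ip[9] != 6:  # keep only IPv4 + TCP
            continue
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4                          # TCP header length incl. options
        yield socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[doff:]

def grep_dump(dump, pattern, port=None, host=None):
    """Emulate 'ngrep -I dump pattern port N and host H': filter, then regex on the payload."""
    rx = re.compile(pattern.encode())
    hits = []
    for src, dst, sport, dport, payload in iter_tcp(dump):
        port_ok = port is None or port in (sport, dport)   # like BPF 'port N' (either direction)
        host_ok = host is None or host in (src, dst)       # like BPF 'host H'
        if port_ok and host_ok and rx.search(payload):
            hits.append((f"{src}:{sport} -> {dst}:{dport}", payload))
    return hits
```

Each hit carries the connection tuple and the raw payload, so printing the payload with line breaks gives the same readable view that -W byline gives on a live capture.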


Melisa Ayşe Demirel


KernelBlog.org | Author - Translator
