Network Analysis: Ngrep
What is ngrep?
You may want to do network analysis for many reasons: during or after an attack, or simply out of curiosity. That is why there are tools that make analyzing your network easier. ngrep is the network counterpart of grep: it lets you search and analyze any kind of network traffic (HTTP, SMTP, FTP and so on).
The tool now prints all traffic on port 80. The "-d" option selects the network interface to listen on (eth0, wlan0, etc.).
This output is rather messy, isn't it? We can add another parameter to fix that.
To see all SMTP traffic:
ngrep supports BPF filter syntax, so you can combine "and", "or" and "not" with the host, network, port, destination and source qualifiers.
This shows packets whose source or destination port is 1234 or 4321, as well as packets whose source or destination IP is 220.127.116.11.
Now let’s specify the target IP and port.
This shows packets going from 192.168.1.212 to 192.168.1.54 on port 4444.
Now let's look at packets whose source is 192.168.1.212 but whose destination is not 192.168.1.54.
Recording the Traffic
Notice that I wrote http in the port position: a port can be given by its service name as well as by its number.
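The filters used above (combining and/or/not with host, port, src and dst, and naming a port by service) follow BPF semantics. As an added illustration that is not ngrep's own code, the Python below evaluates such expressions over a few constructed packet records; the SERVICES table, the packet fields and the sample addresses are assumptions made for the example.

```python
# Added illustration, not ngrep's own code: a toy evaluator for the BPF-style
# filters ngrep accepts (and / or / not with host, port, src, dst qualifiers).
SERVICES = {"http": 80, "smtp": 25, "ftp": 21}  # stand-in for /etc/services (assumption)
PACKETS = [  # constructed sample traffic, not a real capture
    {"src_host": "192.168.1.212", "dst_host": "192.168.1.54", "src_port": 51000, "dst_port": 4444},
    {"src_host": "192.168.1.212", "dst_host": "192.168.1.1", "src_port": 51001, "dst_port": 80},
    {"src_host": "220.127.116.11", "dst_host": "192.168.1.54", "src_port": 1234, "dst_port": 8080},
]

class Filter:
    """expr := term ('or' term)*; term := factor ('and' factor)*; factor := 'not' factor | [src|dst] (host|port) VALUE"""
    def __init__(self, expr):
        self.toks = expr.split()        # consumed left to right with pop(0)
        self.pred = self._expr()
        if self.toks:
            raise ValueError("trailing tokens: %r" % self.toks)
    def _accept(self, word):            # consume `word` if it is the next token
        if self.toks[:1] == [word]:
            self.toks.pop(0)
            return True
        return False
    def _expr(self):                    # 'or' binds loosest, as in BPF
        left = self._term()
        while self._accept("or"):
            l, r = left, self._term()
            left = lambda p, l=l, r=r: l(p) or r(p)
        return left
    def _term(self):                    # 'and' binds tighter than 'or'
        left = self._factor()
        while self._accept("and"):
            l, r = left, self._factor()
            left = lambda p, l=l, r=r: l(p) and r(p)
        return left
    def _factor(self):
        tok = self.toks.pop(0)
        if tok == "not":
            inner = self._factor()
            return lambda p: not inner(p)
        sides = ["src", "dst"]          # bare 'host'/'port' matches either side
        if tok in sides:
            sides, tok = [tok], self.toks.pop(0)
        if tok not in ("host", "port"):
            raise ValueError("unexpected token %r" % tok)
        raw = self.toks.pop(0)
        value = raw if tok == "host" else (SERVICES.get(raw) or int(raw))  # 'port http' -> 80
        return lambda p: any(p[s + "_" + tok] == value for s in sides)

def select(expr, packets=PACKETS):
    """Return the packets the filter matches, i.e. the ones ngrep would print."""
    f = Filter(expr)
    return [p for p in packets if f.pred(p)]
```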
You can open previously recorded traffic using the command below: