KernelBlog

Network Analysis: Ngrep

What is ngrep?

You may want to do network analysis for many reasons: during or after an attack, or just out of pure curiosity. There are tools that make this analysis easier. Ngrep is the network version of the grep tool. It’s used to track and analyze any kind of network traffic (HTTP, SMTP, FTP etc.).

Setup:

apt install ngrep

Example:

ngrep -d any port 80

Now the tool will print all traffic on port 80. The “-d” option selects the network interface (eth0, wlan0 etc.); “any” captures on all of them.

This output is kind of messy, isn’t it? We can add another parameter to fix that!

ngrep -d any -W Byline port 80

To see all SMTP traffic:

ngrep -d any port 25

[Screenshot: the captured text says “Hello kernelblog”]

ngrep supports BPF filter syntax, so you can combine conditions with “and”, “or” and “not” and filter by host, network, port, destination and source.

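ngrep -d wlan0 port 1234 or 4321 and host 12.12.12.12

[Screenshot: the text on port 1234 says “Hello from 1234th port”]

We’re seeing packets whose source or destination port is 1234 or 4321 and whose source or destination IP is 12.12.12.12. Both conditions must hold: BPF gives “and” and “or” equal precedence and evaluates them left to right, so the filter is read as (port 1234 or port 4321) and host 12.12.12.12.

Now let’s specify the target IP and port.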

ngrep -d wlan0 port 4444 and src 192.168.1.212 and dst 192.168.1.54

We’re seeing packets going from 192.168.1.212 to 192.168.1.54 on port 4444.

Now let’s look at packets whose source is 192.168.1.212 but whose destination is not 192.168.1.54:

ngrep -d wlan0 port 54321 and src 192.168.1.212 and dst not 192.168.1.54

[Screenshot: the captured text says “I am here 🙂”]

Recording the Traffic

ngrep -O /root/http.dump -d any port http

Notice that I wrote http where the port number goes. You can give a port by its service name, not only by its number.

You can open previously recorded traffic using the command below:

ngrep -I file_name
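
Added example, not part of the original post: the dump that -O writes is a standard pcap file, so it can also be post-processed in a script. This Python example (standard library only; the function names are hypothetical) reads such a file, handles the Linux “cooked” link type that a capture with -d any produces, and applies the same port/src/dst selection as the filters above. The sample capture is constructed.

```python
import socket
import struct
LINK_HEADER_LEN = {1: 14, 113: 16}  # Ethernet; Linux "cooked" capture (-d any)

def read_flows(data):
    """Yield (src, sport, dst, dport, payload) per unfragmented IPv4 TCP/UDP packet."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    l2 = LINK_HEADER_LEN.get(struct.unpack(endian + "I", data[20:24])[0])
    if l2 is None:
        raise ValueError("unsupported link type")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ip = pkt[l2:]
        if len(ip) < 20 or pkt[l2 - 2:l2] != b"\x08\x00" or ip[9] not in (6, 17):
            continue  # truncated, EtherType (last 2 link bytes) not IPv4, or not TCP/UDP
        ihl, tcp = (ip[0] & 0x0F) * 4, ip[9] == 6
        if len(ip) < ihl + (13 if tcp else 8) or struct.unpack("!H", ip[6:8])[0] & 0x3FFF:
            continue  # transport header cut off by snaplen, or an IP fragment
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        hdr = (ip[ihl + 12] >> 4) * 4 if tcp else 8
        end = struct.unpack("!H", ip[2:4])[0]  # IP total length drops link padding
        yield (socket.inet_ntoa(ip[12:16]), sport,
               socket.inet_ntoa(ip[16:20]), dport, ip[ihl + hdr:end])

def select(flows, port, src, dst=None, not_dst=None):
    """Same selection as 'port P and src S and dst D' or '... and dst not D'."""
    for s, sp, d, dp, payload in flows:
        if port in (sp, dp) and s == src and dst in (None, d) and d != not_dst:
            yield s, sp, d, dp, payload

def sample_pcap():
    """Constructed capture: two TCP packets in a cooked-mode pcap (link type 113)."""
    def record(src, dst, sport, dport, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = bytes(14) + b"\x08\x00" + ip + tcp + payload
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113)
    return (header + record("192.168.1.212", "192.168.1.54", 50000, 4444, b"hello")
            + record("192.168.1.212", "192.168.1.99", 50001, 4444, b"other"))

if __name__ == "__main__":
    print(list(select(read_flows(sample_pcap()), 4444, "192.168.1.212", "192.168.1.54")))
```

To use it on a real dump, pass the file’s bytes to read_flows, for example the contents of /root/http.dump opened in binary mode.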

Good Luck!

Melisa Ayşe Demirel
KernelBlog.org | Author - Translator