Linux Commands

What is ngrep and How to Use It?

Even though tshark and tcpdump are the most popular packet sniffing tools that dig down to the level of bits and bytes of the traffic. ngrep is another command-line nix utility that analyzes network packets and searches for them on a given regex pattern.

The utility uses pcap and GNU library to perform regex string searches. ngrep stands for Network grep that is similar to the regular grep utility. The only difference is that ngrep parses text in network packets by using regular or hexadecimal expressions.

In this article, we learn about a command-line, feature-rich utility known as ngrep that is handy for quick PCAP analysis and packet dumping.

Introduction

ngrep provides grep-like capabilities for the third layer of the OSI model, that is, currently, the tool works with IPv4/6, TCP, UDP, ICMPv4/6, IGMP protocols. Hence, the utility recognizes various protocols, captures live traffic, and examines captured pcap files. The best advantage of the ngrep utility is that a regular grep user can use his text parsing knowledge in ngrep.

Getting Started

Update the Ubuntu repository and install ngrep utility via apt-get package management tool:

ubuntu@ubuntu:~$ sudo apt-get update
ubuntu@ubuntu:~$ sudo apt-get install ngrep

The tool requires sudo-privileges to run deep packet inspection commands. Whereas the general tool syntax is as follows:

ubuntu@ubuntu:~$ ngrep <options> pattern/expression <filter>

The patterns are the regular expression users search for in a network packet. The filter option indicates Berkeley packet filter (BPF) that includes a series of keywords to specify packet selection rules. The keywords include protocol, source, or destination host, and ports, etc.

Capture Packets

No filter option captures all packets from the default interface, for instance, the following command will capture all network packets from all the interfaces.

ubuntu@ubuntu:~$ sudo ngrep

To list all the available interfaces, use the following command and press TAB multiple times to output all interfaces:

ubuntu@ubuntu:~$ sudo ngrep -d [TAB] [TAB]
enp0s3 lo

Basic Usage

The output to the above command shows loads of packet details on the terminal. ngrep offers a quiet “-q” option that queries all the interfaces and protocols for a specific string match, quiets the output, and only prints packet header details of relevant payload.

ubuntu@ubuntu:~$ sudo ngrep -q
[sudo] password for ubuntu:
interface: enp0s3 (10.0.2.0/255.255.255.0)
filter: ((ip || ip6) || (vlan && (ip || ip6)))

T 10.0.2.15:35524 -> 142.250.180.46:443 [AP] #1
  ...."7c.X]e.Nu...m.'.U.....&....u.%z...                                                                                                                            
T 10.0.2.15:35524 -> 142.250.180.46:443 [AP] #2
  ......h..'.@aQ?aN}.'K...                                                                                                                                          
T 142.250.180.46:443 -> 10.0.2.15:35524 [A] #4
  ......

The above command with the ‘HTTP’ string displays/catches packets with the searched string.

ubuntu@ubuntu:~$ sudo ngrep -q 'HTTP'

Add the t flag in the above command to print a timestamp with the match information in the YYYY/MM/DD HH:MM:SS.UUUUUU format. Similarly, using the T flag will print elapsed time between immediate matches and timestamps in +S.UUUUUU format.

ubuntu@ubuntu:~$ sudo ngrep -qt 'HTTP'

ubuntu@ubuntu:~$ sudo ngrep -qT 'HTTP'
interface: enp0s3 (10.0.2.0/255.255.255.0)
filter: ((ip || ip6) || (vlan && (ip || ip6)))
match: HTTP
T +24.714768 10.0.2.15:48096 -> 142.250.185.35:80 [AP] #1453
  POST /gts1o1core HTTP/1.1..Host: ocsp.pki.goog..User-Agent: Mozilla/5.0

Use the -W option with a byline flag to print output in an easy-to-understand and legible format.

ubuntu@ubuntu:~$ sudo ngrep -q -Wbyline 'HTTP'
T 10.0.2.15:48570 -> 142.250.185.35:80 [AP] #589
POST /gts1o1core HTTP/1.1.
Host: ocsp.pki.goog.
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0.
Accept: */*.
Accept-Language: en-US,en;q=0.5.
Accept-Encoding: gzip, deflate.
Content-Type: application/ocsp-request.
Content-Length: 83.
Connection: keep-alive.

ngrep saves the captured network traffic in a pcap format that can be uploaded to Wireshark for deeper packet analysis. Use the -O option to write the searched output to a pcap file:

ubuntu@ubuntu:~$ ngrep -O http_capture.pcap -qt 'HTTP'

Just like any other network sniffing tools, ngrep allows reading saved network traffic such that the -qt option helps to filter the captured traffic instead of an interface.

ubuntu@ubuntu:~$ ngrep -I http_capture.pcap -qt 'HTTP'

BPF Filters

BPF includes rich syntax to filter packets based on IP address, ports, and protocols. The following commands search the traffic for TCP and UDP packets:

ubuntu@ubuntu:~$ ngrep -W byline 'HTTP' 'tcp'

ubuntu@ubuntu:~$ ngrep -W byline 'HTTP' 'udp'

To filter all the packets on the enp0s3 interface for port 80, run the following command:

ubuntu@ubuntu:~$ ngrep -d enp0s3 -W byline port 80

Similarly, use the given below commands to match the headers containing HTTP string from destination and source host:

ubuntu@ubuntu:~$ ngrep -q 'HTTP' 'dst host 172.217'

ubuntu@ubuntu:~$ ngrep -q 'HTTP' 'src host '10.0'

Lastly, the following command with a host filter matches all headers from the “10.0.2” ip address.

ubuntu@ubuntu:~$ ngrep -q 'HTTP' 'host 10.0.2'

String-based Network Packet Search

The ngrep utility can combine the above commands to search TCP packets on port 80 for a specific string of ‘User-Agent’.

ubuntu@ubuntu:~$ sudo ngrep -d enp0s3 -W byline -i "User-Agent:" tcp and port 80

where -i option ignores the case for regex expression.

Similarly, the below command displays all the packets on port 80 with the GET or POST string.

ubuntu@ubuntu:~sudo ngrep -d enp0s3 -i "^GET|^POST" tcp and port 80
interface: enp0s3 (10.0.2.0/255.255.255.0)
filter: ( tcp and port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: ^GET|^POST
#######
T 10.0.2.15:59876 -> 34.122.121.32:80 [AP] #7
  GET / HTTP/1.1..Host: connectivity-check.ubuntu.com..Accept:
###########
T 10.0.2.15:48634 -> 34.107.221.82:80 [AP] #18
  GET /success.txt HTTP/1.1..Host: detectportal.firefox.com..User-Agent: Mozilla/5.0
#######

Conclusion

The article introduces ngrep, a packet sniffing tool that parses traffic using regular expressions. We discuss and cover all the basics to advance ngrep commands and options that facilitate network administrators in their day-to-day tasks.

About the author

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14