Aug 05 2009

If you are a *NIX person, you are probably aware of how useful the grep utility is. grep filters specific text entries from inputs such as a file or console/terminal output. ngrep is a free tool that, in simple words, is grep for network traffic: it lets you filter for specific traffic patterns on any or all interfaces and ports.

ngrep runs on Windows, *NIX, Solaris, MacOS, Free/OpenBSD and many more systems. On Windows, ngrep relies on WinPcap and can also run against packet captures saved by other WinPcap-based tools such as Ethereal/Wireshark. ngrep currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands basic packet filtering logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

Install ngrep in Windows

“ngrep” works in Windows Vista, Windows XP, Windows 2003 and earlier versions. To install and use ngrep on Windows, we first need to install WinPcap, as ngrep relies on it.

Click here to download and install WinPcap on Windows.

Click here to download the ngrep utility. Download and extract the ngrep.exe file onto your system and run it as an Administrator from a DOS window.

ngrep defaults to the first network interface in the device index, which is not necessarily the interface your traffic passes through. Hence it is important to list the devices in the index with the “-L” option, as follows:

c:\>ngrep.exe -L
idx     dev
---     ---
1:     \Device\NPF_{DDF48BE3-7C70-4583-A809-C11BEBAEB28F} (MS Tunnel Interface Driver)
2:     \Device\NPF_{323FCC86-1FD0-4F23-88EA-E5705DB7D8F0} (Microsoft)
3:     \Device\NPF_{D370EC51-A820-40DA-93E8-AFA854A2AC1B} (Microsoft)
4:     \Device\NPF_{444BE71F-C26C-40D4-8995-721405255893} (Marvell Yukon Ethernet Controller.)
5:     \Device\NPF_{671FC4D9-A8B6-4A7B-A1E1-096D498971A1} (VMware Virtual Ethernet Adapter)
6:     \Device\NPF_{53692B2C-BD05-42C0-BDA6-D68CD25BA1FB} (VMware Virtual Ethernet Adapter)
exit

Here, my network interface where I connect to the LAN is “4”.

For a simple capture of all HTTP traffic (TCP port 80) on this interface:

c:\>ngrep -d 4  port 80
interface: \Device\NPF_{444BE71F-C26C-40D4-8995-721405255893} (192.168.0.0/255.255.255.0)
filter: (ip or ip6) and ( port 80 )
exit
0 received, 0 dropped

Now, if you want to filter for web traffic on this interface that contains a specific text (say WINDOWS), the following would do:

c:\>ngrep -d 4 "WINDOWS" port 80
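The two steps above (find the right adapter index with -L, then run a capture with a match expression and a BPF filter) are easy to script. The following Python script is an added example, not part of the original post or of ngrep itself: it parses the ngrep -L listing to pick an adapter by its description instead of hard-coding the index, refuses to guess when the description is ambiguous, and builds the ngrep command line in the argument order ngrep's usage requires. The sample listing is constructed from the output shown above; the function names (parse_device_list, find_device_index, build_ngrep_args) and the "Marvell" keyword are my own choices for illustration.

```python
import re
import subprocess
from typing import Optional

# Constructed sample: the "ngrep -L" listing shown earlier on this page (trimmed).
SAMPLE_DEVICE_LIST = r"""idx     dev
---     ---
1:     \Device\NPF_{DDF48BE3-7C70-4583-A809-C11BEBAEB28F} (MS Tunnel Interface Driver)
4:     \Device\NPF_{444BE71F-C26C-40D4-8995-721405255893} (Marvell Yukon Ethernet Controller.)
5:     \Device\NPF_{671FC4D9-A8B6-4A7B-A1E1-096D498971A1} (VMware Virtual Ethernet Adapter)
6:     \Device\NPF_{53692B2C-BD05-42C0-BDA6-D68CD25BA1FB} (VMware Virtual Ethernet Adapter)
exit
"""

# One adapter line looks like: "<idx>:   \Device\NPF_{...} (<description>)"
DEVICE_LINE = re.compile(r"^\s*(\d+):\s+(\S+)\s+\((.*)\)\s*$")


def parse_device_list(text: str) -> list:
    """Return (index, device path, description) tuples for each adapter line."""
    devices = []
    for line in text.splitlines():
        m = DEVICE_LINE.match(line)
        if m:
            devices.append((int(m.group(1)), m.group(2), m.group(3)))
    return devices


def find_device_index(text: str, keyword: str) -> Optional[int]:
    """Pick the one adapter whose description contains keyword (case-insensitive).
    Returns None when no adapter or more than one adapter matches, so a script
    never silently captures on the wrong interface."""
    hits = [idx for idx, _, desc in parse_device_list(text) if keyword.lower() in desc.lower()]
    return hits[0] if len(hits) == 1 else None


def build_ngrep_args(device_index: int, match_expr: str, bpf_filter: str) -> list:
    """argv for ngrep: -q silences the hash marks, -i ignores case, -W byline keeps
    HTTP headers readable; the match expression must come before the BPF filter."""
    return (["ngrep.exe", "-d", str(device_index), "-q", "-i", "-W", "byline", match_expr]
            + bpf_filter.split())


if __name__ == "__main__":
    # Live use: read the real device list from ngrep, then start the capture.
    listing = subprocess.run(["ngrep.exe", "-L"], capture_output=True, text=True).stdout
    idx = find_device_index(listing, "Marvell")  # adapter keyword from this page's listing
    if idx is None:
        raise SystemExit("adapter not found or ambiguous; run 'ngrep.exe -L' and choose by hand")
    subprocess.run(build_ngrep_args(idx, "WINDOWS", "port 80"))
```

With the sample listing, "Marvell" resolves to index 4 while "VMware" yields None because two adapters carry that description.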

For more practical examples, click here to visit the project website.

For a list of options, run ngrep from the extracted directory with the “-h” option.

c:\>ngrep.exe -h
usage: ngrep <-LhNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
<-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
<-P char> <-F file> <match expression> <bpf filter>
-h  is help/usage
-V  is version information
-q  is be quiet (don’t print packet reception hash marks)
-e  is show empty packets
-i  is ignore case
-v  is invert match
-R  is don’t do privilege revocation logic
-x  is print in alternate hexdump format
-X  is interpret match expression as hexadecimal
-w  is word-regex (expression must match as a word)
-p  is don’t go into promiscuous mode
-l  is make stdout line buffered
-D  is replay pcap_dumps with their recorded time intervals
-t  is print timestamp every time a packet is matched
-T  is print delta timestamp every time a packet is matched
-M  is don’t do multi-line match (do single-line match instead)
-I  is read packet stream from pcap format file pcap_dump
-O  is dump matched packets in pcap format to pcap_dump
-n  is look at only num packets
-A  is dump num packets after a match
-s  is set the bpf caplen
-S  is set the limitlen on matched packets
-W  is set the dump format (normal, byline, single, none)
-c  is force the column width to the specified size
-P  is set the non-printable display char to what is specified
-F  is read the bpf filter from the specified file
-N  is show sub protocol number
-d  is use specified device (index) instead of the pcap default
-L  is show the winpcap device list index
