Tag Archives: network analysis

Using ngrep

From the man page, “ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump(8) and snoop(1).”

Perhaps the most significant difference between ngrep and tcpdump is that ngrep matches against packet payloads, whereas tcpdump only looks at packet headers.

ngrep is incredibly powerful and useful for finding out what’s happening on your network. The best way to show what ngrep can do and how it’s done is by example. See some below.

Watching all traffic on the default interface:

ngrep -itq -W byline

Watching all traffic on eth1:

ngrep -d eth1 -itq -W byline

Watching all traffic on the default interface while searching for the string “testing”.

ngrep -itq -W byline testing

Watching all traffic on the default interface originating from 192.168.1.1:

ngrep -itq -W byline src 192.168.1.1

Watching all traffic on the default interface destined for 192.168.1.2:

ngrep -itq -W byline dst 192.168.1.2

Watching all traffic on the default interface with the gateway of 192.168.1.100:

ngrep -itq -W byline gateway 192.168.1.100

See more examples at http://ngrep.sourceforge.net/usage.html

Also check the man page for many more neat possibilities.

Using tcpdump

tcpdump is an advanced command-line packet sniffer. It is another one of those standard Unix utilities that really comes in handy when troubleshooting network issues (it has greatly helped me many times), and it can teach you a good bit about how networking works.

tcpdump is installed on most Unix machines. If not, you can easily get it using the system’s package manager (e.g. up2date tcpdump, yum install tcpdump, or apt-get install tcpdump).

Also, you’ll probably need to be the root user when running tcpdump.

From the man page: “Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression.”

Here, we’ll go over some basic operations and briefly explain them.

The most simple operation is probably:

tcpdump -i eth0

Here the -i argument specifies the interface to listen on, which in this case is eth0. This type of capture is very broad and basically says, “report all traffic passing through eth0.” So using tcpdump like this we can see everything on all ports going to or from our local machine on eth0.

That’s pretty nice but to make tcpdump really useful, we need more:

tcpdump -i eth0 host hostname.domain.com

With the above line, we can see the same traffic but filtered by host. In this case we’d be seeing traffic to and from hostname.domain.com on all ports of eth0. You can use IP addresses instead of host names as well.

But what if we’re only interested in one port? Then:

tcpdump -i eth0 host hostname.domain.com and port 21

or

tcpdump -i eth0 host hostname.domain.com and port ftp

But what if we’re interested in all ports except one port?! Then:

tcpdump -i eth0 host hostname.domain.com and not port 22

The above line might be useful if you are ssh’d into a machine you want to see traffic on — the ssh traffic would really muddy the output unless you filtered it out.

You can also get even more fine-grained and fancy by doing something like

tcpdump -i eth0 src host hostname.domain.com and dst host2.domain.com and port 21

As you probably guessed, src means observe data sent from the specified node and dst means observe data received by the specified node.

In troubleshooting, it’s often helpful to see the link-level headers, which include the MAC addresses of the hosts in the conversation (-e argument). I usually also set the verbosity to -v or -vv (-vv gives even more verbosity). So a line with those options might look like this:

tcpdump -vv -e -i eth0 host hostname.domain.com

Sometimes, you will need to save the output of tcpdump to a file. This is easy, since tcpdump writes to standard output and the usual Unix redirections and pipes apply:

tcpdump -i eth0 host hostname.domain.com > filename

You can use grep as well:

tcpdump -i eth0 host hostname.domain.com | grep expression > filename
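Once tcpdump’s text output has been saved to a file as above, it is often worth summarising it rather than reading it line by line. The following is an added example, not code from the original post or from the tcpdump project: it parses the one-line-per-packet format tcpdump prints for IPv4 TCP and UDP (the -n numeric form is assumed, so hosts and ports are numbers; -e and -v change the layout and are not handled), aggregates packets and bytes per flow with the same “skip port 22” filtering as `and not port 22`, and lists SYNs that never got a SYN/ACK back, which is the usual first thing to look for when a connection “just hangs”. The sample lines are constructed.

```python
"""Summarise saved tcpdump text output (tcpdump -n -i eth0 ... > filename).

Added example, not part of the original post or of tcpdump.  Assumes the
default tcpdump line layout with -n (numeric hosts/ports) and no -e/-v.
"""
import re
from collections import defaultdict

# 12:00:01.000123 IP 192.168.1.1.51234 > 192.168.1.2.21: Flags [S], seq 100, win 65535, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>.+)\.(?P<sport>[\w-]+) > (?P<dst>.+)\.(?P<dport>[\w-]+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")
LENGTH_RE = re.compile(r"length (\d+)")

# Constructed sample: one FTP handshake, some ssh noise, two unanswered SYNs to port 25, one DNS reply.
SAMPLE_OUTPUT = """\
12:00:01.000123 IP 192.168.1.1.51234 > 192.168.1.2.21: Flags [S], seq 100, win 65535, length 0
12:00:01.000456 IP 192.168.1.2.21 > 192.168.1.1.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
12:00:01.000789 IP 192.168.1.1.51234 > 192.168.1.2.21: Flags [.], ack 201, win 65535, length 0
12:00:02.000000 IP 192.168.1.1.40000 > 192.168.1.2.22: Flags [P.], seq 1:50, ack 1, win 1024, length 49
12:00:03.000000 IP 192.168.1.1.40001 > 192.168.1.2.25: Flags [S], seq 300, win 65535, length 0
12:00:04.000000 IP 192.168.1.1.40001 > 192.168.1.2.25: Flags [S], seq 300, win 65535, length 0
12:00:05.000000 IP 192.168.1.5.53 > 192.168.1.1.33333: UDP, length 80
"""


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not an IPv4 TCP/UDP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    fm = FLAGS_RE.search(rec["rest"])
    rec["proto"] = "tcp" if fm else ("udp" if rec["rest"].startswith("UDP") else "other")
    rec["flags"] = fm.group(1) if fm else ""
    lm = LENGTH_RE.search(rec["rest"])
    rec["length"] = int(lm.group(1)) if lm else 0
    return rec


def summarise(text, exclude_ports=()):
    """Aggregate packets and bytes per (src, sport, dst, dport) flow, skipping any
    flow that touches a port in exclude_ports (like `and not port 22`)."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    exclude = {str(p) for p in exclude_ports}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["sport"] in exclude or rec["dport"] in exclude:
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += rec["length"]
    return dict(flows)


def unanswered_syns(text):
    """Return (client, cport, server, sport) tuples for SYNs with no SYN/ACK in reply.
    Repeated SYNs with no answer usually mean a filtered/closed port or a routing problem."""
    syns, synacks = set(), set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["flags"] == "S":
            syns.add((rec["src"], rec["sport"], rec["dst"], rec["dport"]))
        elif rec["flags"] == "S.":
            # flip direction so the SYN/ACK keys on the same client-side tuple as the SYN
            synacks.add((rec["dst"], rec["dport"], rec["src"], rec["sport"]))
    return sorted(syns - synacks)


if __name__ == "__main__":
    for key, stats in sorted(summarise(SAMPLE_OUTPUT, exclude_ports=(22,)).items()):
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {stats['packets']} pkts  {stats['bytes']} bytes")
    for client, cport, server, sport in unanswered_syns(SAMPLE_OUTPUT):
        print(f"no SYN/ACK: {client}:{cport} -> {server}:{sport}")
```

Feed it a real file with `summarise(open("filename").read(), exclude_ports=(22,))`; lines tcpdump prints for ARP, IPv6 or with -e are simply skipped by `parse_line`.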

Using the -w argument is another way of writing output to a file: it saves the raw packets in pcap format, which tcpdump can read back later with -r.

Hopefully that is a good start. There are many more options and uses for this outstanding networking staple. Experiment and check the man page to see lots of other really cool stuff.

The tcpdump man page and http://www.hep.ucl.ac.uk/~ytl/monitoring/tcpdump_01.html were used as reference for writing this article.

Note: tcpdump only displays packet headers and traffic summaries. To see packet payloads, try tcpflow or wireshark.
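A saved `tcpdump -w` capture can also be searched for payloads after the fact, which is the same job ngrep does live in the examples in the first post (a regular expression plus bpf-style src/dst restrictions). The script below is an added example, not code from ngrep, tcpdump or the original post: it hand-parses the classic pcap format for Ethernet/IPv4 TCP and UDP records and reports the packets whose payload matches a pattern. The capture it searches is constructed inline so it runs offline; the host names, ports and payloads are made up.

```python
"""Offline ngrep-style payload search over a pcap file written by `tcpdump -w`.

Added example, not code from ngrep or tcpdump.  Handles only Ethernet/IPv4
TCP and UDP; the capture below is constructed so the script runs offline.
"""
import re
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-timestamp pcap magic
PCAP_MAGIC_NS = 0xA1B23C4D     # nanosecond variant
ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_frame(src, dst, sport, dport, payload, proto=IPPROTO_TCP):
    """Construct an Ethernet/IPv4/TCP (or UDP) frame carrying payload.
    Checksums stay zero: this is sample data, not wire-valid traffic."""
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset 5 words (20 bytes), flags PSH|ACK, win, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETH_P_IP)
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Wrap raw frames in a little-endian pcap file image, as `tcpdump -w` writes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield (src, dst, proto, sport, dport, payload) for every IPv4 TCP/UDP record."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic in (PCAP_MAGIC, PCAP_MAGIC_NS) else ">"
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        frame = data[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
            continue                                  # ARP, IPv6, ...: skip
        ihl = (frame[14] & 0x0F) * 4
        ip_total, = struct.unpack_from("!H", frame, 16)
        proto = frame[14 + 9]
        src = socket.inet_ntoa(frame[14 + 12: 14 + 16])
        dst = socket.inet_ntoa(frame[14 + 16: 14 + 20])
        l4 = 14 + ihl
        if proto == IPPROTO_TCP:
            hdr_len = (frame[l4 + 12] >> 4) * 4     # TCP data offset, in 32-bit words
        elif proto == IPPROTO_UDP:
            hdr_len = 8
        else:
            continue                                  # ICMP etc.: no ports/payload handled here
        sport, dport = struct.unpack_from("!HH", frame, l4)
        # bound by the IP total length so Ethernet padding is not taken as payload
        yield src, dst, proto, sport, dport, frame[l4 + hdr_len: 14 + ip_total]


def payload_grep(data, pattern, src=None, dst=None):
    """ngrep-style search: packets whose payload matches pattern, optionally
    limited to a source and/or destination host (the bpf src/dst primitives)."""
    if isinstance(pattern, str):
        pattern = pattern.encode()
    rx = re.compile(pattern)
    hits = []
    for s, d, _proto, sp, dp, payload in iter_packets(data):
        if (src and s != src) or (dst and d != dst):
            continue
        if rx.search(payload):
            hits.append((s, sp, d, dp, payload))
    return hits


# Constructed sample capture: one HTTP request/response pair and one UDP datagram.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.1", "192.168.1.2", 51234, 80,
                b"GET /login HTTP/1.1\r\nHost: testing.example\r\n\r\n"),
    build_frame("192.168.1.2", "192.168.1.1", 80, 51234,
                b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    build_frame("192.168.1.3", "192.168.1.2", 5353, 5353, b"testing udp", proto=IPPROTO_UDP),
])

if __name__ == "__main__":
    # Same idea as: ngrep -W byline -I capture.pcap testing src 192.168.1.1
    for s, sp, d, dp, payload in payload_grep(SAMPLE_PCAP, "testing", src="192.168.1.1"):
        print(f"{s}:{sp} -> {d}:{dp}")
        print(payload.decode("ascii", "replace"))
```

To run it against a real capture, pass `open("capture.pcap", "rb").read()` to `payload_grep` instead of `SAMPLE_PCAP`; ngrep itself can do the same against a saved file with its -I option.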