
Using Network Grep (ngrep.exe) to Capture Traffic. (Filter on Payload!)

July 31st, 2010

ngrep is a “network grep” utility that can be used to match regular expressions within network packet payloads. This is a very handy utility as many network analysers (“packet sniffers”) can examine the packet header, but either do not display or cannot filter based on packet payload.

ngrep is available from http://ngrep.sourceforge.net/. The UNIX version requires libpcap, installed as part of tcpdump (http://www.tcpdump.org/). The Windows version requires WinPcap.

Quick Example:

1. LIST INTERFACES:  (or, show the winpcap device list index)

C:\desktop\ngrep\Release>ngrep -L
idx     dev
---     ---
1:     \Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2:     \Device\NPF_{A8E544C2-31CB-4957-8C56-B0C814481170} (Vigor540 Wireless LAN Adapter (Microsoft’s Packet Scheduler) )
3:     \Device\NPF_{8C388944-83DB-46F7-879B-C6D05D50BB55} (SiS NIC SISNIC (Microsoft’s Packet Scheduler) )
4:     \Device\NPF_{24A8FB22-81F4-489A-875E-229E7CAF928C} (MS Tunnel InterfaceDriver)
exit

C:\desktop\ngrep\-bin\Release>

2. SIMPLE CAPTURE OF HTTP (port 80) TRAFFIC with “Cisco” in the text:

C:\desktop\ngrep\Release>ngrep -d 2 "Cisco" port 80
interface: \Device\NPF_{A8E544C2-31CB-4957-8C56-B0C814481170} (10.10.0.0/255.255.0.0)
filter: (ip or ip6) and ( port 80 )
#################exit
20 received, 0 dropped

(Ctrl-C)

C:\desktop\ngrep\Release>

By default ngrep outputs a hash (#) for every packet it receives. This may be suppressed with the -q argument.

Another parameter, "-W byline", formats the output into legible text. The options for -W are: normal, byline, single, none.

ngrep -d 2 -q -W byline "Cisco" port 80

C:\desktop\ngrep\Release>ngrep -d 2 -q -W byline "Cisco" port 80

interface: \Device\NPF_{A8E544C2-31CB-4957-8C56-B0C814481170} (10.10.0.0/255.255.0.0)
filter: (ip or ip6) and ( port 80 )
match: Cisco

T 10.10.0.100:1953 -> 88.221.208.170:80 [A]
GET /swa/j/zag2_vs_log1.asc?Log=1&link=http%3A//www.cisco.com/en/US/netsol/ns100
7/&lpos=N1&linktext=Collaboration&title=Cisco%20Systems,%20Inc&basepage=http://w
ww.cisco.com/&eventtype=click&cb=1273908654832 HTTP/1.1.
Host: www.cisco.com.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.3) Gecko/20
100401 Firefox/3.6.3.
Accept: image/png,image/*;q=0.8,*/*;q=0.5.
Accept-Language: en-gb,en;q=0.5.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 115.
Connection: keep-alive.
Referer: http://www.cisco.com/.
Cookie: CP_GUTC=80.42.17.87.1257352846721777; trackEvent={'prevacct':'cisco-us,c
isco-ussolenterprise','accesslevel':'guest','ts':'1273863082299'}; SMIDENTITY=G+
LfDvpE+aBEix5gmn/uRgvufIB5SETOMAY3kC3s7jBgE8kqpeqvIHmPXb+mlTwFmKZ+OvGHbza7/x3EJQ
F5HnCnxpeYYNAoWZqQbje0sb1EzyCZ+B5dqynnn7fxLwJcc94nKwfvnEC6pRuSJzJlg/qcs1Lmk5KYqX
QjObCCCE1zENdqLR5nZ2sirW35iOOiRK9ULKH8ZNViSy/KjzIpoeu6604ldAaiUwp25HbE2iFJGEyNRz
ojk4fNI8PQvUwZXx0lkjTRB9sw1MtmwlJl20ZdP2+dz9gEwf8tKxv59hU96qxLFyi03TXsT0EdpMlw29
Pi3q3kXvJrljszOcnthXu5UmEjI1iJDIWHLgWl/XrKL+OJZ+7N8s0fSb5OpnToDsF5wLgUKpq7mOq8tG
EjKBu2d9voy2YVKfiEJAlZ0nPaJYeXMeDIIgpzap/wd20XlsmpYNMFuybG2BhYF2N0gAMcoTx69G9VrX
8LZPI+CbIE488CnDH988WTB1LNFkdN/ReXYU7arWtrtcbHqhEqZ4

<!-- ***End Language Selector*** -->
<!-- ***END REGION NAME AND LANGUAGE*** -->

<!-- ***ENTITLEMENT*** -->
<!-- ***Guest Secondary Nav*** -->
<a href="http://www.cisco.com/cgi-bin/login">Log In</A>
<span>|</SPAN><a href="http://tools.cisco.com/RPF/register/register.do">Register</A>
<span>|</SPAN>

<!
<div>
<a name="search"></A>
<form method="get" action="/pcgi-bin/search/search.pl" name="sitewidesearch">
<input onfocus="checkClear(this,'Search ')" value="Search " id="searchPhrase" name="searchPhrase" type="text" tabindex="1" /><input src="http://www.cisco.com/web/fw/i/btn_go.gif" id="go" alt="Go" type="image"  tabindex="2" /><br />

(Ctrl-C)

C:\desktop\ngrep\Release>ngrep -d 2 -q -W byline "Cisco" port 80
interface: \Device\NPF_{A8E544C2-31CB-4957-8C56-B0C814481170} (10.10.0.0/255.255.0.0)
filter: (ip or ip6) and ( port 80 )
match: Cisco

T 10.10.0.100:1977 -> 88.221.208.170:80 [A]
GET /now/poweredby/flashtag.txt?Log=1&vs_imgsrc=&vs_linktext=Business%20Video&vs
_linkname=&vs_event=click&vs_title=Collaboration%20-%20Cisco%20Systems&vs_basepa
ge=http://www.cisco.com/en/US/netsol/ns1007/&cb=1273908693869 HTTP/1.1.
Host: www.cisco.com.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.3) Gecko/20
100401 Firefox/3.6.3.
Accept: image/png,image/*;q=0.8,*/*;q=0.5.
Accept-Language: en-gb,en;q=0.5.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 115.
Connection: keep-alive.
Referer: http://www.cisco.com/en/US/netsol/ns1007/.
Cookie: CP_GUTC=80.42.17.87.1257352846721777; trackEvent={'prevacct':'cisco-us',
'accesslevel':'guest','ts':'1273908659895'}; SMIDENTITY=G+LfDvpE+aBEix5gmn/uRgvu
fIB5SETOMAY3kC3s7jBgE8kqpeqvIHmPXb+mlTwFmKZ+OvGHbza7/x3EJQF5HnCnxpeYYNAoWZqQbje0
sb1EzyCZ+B5dqynnn7fxLwJcc94nKwfvnEC6pRuSJzJlg/qcs1Lmk5KYqXQjObCCCE1zENdqLR5nZ2si
rW35iOOiRK9ULKH8ZNViSy/KjzIpoeu6604ldAaiUwp25HbE2iFJGEyNRzojk4fNI8PQvUwZXx0lkjTR
B9sw1MtmwlJl20ZdP2+dz9gEwf8tKxv59hU96qxLFyi03TXsT0EdpMlw29Pi3q3kXvJrljszOcnthXu5
UmEjI1iJDIWHLgWl/XrKL+OJZ+7N8s0fSb5OpnToDsF5wLgUKpq7mOq8tGEjKBu2d9voy2YVKfiEJAlZ
0nPaJYeXMeDIIgpzap/wd20XlsmpYNMFuybG2BhYF2N0gAMcoTx69G9VrX8LZPI+CbIE488CnDH988WT
B1LNFkdN/ReXYU7ar

(Ctrl-C)

C:\Documents and Settings\Daren Matthews\My Documents\downloads\ngrep-1.45-win32
-bin\Release>
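To make the three pieces of the captures above concrete (the BPF "port 80" filter that the kernel applies first, the regex that ngrep then runs over the raw payload, and the -q / -W options that shape the output), here is a small Python model of that pipeline. It is an added example written for this page, not ngrep's own code and not the post author's; the packets are constructed samples, not real captures, and the single and normal modes are rendered identically because terminal wrapping is not modelled. It also shows why every header line in the byline output above ends with a "." (that dot is the carriage return of CRLF, rendered as a non-printable), and adds a defender's check that ngrep makes easy in practice: listing cleartext HTTP requests that carry a session cookie, as the SMIDENTITY cookie is carried in the captures.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal view of a TCP segment as libpcap/WinPcap would hand it to ngrep."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic (not a real capture): two HTTP requests, one
# DNS-like packet on port 53, and one HTTP response.
SAMPLE_PACKETS = [
    Packet("10.10.0.100", 1953, "88.221.208.170", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.cisco.com\r\n"
           b"Cookie: SMIDENTITY=EXAMPLETOKEN\r\n\r\n"),
    Packet("10.10.0.100", 1954, "10.10.0.1", 53,
           b"\x12\x34\x01\x00\x00\x01cisco\x00"),      # not port 80: BPF drops it
    Packet("10.10.0.100", 1955, "93.184.216.34", 80,
           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet("88.221.208.170", 80, "10.10.0.100", 1953,
           b"HTTP/1.1 200 OK\r\nServer: Cisco-Web\r\n\r\n<html>"),
]


def bpf_port_filter(pkt, port):
    """Equivalent of the BPF expression 'port N': either endpoint uses the port."""
    return pkt.sport == port or pkt.dport == port


def payload_matches(payload, pattern, ignore_case=False):
    """ngrep runs the regex over the raw payload bytes (-i makes it case-insensitive)."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern.encode(), payload, flags) is not None


def render_payload(payload, mode):
    """Model of the -W modes.
    normal/single: every non-printable byte, CR and LF included, becomes '.'.
    byline:        LF ends the output line; every other non-printable (CR too)
                   becomes '.', which is why HTTP header lines end in '.'.
    none:          bytes are passed through untouched."""
    if mode == "none":
        return payload.decode("latin-1")
    out = []
    for b in payload:
        if mode == "byline" and b == 0x0A:
            out.append("\n")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(".")
    return "".join(out)


def ngrep_like(packets, pattern, port, mode="normal", quiet=False, ignore_case=False):
    """Walk the packets the way ngrep walks an interface.
    Returns (matches, progress): the rendered hits, and the string of '#'
    characters ngrep prints for each packet that passed the BPF filter,
    empty when -q is given."""
    matches = []
    progress = ""
    for pkt in packets:
        if not bpf_port_filter(pkt, port):
            continue                      # never reaches ngrep's regex stage
        if not quiet:
            progress += "#"
        if payload_matches(pkt.payload, pattern, ignore_case):
            header = f"T {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [A]"
            matches.append(header + "\n" + render_payload(pkt.payload, mode))
    return matches, progress


COOKIE_RE = re.compile(rb"Cookie: ([^\r\n]+)")


def cleartext_cookie_audit(packets):
    """Defender's use of the same idea: list port-80 requests carrying a Cookie
    header in the clear, the way the captures above expose SMIDENTITY."""
    findings = []
    for pkt in packets:
        if pkt.dport != 80:
            continue
        m = COOKIE_RE.search(pkt.payload)
        if m:
            findings.append(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                            f"{m.group(1).decode('latin-1')}")
    return findings


if __name__ == "__main__":
    # Same shape as: ngrep -d 2 -q -W byline "Cisco" port 80
    hits, _ = ngrep_like(SAMPLE_PACKETS, "Cisco", 80, mode="byline", quiet=True)
    for h in hits:
        print(h, end="\n\n")
    for line in cleartext_cookie_audit(SAMPLE_PACKETS):
        print("cleartext cookie:", line)
```

The case-sensitive "Cisco" pattern matches only the response's Server header in the sample set; passing ignore_case=True (ngrep's -i) also picks up the request whose Host header contains "www.cisco.com", which is the usual reason a first ngrep run on real traffic shows fewer hits than expected.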
