{"id":921,"date":"2010-07-31T15:25:29","date_gmt":"2010-07-31T14:25:29","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=921"},"modified":"2010-07-31T15:27:30","modified_gmt":"2010-07-31T14:27:30","slug":"using-network-grep-ngrep-exe-to-capture-traffic","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=921","title":{"rendered":"Using Network Grep (ngrep.exe) to Capture Traffic. (Filter on Payload!)"},"content":{"rendered":"<p>ngrep is a &#8220;network grep&#8221; utility that can be used to match regular expressions within network packet payloads. This is a very handy utility as many network analysers (&#8220;packet sniffers&#8221;) can examine the packet header, but either do not display or cannot filter based on packet payload.<!--more--><\/p>\n<p><span style=\"font-style: italic;\">ngrep<\/span> is available from <a href=\"http:\/\/ngrep.sourceforge.net\/\">http:\/\/ngrep.sourceforge.net\/<\/a>. The UNIX version requires <span style=\"font-style: italic;\">libpcap<\/span>, installed as part of <span style=\"font-style: italic;\">tcpdump<\/span> (<a href=\"http:\/\/www.tcpdump.org\/\">http:\/\/www.tcpdump.org\/<\/a>). The Windows version requires <a href=\"http:\/\/winpcap.polito.it\/\">WinPcap<\/a>.<\/p>\n<p><strong>Quick Example:<\/strong><\/p>\n<p>1. 
LIST INTERFACES:\u00a0 (or, show the winpcap device list index)<\/p>\n<p>C:\\desktop\\ngrep\\Release&gt;ngrep -L<br \/>\nidx\u00a0\u00a0\u00a0\u00a0 dev<br \/>\n&#8212;\u00a0\u00a0\u00a0\u00a0 &#8212;<br \/>\n1:\u00a0\u00a0\u00a0\u00a0 \\Device\\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)<br \/>\n2:\u00a0\u00a0\u00a0\u00a0 \\Device\\NPF_{A8E544C2-31CB-4957-8C56-B0C814481170} (Vigor540 Wireless LAN Adapter (Microsoft&#8217;s Packet Scheduler) )<br \/>\n3:\u00a0\u00a0\u00a0\u00a0 \\Device\\NPF_{8C388944-83DB-46F7-879B-C6D05D50BB55} (SiS NIC SISNIC (Microsoft&#8217;s Packet Scheduler) )<br \/>\n4:\u00a0\u00a0\u00a0\u00a0 \\Device\\NPF_{24A8FB22-81F4-489A-875E-229E7CAF928C} (MS Tunnel InterfaceDriver)<br \/>\nexit<\/p>\n<p>C:\\desktop\\ngrep\\-bin\\Release&gt;<\/p>\n<p>2. SIMPLE CAPTURE OF HTTP (port 80) TRAFFIC with &#8220;Cisco&#8221; in the text:<\/p>\n<p>C:\\desktop\\ngrep\\Release&gt;ngrep -d 2 &#8220;Cisco&#8221; port 80 interface: \\Device\\NPF_{A8E544C2-31CB-4957-8C56-B0C814481170} (10.10.0.0\/255.255<br \/>\n.0.0)<br \/>\nfilter: (ip or ip6) and ( port 80 )<br \/>\n#################exit<br \/>\n20 received, 0 dropped<\/p>\n<p>(Ctrl-C)<\/p>\n<p>C:\\desktop\\ngrep\\Release&gt;<\/p>\n<p>By default, ngrep outputs a hash (#) for every packet it receives.\u00a0 This may be suppressed with the -q argument.<\/p>\n<p>Another parameter, &#8220;-W byline&#8221;, formats the output into legible text.\u00a0 Options for -W are: normal, byline, single, none.<\/p>\n<p>ngrep -d 2 -q -W byline &#8220;Cisco&#8221; port 80<\/p>\n<p>C:\\desktop\\ngrep\\Release&gt;ngrep -d 2 -q -W byline &#8220;Cisco&#8221; port 80<\/p>\n<p>interface: \\Device\\NPF_{A8E544C2-31CB-4957-8C56-B0C814481170} (10.10.0.0\/255.255<br \/>\n.0.0)<br \/>\nfilter: (ip or ip6) and ( port 80 )<br \/>\nmatch: Cisco<\/p>\n<p>T 10.10.0.100:1953 -&gt; 88.221.208.170:80 [A]<br \/>\nGET 
\/swa\/j\/zag2_vs_log1.asc?Log=1&amp;link=http%3A\/\/www.cisco.com\/en\/US\/netsol\/ns100<br \/>\n7\/&amp;lpos=N1&amp;linktext=Collaboration&amp;title=Cisco%20Systems,%20Inc&amp;basepage=http:\/\/w<br \/>\nww.cisco.com\/&amp;eventtype=click&amp;cb=1273908654832 HTTP\/1.1.<br \/>\nHost: www.cisco.com.<br \/>\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.3) Gecko\/20<br \/>\n100401 Firefox\/3.6.3.<br \/>\nAccept: image\/png,image\/*;q=0.8,*\/*;q=0.5.<br \/>\nAccept-Language: en-gb,en;q=0.5.<br \/>\nAccept-Encoding: gzip,deflate.<br \/>\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7.<br \/>\nKeep-Alive: 115.<br \/>\nConnection: keep-alive.<br \/>\nReferer: http:\/\/www.cisco.com\/.<br \/>\nCookie: CP_GUTC=80.42.17.87.1257352846721777; trackEvent={&#8216;prevacct&#8217;:&#8217;cisco-us,c<br \/>\nisco-ussolenterprise&#8217;,&#8217;accesslevel&#8217;:&#8217;guest&#8217;,&#8217;ts&#8217;:&#8217;1273863082299&#8242;}; SMIDENTITY=G+<br \/>\nLfDvpE+aBEix5gmn\/uRgvufIB5SETOMAY3kC3s7jBgE8kqpeqvIHmPXb+mlTwFmKZ+OvGHbza7\/x3EJQ<br \/>\nF5HnCnxpeYYNAoWZqQbje0sb1EzyCZ+B5dqynnn7fxLwJcc94nKwfvnEC6pRuSJzJlg\/qcs1Lmk5KYqX<br \/>\nQjObCCCE1zENdqLR5nZ2sirW35iOOiRK9ULKH8ZNViSy\/KjzIpoeu6604ldAaiUwp25HbE2iFJGEyNRz<br \/>\nojk4fNI8PQvUwZXx0lkjTRB9sw1MtmwlJl20ZdP2+dz9gEwf8tKxv59hU96qxLFyi03TXsT0EdpMlw29<br \/>\nPi3q3kXvJrljszOcnthXu5UmEjI1iJDIWHLgWl\/XrKL+OJZ+7N8s0fSb5OpnToDsF5wLgUKpq7mOq8tG<br \/>\nEjKBu2d9voy2YVKfiEJAlZ0nPaJYeXMeDIIgpzap\/wd20XlsmpYNMFuybG2BhYF2N0gAMcoTx69G9VrX<br \/>\n8LZPI+CbIE488CnDH988WTB1LNFkdN\/ReXYU7arWtrtcbHqhEqZ4<\/p>\n<p>&lt;!&#8211; ***End Language Selector*** &#8211;&gt;<br \/>\n&lt;!&#8211; ***END REGION NAME AND LANGUAGE*** &#8211;&gt;<\/p>\n<p>&lt;!&#8211; ***ENTITLEMENT*** &#8211;&gt;<br \/>\n&lt;!&#8211; ***Guest Secondary Nav*** &#8211;&gt;<br \/>\n&lt;a href=&#8221;http:\/\/www.cisco.com\/cgi-bin\/login&#8221;&gt;Log I<br \/>\nn&lt;\/A&gt;<br \/>\n&lt;span&gt;|&lt;\/SPAN&gt;&lt;a href=&#8221;http:\/\/tools.cisco<br 
\/>\n.com\/RPF\/register\/register.do&#8221;&gt;Register&lt;\/A&gt;<br \/>\n&lt;span&gt;|&lt;\/SPAN&gt;<\/p>\n<p>&lt;!<br \/>\n&lt;div&gt;<br \/>\n&lt;a name=&#8221;search&#8221;&gt;&lt;\/A&gt;<br \/>\n&lt;form method=&#8221;get&#8221; action=&#8221;\/pcgi-bin\/search\/search.pl&#8221; name=&#8221;sit<br \/>\newidesearch&#8221;&gt;<br \/>\n&lt;input onfocus=&#8221;checkClear(this,&#8217;Search &#8216;)&#8221; value=&#8221;Search &#8221; id=&#8221;<br \/>\nsearchPhrase&#8221; name=&#8221;searchPhrase&#8221; type=&#8221;text&#8221; tabindex=&#8221;1&#8243; \/&gt;&lt;input src=&#8221;http:\/\/<br \/>\nwww.cisco.com\/web\/fw\/i\/btn_go.gif&#8221; id=&#8221;go&#8221; alt=&#8221;Go&#8221; type=&#8221;image&#8221;\u00a0 tabindex=&#8221;2&#8243; \/<br \/>\n&gt;&lt;br \/&gt;<\/p>\n<p>(Ctrl-C)<\/p>\n<p>C:\\desktop\\ngrep\\Release&gt;ngrep -d 2 -q -W byline &#8220;Cisco&#8221; port 80<br \/>\ninterface: \\Device\\NPF_{A8E544C2-31CB-4957-8C56-B0C814481170} (10.10.0.0\/255.255<br \/>\n.0.0)<br \/>\nfilter: (ip or ip6) and ( port 80 )<br \/>\nmatch: Cisco<\/p>\n<p>T 10.10.0.100:1977 -&gt; 88.221.208.170:80 [A]<br \/>\nGET \/now\/poweredby\/flashtag.txt?Log=1&amp;vs_imgsrc=&amp;vs_linktext=Business%20Video&amp;vs<br \/>\n_linkname=&amp;vs_event=click&amp;vs_title=Collaboration%20-%20Cisco%20Systems&amp;vs_basepa<br \/>\nge=http:\/\/www.cisco.com\/en\/US\/netsol\/ns1007\/&amp;cb=1273908693869 HTTP\/1.1.<br \/>\nHost: www.cisco.com.<br \/>\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.3) Gecko\/20<br \/>\n100401 Firefox\/3.6.3.<br \/>\nAccept: image\/png,image\/*;q=0.8,*\/*;q=0.5.<br \/>\nAccept-Language: en-gb,en;q=0.5.<br \/>\nAccept-Encoding: gzip,deflate.<br \/>\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7.<br \/>\nKeep-Alive: 115.<br \/>\nConnection: keep-alive.<br \/>\nReferer: http:\/\/www.cisco.com\/en\/US\/netsol\/ns1007\/.<br \/>\nCookie: CP_GUTC=80.42.17.87.1257352846721777; trackEvent={&#8216;prevacct&#8217;:&#8217;cisco-us&#8217;,<br 
\/>\n&#8216;accesslevel&#8217;:&#8217;guest&#8217;,&#8217;ts&#8217;:&#8217;1273908659895&#8242;}; SMIDENTITY=G+LfDvpE+aBEix5gmn\/uRgvu<br \/>\nfIB5SETOMAY3kC3s7jBgE8kqpeqvIHmPXb+mlTwFmKZ+OvGHbza7\/x3EJQF5HnCnxpeYYNAoWZqQbje0<br \/>\nsb1EzyCZ+B5dqynnn7fxLwJcc94nKwfvnEC6pRuSJzJlg\/qcs1Lmk5KYqXQjObCCCE1zENdqLR5nZ2si<br \/>\nrW35iOOiRK9ULKH8ZNViSy\/KjzIpoeu6604ldAaiUwp25HbE2iFJGEyNRzojk4fNI8PQvUwZXx0lkjTR<br \/>\nB9sw1MtmwlJl20ZdP2+dz9gEwf8tKxv59hU96qxLFyi03TXsT0EdpMlw29Pi3q3kXvJrljszOcnthXu5<br \/>\nUmEjI1iJDIWHLgWl\/XrKL+OJZ+7N8s0fSb5OpnToDsF5wLgUKpq7mOq8tGEjKBu2d9voy2YVKfiEJAlZ<br \/>\n0nPaJYeXMeDIIgpzap\/wd20XlsmpYNMFuybG2BhYF2N0gAMcoTx69G9VrX8LZPI+CbIE488CnDH988WT<br \/>\nB1LNFkdN\/ReXYU7ar<\/p>\n<p>(Ctrl-C)<\/p>\n<p>C:\\Documents and Settings\\Daren Matthews\\My Documents\\downloads\\ngrep-1.45-win32<br \/>\n-bin\\Release&gt;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ngrep is a &#8220;network grep&#8221; utility that can be used to match regular expressions within network packet payloads. 
This is a very handy utility as many network analysers (&#8220;packet sniffers&#8221;) can examine the packet header, but either do not display or cannot filter based on packet payload.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[84,10,18],"tags":[4],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/921"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=921"}],"version-history":[{"count":2,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/921\/revisions"}],"predecessor-version":[{"id":972,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/921\/revisions\/972"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=921"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}