Friday, June 09, 2006

Ngrep - Network Traffic Monitoring

Constant monitoring and troubleshooting are key to maintaining a network's availability.

With ngrep, you can analyze network traffic in a manner similar
to that of other network sniffers. However, unlike its brethren,
ngrep can match regular expressions within the network packet payloads.
By using its advanced string matching capabilities, ngrep can look
for packets on specified ports and assist in tracking the usernames
and passwords zipping off the network, as well as all Telnet
attempts to the server.

Ngrep uses the libpcap library, and can also match hexadecimal
expressions against the captured network traffic. It supports
TCP, UDP, ICMP, IGMP, and Raw protocols across Ethernet,
PPP, SLIP, FDDI, Token Ring, 802.11, and null interfaces.
In addition to listening to live traffic, ngrep can also filter
previously saved tcpdump captures.

Author Jordan Ritter says that ngrep has traditionally been
used to debug plaintext protocol interactions such as
HTTP, SMTP, and FTP; to identify and analyze anomalous network
communications, such as those between worms, viruses, and
zombies; and to store, read, and reprocess pcap dump files
while looking for specific data patterns.

You can also use ngrep to do the more mundane plaintext
credential collection, as with HTTP basic authentication or
FTP or POP3 authentication. Like all tools, it can be useful
in the right hands and damaging if used by those with less
than admirable intentions.

Before installing the 400-odd KB utility, make sure you have
the libpcap library. If you use tcpdump, you have it.

I installed it through urpmi, though.


[root@localhost ~]# ngrep -d any port 25

interface: any
filter: (ip) and ( port 25 )
####
T 127.0.0.1:25 -> 127.0.0.1:1938 [AP]
220 localhost ESMTP Postfix (2.2.5) (Mandriva Linux)..
#
#
T 127.0.0.1:1938 -> 127.0.0.1:25 [AP]
quit..
##

T 127.0.0.1:25 -> 127.0.0.1:1938 [AP]
221 Bye..
######exit


This monitors all activity crossing source or destination
port 25 (SMTP).


[root@localhost ~]# ngrep -wi -d any 'user|pass' port 21
interface: any
filter: (ip) and ( port 21 )
match: ((^user|pass\W)|(\Wuser|pass$)|(\Wuser|pass\W))
########
T 202.41.9.99:21 -> 10.10.93.220:4472 [AP]
530 Please login with USER and PASS...
##
T 202.41.9.99:21 -> 10.10.93.220:4472 [AP]
530 Please login with USER and PASS...
##
T 10.10.93.220:4472 -> 202.41.9.99:21 [AP]
USER aaa..
###

T 10.10.93.220:4472 -> 202.41.9.99:21 [AP]
PASS aaa123..
######
T 202.41.9.99:21 -> 10.10.93.220:4472 [AP]
530 Please login with USER and PASS...
#######
exit
56 received, 0 dropped

This monitors any traffic crossing source or destination port 21 (FTP),
looking case-insensitively (-i) for the words ``user'' or ``pass'',
matched as word expressions (-w): the match term(s) must have
non-alphanumeric, delimiting characters surrounding them.
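As an added example (not part of the original post), a small Python script that parses ngrep's default output, such as the FTP session above, into packet records and flags the client-side USER/PASS commands, so an operator can spot plaintext FTP logins on their own network without echoing the password. The addresses and credentials in the embedded sample are constructed.

```python
import re
from collections import namedtuple

# Constructed sample of ngrep's default output, modelled on the FTP
# session above (addresses and credentials are made up).
SAMPLE = r"""filter: (ip) and ( port 21 )
match: ((^user|pass\W)|(\Wuser|pass$)|(\Wuser|pass\W))
########
T 203.0.113.9:21 -> 192.0.2.20:4472 [AP]
530 Please login with USER and PASS...
##
T 192.0.2.20:4472 -> 203.0.113.9:21 [AP]
USER alice..
###
T 192.0.2.20:4472 -> 203.0.113.9:21 [AP]
PASS s3cret..
######
56 received, 0 dropped
"""

# Per-packet header ngrep prints: 'T 1.2.3.4:21 -> 5.6.7.8:4472 [AP]'
HEADER = re.compile(r"^([TUI]) (\S+):(\d+) -> (\S+):(\d+) \[(\w*)\]$")
Packet = namedtuple("Packet", "proto src sport dst dport flags payload")

def parse_ngrep(text):
    """Turn ngrep's default output into Packet records; payload lines
    (non-printable bytes shown as '.') run until '#' markers, a blank
    line or the next header."""
    packets, hdr, body = [], None, []
    for line in text.splitlines() + [""]:   # sentinel flushes the last packet
        m = HEADER.match(line)
        if m or not line or line.startswith("#"):
            if hdr:
                packets.append(Packet(hdr[1], hdr[2], int(hdr[3]), hdr[4],
                                      int(hdr[5]), hdr[6], "".join(body)))
            hdr, body = m, []
        elif hdr:
            body.append(line)
    return packets

def plaintext_ftp_logins(packets):
    """Flag client->server FTP packets carrying USER or PASS; the
    password value itself is never echoed."""
    findings = []
    for p in packets:
        cmd, _, arg = p.payload.rstrip(".").partition(" ")
        if p.proto == "T" and p.dport == 21 and cmd.upper() in ("USER", "PASS"):
            shown = arg if cmd.upper() == "USER" else "<redacted>"
            findings.append((p.src, p.dst, cmd.upper(), shown))
    return findings
```

Feed it live output with `ngrep -wi -d any 'user|pass' port 21 | python3 script.py` after wrapping the functions in a main that reads stdin, or run it over a saved capture replayed with `ngrep -I file.pcap`.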

[root@localhost ~]# ngrep port 80
interface: eth0 (10.10.93.0/255.255.255.0)
filter: (ip) and ( port 80 )
####
##
T 10.10.93.220:2452 -> 66.102.15.100:80 [AP]


The above will debug HTTP connections.

[root@localhost ~]# ngrep -d any 'error' port syslog
interface: any
filter: (ip) and ( port syslog )
match: error

This monitors any network-based syslog traffic for the occurrence
of the word ``error''. ngrep knows how to convert service port
names (on UNIX, located in ``/etc/services'') to port numbers.