Basic packet sniffing is easy with ngrep. It supports BPF filter logic, which
means that constraining what ngrep sees and displays is as easy as saying
something like ``ngrep host foo.bar.com and port 25''. Following are a few
examples of common invocations of ngrep to do basic packet sniffing. Please note
the usage of ``any'' as the specified ethernet adaptor to attach to; in most
recent UNIX libpcap implementations this will instruct ngrep to attach to all
interfaces at once, local (lo) and all external interfaces that may be active.

ngrep -d any port 25
Monitor all activity crossing source or destination port 25 (SMTP).

ngrep -d any 'error' port syslog
Monitor any network-based syslog traffic for the occurrence of the word
``error''. ngrep knows how to convert service port names (on UNIX, located in
``/etc/services'') to port numbers.

ngrep -wi -d any 'user|pass' port 21
Monitor any traffic crossing source or destination port 21 (FTP), looking
case-insensitively for the words ``user'' or ``pass'', matched as
word-expressions (the match term(s) must have non-alphanumeric, delimiting
characters surrounding them).

In certain scenarios it is desirable to see how web browsers communicate with
web servers, and to inspect the HTTP headers and possibly cookie values that
they are exchanging.

In this example, we run ngrep on a webserver. Since it only has one interface,
eth0, we omit specifying the interface manually on the command line and allow
ngrep to choose the default interface for us, for convenience. The first
session below shows the result.

As you can see, all headers and aspects of the HTTP transmission are exposed
in their gory detail. It's a little hard to parse though, so the second session
below shows what happens when ``-W byline'' mode is used (content visually
truncated for display purposes).

``-W byline'' mode tells ngrep to respect embedded line feeds when they
occur. You'll note from that output that there is still a trailing dot
(``.'') on each line, which is the carriage-return portion of the CRLF pair.
Using this mode, the output has become much easier to visually parse.
# ngrep port 80
interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42167 -> 64.90.164.74:80 [AP]
GET / HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i
686) Opera 7.21 [en]..Host: www.darkridge.com..Accept: text/html, applicat
ion/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gi
f, image/x-xbitmap, */*;q=0.1..Accept-Charset: iso-8859-1, utf-8, utf-16, *
;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0..Cookie: SQ
MSESSID=5272f9ae21c07eca4dfd75f9a3cda22e..Cookie2: $Version=1..Connection:
Keep-Alive, TE..TE: deflate, gzip, chunked, identity, trailers....
##
T 64.90.164.74:80 -> 67.169.59.38:42167 [AP]
HTTP/1.1 200 OK..Date: Mon, 29 Mar 2004 00:44:40 GMT..Server: Apache/2.0.49
(Unix)..Last-Modified: Tue, 04 Nov 2003 12:09:41 GMT..ETag: "210e23-326-f8
200b40"..Accept-Ranges: bytes..Vary: Accept-Encoding,User-Agent..Content-En
coding: gzip..Content-Length: 476..Keep-Alive: timeout=15, max=100..Connect
ion: Keep-Alive..Content-Type: text/html; charset=ISO-8859-1..Content-Langu
age: en..............}S]..0.|...........H...8........@..\....(.....Dw.%.,..
;.k.....Y>q<........d ...........3.i..kdm.u@d{.Q..\....@..B1.0.2YI^..R.....
....X......X..y...\.....,..(........1...g.......*...j..a.`._@.W....0.....?.
.R.K.j..Y.....>...;kw*U.j.<...\0Tn.l.:......>Fs....'....h.'...u.H4..'.6.vID
I.......N.r.O...}...I.w. ...mX...L.s..{.L.R..-...e....~nu..t.3...H..#..J...
.u.?..]....^..2.....e8v/gP.....].48...qD!..........#y...m}..>/?..#........I
..I..4.P......2:...n8l.......!.Yr&...
##
# ngrep -W byline port 80
interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42177 -> 64.90.164.74:80 [AP]
GET / HTTP/1.1.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera ...
Host: www.darkridge.com.
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9 ...
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1.
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0.
Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.
Cookie2: $Version=1.
Cache-Control: no-cache.
Connection: Keep-Alive, TE.
TE: deflate, gzip, chunked, identity, trailers.
.
##
T 64.90.164.74:80 -> 67.169.59.38:42177 [AP]
HTTP/1.1 200 OK.
Date: Mon, 29 Mar 2004 00:47:25 GMT.
Server: Apache/2.0.49 (Unix).
Last-Modified: Tue, 04 Nov 2003 12:09:41 GMT.
ETag: "210e23-326-f8200b40".
Accept-Ranges: bytes.
Vary: Accept-Encoding,User-Agent.
Content-Encoding: gzip.
Content-Length: 476.
Keep-Alive: timeout=15, max=100.
Connection: Keep-Alive.
Content-Type: text/html; charset=ISO-8859-1.
Content-Language: en.
.
..........}S]..0.|...........H...8........@..\....(.....Dw.%.,..;.k.. ...
.;kw*U.j.<...\0Tn.l.:......>Fs....'....h.'...u.H4..'.6.vIDI.......N.r ...
..H..#..J....u.?..]....^..2.....e8v/gP.....].48...qD!..........#y...m ...
####
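To make the two renderings above concrete, here is an added example (not ngrep's own code; the sample output, hosts and cookie values in it are constructed) that parses both the default format, where CRLF shows up as ``..'', and the -W byline format, where only the CR survives as a trailing dot, and reports which cookies were observed crossing the wire in cleartext, a useful audit for session tokens still sent over plain HTTP.

```python
import re

# Constructed ngrep output (hosts/cookie values are made up): one request in default
# mode, where CRLF is rendered as "..", and in -W byline mode (LF honoured, CR left as ".").
DEFAULT_MODE = ("T 10.0.0.5:42167 -> 10.0.0.7:80 [AP]\n"
                "GET /login HTTP/1.1..Host: intranet.example..Cookie: SESSID=abc123; theme=dark....\n##\n")
BYLINE_MODE = ("T 10.0.0.5:42177 -> 10.0.0.7:80 [AP]\nGET /login HTTP/1.1.\nHost: intranet.example.\n"
               "Cookie: SESSID=abc123; theme=dark.\n.\n##\n")
# ngrep's per-packet header line: proto src:port -> dst:port [tcp flags]
HEADER_RE = re.compile(r"^(\S) (\S+):(\d+) -> (\S+):(\d+) \[(\w*)\]$")

def parse_ngrep(text):
    """Split ngrep output into packet records carrying their printable payload."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"src": f"{m[2]}:{m[3]}", "dst": f"{m[4]}:{m[5]}",
                            "flags": m[6], "payload": []})
        elif (line and set(line) == {"#"}) or line.startswith(("interface:", "filter:")):
            continue  # "#" packet markers and the startup banner carry no payload
        elif records:
            records[-1]["payload"].append(line)
    return records

def http_headers(payload, byline):
    """Recover the HTTP header block from ngrep's dotted rendering of the payload."""
    if byline:  # the single trailing "." is the CR of the CRLF pair: strip it
        lines = [l[:-1] if l.endswith(".") else l for l in payload]
    else:       # default mode hard-wraps without inserting characters, so rejoin
        lines = "".join(payload).split("..")  # ".." is CRLF (ambiguous if a value ends in ".")
    headers = {}
    for l in lines[1:]:  # lines[0] is the request or status line
        if not l:
            break        # blank line ends the header block
        name, _, value = l.partition(": ")
        if name and value:
            headers[name] = value
    return headers

def cleartext_cookie_report(text, byline):
    """Audit: endpoints and cookie names seen in cleartext; values are left out."""
    report = []
    for rec in parse_ngrep(text):
        cookie = http_headers(rec["payload"], byline).get("Cookie")
        if cookie is not None:
            names = [c.split("=", 1)[0].strip() for c in cookie.split(";")]
            report.append((rec["src"], rec["dst"], names))
    return report
```

Feed it real output with ``ngrep -W byline port 80 | python3 -c ...'' and use byline=True; the default-mode splitter is kept for older captures but is less reliable because non-printable bytes are also rendered as dots.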