Monday, June 13, 2005
Monitor network traffic with ngrep
June 13,2005
When it comes to network monitoring, there are a number of available tools out there. However, one tool that administrators often overlook is the network grep (ngrep) tool.
As a network sniffer or monitor, ngrep is very similar in some respects to tcpdump, but it's somewhat different because you can use grep-style syntax to filter what you want.
Ngrep's most basic use is to listen to all traffic on an interface. However, you can extend this quite a bit to narrow down what you're looking for. Ngrep's syntax is similar to that of tcpdump. Here's an example:
$ ngrep port 80 and src host 192.168.5.10 and dst host 192.168.5.100
This monitors all traffic on port 80 from the host 192.168.5.10 to the host 192.168.5.100.
If you're interested in watching Telnet traffic, you can do so using ngrep. You can make it only return traffic that shows a login string by using grep-style syntax. Here's an example:
$ ngrep -q -t -wi "login" port 23
This tells ngrep to look for the string "login" as a word (without case sensitivity) on port 23 for any connection. In this case, ngrep operates in quiet mode so it only prints out matches. In addition, it timestamps them (as designated by the -t option).
Used in conjunction with tcpdump, ngrep can also be very valuable for searching standard pcap dump files to look for patterns. If you have a large dump file from tcpdump, you can use ngrep to examine it by using standard ngrep commands and issuing it an input file with the -I parameter. Here's an example:
$ ngrep -wi "login" port 23 -I /tmp/packet.dump
Vincent Danen, a native Canadian in Edmonton, Alberta, has been using Linux for nearly two years. Vincent obtained his Linux Administrator certification from Tekmetrics.com, and he hopes to tackle the RHCE when it is offered in Canada.
When it comes to network monitoring, there are a number of available tools out there. However, one tool that administrators often overlook is the network grep (ngrep) tool.
As a network sniffer or monitor, ngrep is very similar in some respects to tcpdump, but it's somewhat different because you can use grep-style syntax to filter what you want.
Ngrep's most basic use is to listen to all traffic on an interface. However, you can extend this quite a bit to narrow down what you're looking for. Ngrep's syntax is similar to that of tcpdump. Here's an example:
$ ngrep port 80 and src host 192.168.5.10 and dst host 192.168.5.100
This monitors all traffic on port 80 from the host 192.168.5.10 to the host 192.168.5.100.
If you're interested in watching Telnet traffic, you can do so using ngrep. You can make it only return traffic that shows a login string by using grep-style syntax. Here's an example:
$ ngrep -q -t -wi "login" port 23
This tells ngrep to look for the string "login" as a word (without case sensitivity) on port 23 for any connection. In this case, ngrep operates in quiet mode so it only prints out matches. In addition, it timestamps them (as designated by the -t option).
Used in conjunction with tcpdump, ngrep can also be very valuable for searching standard pcap dump files to look for patterns. If you have a large dump file from tcpdump, you can use ngrep to examine it by using standard ngrep commands and issuing it an input file with the -I parameter. Here's an example:
$ ngrep -wi "login" port 23 -I /tmp/packet.dump
Vincent Danen, a native Canadian in Edmonton, Alberta, has been using Linux for nearly two years. Vincent obtained his Linux Administrator certification from Tekmetrics.com, and he hopes to tackle the RHCE when it is offered in Canada.