Basic packet sniffing is easy with ngrep. It supports BPF filter
logic, which means that constraining what ngrep sees and displays is
as simple as saying something like ``ngrep host foo.bar.com and port
25''. Following are a few examples of common ngrep invocations for
basic packet sniffing. Please note the use of ``any'' as the
interface to attach to; in most recent UNIX libpcap implementations
this instructs ngrep to attach to all interfaces at once, the local
loopback (lo) and every external interface that happens to be active.
In certain scenarios it is desirable to see how web browsers
communicate with web servers, and to inspect the HTTP headers and
possibly cookie values that they exchange.
In this example we run ngrep on a web server. Since the host has only
one interface, eth0, we omit the interface on the command line and let
ngrep choose the default interface for us, for convenience.
As you can see, every header and every other aspect of the HTTP
exchange is exposed in its gory detail. It is hard to read, though, so
let's see what happens when ``-W byline'' mode is used:
(Content visually truncated for display purposes.)
``-W byline'' mode tells ngrep to honour embedded line feeds when
they occur. You'll note from the output above that there is still a
trailing dot (``.'') on each line; that is the carriage-return half of
the CRLF pair, which, being a non-printable byte, is shown as a dot.
In this mode the output is much easier to read.
ngrep -d any port 25

    Monitor all activity crossing source or destination port 25 (SMTP).

ngrep -d any 'error' port syslog

    Monitor any network-based syslog traffic for the occurrence of the
    word ``error''. ngrep knows how to convert service port names (on
    UNIX, located in ``/etc/services'') to port numbers.

ngrep -wi -d any 'user|pass' port 21

    Monitor any traffic crossing source or destination port 21 (FTP),
    looking case-insensitively for the words ``user'' or ``pass'',
    matched as word-expressions (the match term(s) must be surrounded
    by non-alphanumeric, delimiting characters).
# ngrep port 80
interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42167 -> 64.90.164.74:80 [AP]
GET / HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i
686) Opera 7.21 [en]..Host: www.darkridge.com..Accept: text/html, applicat
ion/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gi
f, image/x-xbitmap, */*;q=0.1..Accept-Charset: iso-8859-1, utf-8, utf-16, *
;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0..Cookie: SQ
MSESSID=5272f9ae21c07eca4dfd75f9a3cda22e..Cookie2: $Version=1..Connection:
Keep-Alive, TE..TE: deflate, gzip, chunked, identity, trailers....
##
T 64.90.164.74:80 -> 67.169.59.38:42167 [AP]
HTTP/1.1 200 OK..Date: Mon, 29 Mar 2004 00:44:40 GMT..Server: Apache/2.0.49
(Unix)..Last-Modified: Tue, 04 Nov 2003 12:09:41 GMT..ETag: "210e23-326-f8
200b40"..Accept-Ranges: bytes..Vary: Accept-Encoding,User-Agent..Content-En
coding: gzip..Content-Length: 476..Keep-Alive: timeout=15, max=100..Connect
ion: Keep-Alive..Content-Type: text/html; charset=ISO-8859-1..Content-Langu
age: en..............}S]..0.|...........H...8........@..\....(.....Dw.%.,..
;.k.....Y>q<........d ...........3.i..kdm.u@d{.Q..\....@..B1.0.2YI^..R.....
....X......X..y...\.....,..(........1...g.......*...j..a.`._@.W....0.....?.
.R.K.j..Y.....>...;kw*U.j.<...\0Tn.l.:......>Fs....'....h.'...u.H4..'.6.vID
I.......N.r.O...}...I.w. ...mX...L.s..{.L.R..-...e....~nu..t.3...H..#..J...
.u.?..]....^..2.....e8v/gP.....].48...qD!..........#y...m}..>/?..#........I
..I..4.P......2:...n8l.......!.Yr&...
##
# ngrep -W byline port 80
interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42177 -> 64.90.164.74:80 [AP]
GET / HTTP/1.1.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera ...
Host: www.darkridge.com.
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9 ...
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1.
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0.
Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.
Cookie2: $Version=1.
Cache-Control: no-cache.
Connection: Keep-Alive, TE.
TE: deflate, gzip, chunked, identity, trailers.
.
##
T 64.90.164.74:80 -> 67.169.59.38:42177 [AP]
HTTP/1.1 200 OK.
Date: Mon, 29 Mar 2004 00:47:25 GMT.
Server: Apache/2.0.49 (Unix).
Last-Modified: Tue, 04 Nov 2003 12:09:41 GMT.
ETag: "210e23-326-f8200b40".
Accept-Ranges: bytes.
Vary: Accept-Encoding,User-Agent.
Content-Encoding: gzip.
Content-Length: 476.
Keep-Alive: timeout=15, max=100.
Connection: Keep-Alive.
Content-Type: text/html; charset=ISO-8859-1.
Content-Language: en.
.
..........}S]..0.|...........H...8........@..\....(.....Dw.%.,..;.k.. ...
.;kw*U.j.<...\0Tn.l.:......>Fs....'....h.'...u.H4..'.6.vIDI.......N.r ...
..H..#..J....u.?..]....^..2.....e8v/gP.....].48...qD!..........#y...m ...
####
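The byline capture above is regular enough to be parsed by a script, which is how a defender turns a one-off sniffing session into a repeatable check (for instance, confirming that no session cookie still crosses the wire on port 80). The following is an added example, not part of ngrep or of this page's original text. It parses ngrep's ``-W byline'' output into packets and HTTP header sets, then reports the cleartext exposures visible in the sample: the session cookie, the version-bearing Server banner, and the gzip-compressed body that a wire-level pattern search such as ngrep's own regexp cannot see into. The sample input is the capture shown above, embedded as a constant with the two visually truncated header lines restored from the first (non-byline) capture and the body shortened to one line; the packet-header regex assumes IPv4 addresses as printed on this page.

```python
"""Parse ngrep '-W byline' output and flag cleartext HTTP exposures.

Added example; ngrep's own source does none of this. The sample below is
the byline capture shown on the page, shortened and with the truncated
header lines completed from the earlier raw capture.
"""
import re
from dataclasses import dataclass, field

# ngrep packet header line, e.g.  T 67.169.59.38:42177 -> 64.90.164.74:80 [AP]
# (IPv4 only, as on the page; an assumption of this example)
PACKET_RE = re.compile(
    r"^(?P<proto>[TUI]) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \[(?P<flags>[A-Z]*)\]$"
)

SAMPLE = """\
# ngrep -W byline port 80
interface: eth0 (64.90.164.72/255.255.255.252)
filter: ip and ( port 80 )
####
T 67.169.59.38:42177 -> 64.90.164.74:80 [AP]
GET / HTTP/1.1.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera 7.21 [en].
Host: www.darkridge.com.
Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.
Connection: Keep-Alive, TE.
.
##
T 64.90.164.74:80 -> 67.169.59.38:42177 [AP]
HTTP/1.1 200 OK.
Date: Mon, 29 Mar 2004 00:47:25 GMT.
Server: Apache/2.0.49 (Unix).
Content-Encoding: gzip.
Content-Length: 476.
Content-Type: text/html; charset=ISO-8859-1.
.
..........}S]..0.|...........H...8........@..
####
"""


@dataclass
class Packet:
    proto: str
    src: str            # "ip:port" of the sender
    dst: str            # "ip:port" of the receiver
    flags: str          # TCP flags as ngrep prints them, e.g. "AP"
    lines: list = field(default_factory=list)   # payload lines, still dotted


def parse_byline(text):
    """Split ngrep byline output into Packet objects, dropping the '#' separators."""
    packets, cur = [], None
    for raw in text.splitlines():
        m = PACKET_RE.match(raw)
        if m:
            cur = Packet(m["proto"], f"{m['src']}:{m['sport']}",
                         f"{m['dst']}:{m['dport']}", m["flags"])
            packets.append(cur)
        elif cur is not None and not raw.startswith("#"):
            cur.lines.append(raw)      # interface:/filter: lines precede any packet
    return packets


def http_headers(pkt):
    """Return (start_line, {lower-case name: value}) or None if not HTTP.

    ngrep shows the CR of each CRLF as a trailing '.', so exactly one
    trailing dot is stripped; a line that was only '.' is the blank line
    ending the header block, and anything after it is body.
    """
    lines = [l[:-1] if l.endswith(".") else l for l in pkt.lines]
    if not lines:
        return None
    start = lines[0]
    if not (start.startswith("HTTP/") or re.match(r"^[A-Z]+ \S+ HTTP/\d\.\d$", start)):
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


def review(packets):
    """Heuristic findings a defender would want from a port-80 capture."""
    findings = []
    for pkt in packets:
        parsed = http_headers(pkt)
        if parsed is None:
            continue
        _, hdrs = parsed
        where = f"{pkt.src} -> {pkt.dst}"
        if "cookie" in hdrs:
            name = hdrs["cookie"].partition("=")[0]
            findings.append(f"{where}: cookie {name} sent in cleartext")
        if "server" in hdrs and re.search(r"\d", hdrs["server"]):
            findings.append(f"{where}: Server banner discloses version: {hdrs['server']}")
        if "content-encoding" in hdrs:
            findings.append(f"{where}: body is {hdrs['content-encoding']}-encoded; "
                            "a wire-level regexp match cannot see into it")
    return findings


if __name__ == "__main__":
    for line in review(parse_byline(SAMPLE)):
        print(line)
```

In practice the script is fed a saved capture (``ngrep -W byline port 80 > capture.txt``) rather than the embedded constant; the trailing-dot stripping is the only ngrep-specific quirk it has to know about, and the gzip finding is the reason a response body that looked like noise above cannot simply be grepped on the wire.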