  1. #1
    Untangle Ninja
    WebFooL
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    4,588

    Default How to install ngrep

    Hi,
    I needed a way to watch my network traffic in real time.
    jnettop is OK, but if you want to filter or do some more advanced things, ngrep is a nice tool.

    ngrep is a piece of software which is designed to mirror the standard pattern matching utility grep, although instead of matching patterns against text files it matches traffic passing over a network interface.
    Installation:

    Edit:
    Code:
    /etc/apt/sources.list
    
    (uncomment or add)
    deb http://security.debian.org lenny/updates main contrib non-free
    deb http://ftp.debian.org/debian lenny main contrib non-free
    In a terminal or over SSH, run
    Code:
    apt-get update
    Wait until the update is done, then run
    Code:
    apt-get install ngrep
    After the installation is done, edit:
    Code:
    /etc/apt/sources.list
    Remove, or add # in front of:
    Code:
    deb http://security.debian.org lenny/updates main contrib non-free
    deb http://ftp.debian.org/debian lenny main contrib non-free
    Then run
    Code:
    apt-get update
    (verify that it only goes to updates.untangle.com)

    Now you have ngrep installed.

    What can you do then?

    usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
    <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
    <-P char> <-F file> <match expression> <bpf filter>
    -h is help/usage
    -V is version information
    -q is be quiet (don't print packet reception hash marks)
    -e is show empty packets
    -i is ignore case
    -v is invert match
    -R is don't do privilege revocation logic
    -x is print in alternate hexdump format
    -X is interpret match expression as hexadecimal
    -w is word-regex (expression must match as a word)
    -p is don't go into promiscuous mode
    -l is make stdout line buffered
    -D is replay pcap_dumps with their recorded time intervals
    -t is print timestamp every time a packet is matched
    -T is print delta timestamp every time a packet is matched
    -M is don't do multi-line match (do single-line match instead)
    -I is read packet stream from pcap format file pcap_dump
    -O is dump matched packets in pcap format to pcap_dump
    -n is look at only num packets
    -A is dump num packets after a match
    -s is set the bpf caplen
    -S is set the limitlen on matched packets
    -W is set the dump format (normal, byline, single, none)
    -c is force the column width to the specified size
    -P is set the non-printable display char to what is specified
    -F is read the bpf filter from the specified file
    -N is show sub protocol number
    -d is use specified device instead of the pcap default
    -K is kill matching TCP connections
    Samples:
    Match only requests going to port 80
    Code:
    ngrep -q '^GET .* HTTP/1.[01]' 'port 80'
    Match only requests going to the destination 'untangle.com'
    Code:
    ngrep -q '^GET .* HTTP/1.[01]' 'host untangle.com'
    Match only ping requests
    Code:
    ngrep -q '.' 'icmp'
    Monitor all activity crossing source or destination port 25 (SMTP).
    Code:
    ngrep -d any port 25
    Monitor any network-based syslog traffic for the occurrence of the word "error". ngrep knows how to convert service port names (on UNIX, located in "/etc/services") to port numbers.
    Code:
    ngrep -d any 'error' port syslog
    Monitor any traffic crossing source or destination port 21 (FTP), looking case-insensitively for the words "user" or "pass", matched as word-expressions (the match term(s) must have non-alphanumeric, delimiting characters surrounding them).
    Code:
    ngrep -wi -d any 'user|pass' port 21
    As you can see, all headers and aspects of the HTTP transmission are exposed in their gory detail. It's a little hard to parse though, so let's see what happens when "-W byline" mode is used:

    Code:
    ngrep -W byline port 80
    Play Nice

    If you have nice samples, post them here and we can build an archive.
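    As an added example (not from the original post or from ngrep itself), here is a small script that reads the output of the FTP sample above, e.g. "ngrep -q -t -wi -d any 'user|pass' port 21", and counts cleartext USER/PASS commands per client-to-server pair, so hosts that still log in to FTP in the clear can be found and moved to SFTP or FTPS. The capture it parses is a constructed sample, and it assumes IPv4 addresses and ngrep's default (-W normal) layout.

```shell
#!/bin/sh
# Count cleartext FTP USER/PASS commands seen by ngrep, per client -> server.
# Assumes IPv4 addresses and ngrep's default (-W normal) output layout;
# the header parser works with and without -t (timestamp).

# Constructed sample of ngrep output for this example (not a real capture).
SAMPLE='interface: eth0 (192.168.1.0/255.255.255.0)
filter: ( port 21 ) and (ip or ip6)
match: user|pass

T 2009/06/01 10:15:02.123456 192.168.1.10:54321 -> 192.168.1.20:21 [AP]
  USER alice..

T 2009/06/01 10:15:02.654321 192.168.1.10:54321 -> 192.168.1.20:21 [AP]
  PASS s3cret..

T 2009/06/01 10:16:40.000001 192.168.1.11:40000 -> 192.168.1.20:21 [AP]
  user bob..

T 2009/06/01 10:16:41.000002 192.168.1.20:21 -> 192.168.1.11:40000 [AP]
  331 Password required..'

# Reads ngrep output on stdin; prints "client -> server USER=<n> PASS=<n>".
count_cleartext_logins() {
    awk '
        # TCP header line: "T [date time] src:port -> dst:port [flags]";
        # locate the "->" field so the line parses with or without -t.
        $1 == "T" {
            dst = ""
            for (i = 2; i < NF; i++) if ($i == "->") { src = $(i-1); dst = $(i+1) }
            next
        }
        # Payload line after a client -> server header (server port 21 only,
        # so server replies such as "331 Password required" are not counted).
        dst ~ /:21$/ {
            cmd = toupper($1)
            if (cmd != "USER" && cmd != "PASS") next
            c = src; sub(/:[0-9]+$/, "", c)   # drop the client ephemeral port
            s = dst; sub(/:[0-9]+$/, "", s)   # drop the server port
            key = c " -> " s
            seen[key] = 1
            if (cmd == "USER") { u[key]++ } else { p[key]++ }
        }
        END { for (k in seen) printf "%s USER=%d PASS=%d\n", k, u[k], p[k] }
    ' | sort
}

printf '%s\n' "$SAMPLE" | count_cleartext_logins
```

    To use it on live traffic, pipe ngrep into the function instead of the sample, or feed it a capture replayed with -I.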

  2. #2
    Untangler
    Join Date
    May 2009
    Posts
    53

    Default Good

    Good post, but I think it is better to use iftop or tcptrack; these use pcap-like syntax.

  4. #4
    Newbie
    Join Date
    Jun 2009
    Posts
    8

    Default

    Thanks, I think this might help me.
