Grep your network traffic!
There are many tools available for network troubleshooting, such as tcpdump. In this article, however, I'll discuss one that is easy to learn yet powerful enough to troubleshoot real-time traffic in and out of your Linux server.
ngrep is built on the libpcap library and, besides regular expressions, also accepts hexadecimal expressions to match against captured network traffic. Before installing, make sure you have the libpcap library, and of course ngrep itself. ngrep must be run as root; run without any options, it listens to all traffic on the current interface.
Below are some examples:
# ngrep '' udp
- Prints packets matching a particular protocol, in this case only UDP (the empty pattern '' matches every packet). Replace udp with tcp to grab TCP data.
# ngrep '' port 53
- Shows all DNS requests
# ngrep 'SSH' port 22
- Displays all connections to port 22
# ngrep 'user' port 110
- Grabs POP traffic containing 'user'.
# ngrep digg.com port 80
- With this command running in the background, you can tell which user is accessing digg.com, as well as whether digg.com is connecting to your server. This is handy on a large hosting site, for example: if one of the sites on your server is suffering the digg effect, this shortcut leads you to the culprit in no time, instead of going through every site's access_log.
# ngrep -qd eth1 'www' tcp port 80
- Looks only at TCP packets on port 80 via interface eth1 for anything matching 'www' (-q suppresses the per-packet '#' noise, -d selects the interface).
# ngrep -iq 'rcpt to|mail from' tcp port 25
- With the above command, you can monitor current email transactions and print the addresses.
# ngrep -q -t port 21
- The above command captures all traffic to the FTP server (port 21).
# ngrep -t '^(GET|POST) ' 'src host 192.168.136.55 and tcp and dst port 80'
- Displays all outgoing web requests from 192.168.136.55.
# ngrep -t 'USER' 'tcp and port 110'
- Displays, in clear text, who is logging in to their POP accounts.
# ngrep -iq 'user-agent' tcp port 80
- Displays the browser type the client host is running.
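To make clear what these commands actually do under the hood, here is an added example that is not part of the original post and not ngrep's own code: a small offline Python emulation of ngrep's two-stage matching (a protocol/port filter, then a regular expression over the TCP/UDP payload) run over a handful of constructed packets. It shows why 'USER' on port 110 exposes POP logins in clear text, what the -i flag changes, and how the digg.com trick can be turned into a per-site request count. All packets, addresses and host names are constructed sample data, and checksums are left zero because nothing here touches the wire.

```python
"""Added example (not from the original post, not ngrep's code): an offline
emulation of ngrep's matching -- protocol/port filter, then a regex over the
layer-4 payload -- run over constructed IPv4 packets."""
import re
import socket
import struct
from collections import Counter

TCP, UDP = 6, 17
PROTO_NAME = {TCP: "tcp", UDP: "udp"}


def build_packet(proto, src, sport, dst, dport, payload):
    """Build a raw IPv4 + TCP/UDP packet for the given 5-tuple and payload.
    Checksums are left zero: this is sample data, never sent on the wire."""
    if proto == TCP:
        # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4 + payload


def parse_packet(raw):
    """Return (proto_name, src, sport, dst, dport, payload) for a raw IPv4 packet."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    l4 = raw[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    hlen = (l4[12] >> 4) * 4 if proto == TCP else 8   # TCP data offset, or fixed 8-byte UDP header
    return PROTO_NAME[proto], src, sport, dst, dport, l4[hlen:]


def ngrep_like(raw_packets, pattern, proto=None, port=None, ignore_case=False):
    """Emulate `ngrep [-i] 'pattern' [tcp|udp] [port N]`: keep packets that pass
    the protocol/port filter and whose payload matches the regex. An empty
    pattern matches every packet, just like `ngrep '' udp`."""
    rx = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    hits = []
    for raw in raw_packets:
        name, src, sport, dst, dport, payload = parse_packet(raw)
        if proto and name != proto:
            continue
        if port is not None and port not in (sport, dport):
            continue
        if rx.search(payload):
            hits.append((name, f"{src}:{sport}", f"{dst}:{dport}", payload))
    return hits


HOST_RX = re.compile(rb"^Host: (\S+)", re.MULTILINE)


def hosts_by_request_count(raw_packets):
    """Count HTTP requests per Host header on port 80: the per-site view behind
    the digg.com example, without opening every site's access_log."""
    counts = Counter()
    for _, _, _, payload in ngrep_like(raw_packets, r"^(GET|POST) ", proto="tcp", port=80):
        m = HOST_RX.search(payload)
        if m:
            counts[m.group(1).decode()] += 1
    return counts


# Constructed sample traffic (not captured from any real network).
SAMPLE = [
    build_packet(TCP, "192.168.136.55", 51000, "192.168.136.10", 110, b"USER alice\r\n"),
    build_packet(TCP, "192.168.136.10", 110, "192.168.136.55", 51000, b"+OK\r\n"),
    build_packet(TCP, "192.168.136.55", 51001, "192.168.136.10", 110, b"user bob\r\n"),
    build_packet(TCP, "10.1.1.7", 40001, "192.168.136.10", 80,
                 b"GET /a HTTP/1.1\r\nHost: site-a.example\r\nUser-Agent: curl/8.0\r\n\r\n"),
    build_packet(TCP, "10.1.1.8", 40002, "192.168.136.10", 80,
                 b"GET /b HTTP/1.1\r\nHost: site-b.example\r\nReferer: http://digg.com/\r\n\r\n"),
    build_packet(TCP, "10.1.1.9", 40003, "192.168.136.10", 80,
                 b"POST /b HTTP/1.1\r\nHost: site-b.example\r\nReferer: http://digg.com/\r\n\r\n"),
    build_packet(UDP, "192.168.136.55", 53001, "192.168.136.1", 53,
                 b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
]

if __name__ == "__main__":
    # Equivalent of: ngrep -i 'USER' tcp port 110
    for name, src, dst, payload in ngrep_like(SAMPLE, "USER", proto="tcp", port=110, ignore_case=True):
        print(f"{name.upper()} {src} -> {dst}  {payload!r}")
    # Equivalent of counting the hits of: ngrep -t '^(GET|POST) ' tcp port 80
    print(hosts_by_request_count(SAMPLE))
```

The case-sensitivity check is the practical lesson: without -i the 'USER' pattern misses a client that sends the command in lower case, so the credentials are just as exposed but you would not see them. The real tool is far more capable (BPF filters of arbitrary complexity, hex patterns, many link types), but the filter-then-regex structure is the same.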
And finally, man ngrep and ngrep --help provide many more options and explanations of the best ways to use ngrep. ngrep is a great tool, but it has its limitations, which is why tools like tcpdump and others come into the picture to help out.