Friday, 3 July 2009


Ngrep is a network-based (pcap format) search tool. Just like its file-based compatriot, grep, it is used to search for strings in the payload (or the header, for that matter). Ngrep supports:

  • Basic ASCII strings (e.g. "ASCII"),
  • Regex (that is, Regular Expressions such as "GET.*php"), and
  • Hex strings (e.g. 0029A)
The best results are achieved using RegEx. Regular expressions are a little arcane, so I will recommend a few tools to help you learn and use them (there are also many good books and web sites on the subject). Hex also works well if you know exactly what you are looking for; this can include using sections of captured data.

Just like any good command line program, we have options. Some of these are listed below:
-i Ignore case for regular expression
-d Read data from a specific live interface
-I Read data from the specified pcap-file
-O Save matching packets to a pcap format file
-x Dump packet contents as hexadecimal and ASCII
-X Dump packet contents as hexadecimal and ASCII and then treat the matched expression as a hexadecimal string
As a result, we can use NGrep as a filter and poor-man's scanner to find traffic on a network.
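
What the match types and the -I, -i and -X switches above amount to, as an added Python example (it is not ngrep's code and not part of the original post). The function names, the sample packets and the hex pattern 0029a0 are constructed for illustration, and only classic little-endian pcap files carrying Ethernet/IPv4/TCP are handled.

```python
import re
import struct

def build_pcap(payloads):
    """Constructed sample input: one Ethernet/IPv4/TCP frame per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for n, data in enumerate(payloads):
        eth = b"\x00" * 12 + b"\x08\x00"                       # EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), n, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        tcp = struct.pack("!HHIIBBHHH", 40000 + n, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
        frame = eth + ip + tcp + data
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return out

def tcp_payloads(pcap):
    """Yield (packet_number, payload) for every IPv4/TCP frame in the capture."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off, num = 24, 0                                           # skip 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]     # bytes actually captured
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        num += 1
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                           # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4                           # IP header length
        doff = (frame[14 + ihl + 12] >> 4) * 4                 # TCP header length
        yield num, frame[14 + ihl + doff:]

def search(pcap, pattern, ignore_case=False, hex_pattern=False):
    """Return the numbers of packets whose payload matches the pattern."""
    if hex_pattern:                                            # match raw bytes given as hex
        needle = re.escape(bytes.fromhex(pattern))
    else:                                                      # ASCII string or regex
        needle = pattern.encode()
    rx = re.compile(needle, re.I if ignore_case else 0)
    return [num for num, data in tcp_payloads(pcap) if rx.search(data)]

# Constructed traffic: two PHP requests, one binary payload, one image request.
SAMPLE = build_pcap([b"GET /index.php HTTP/1.1\r\n", b"get /login.PHP HTTP/1.0\r\n",
                     b"\x00\x29\xa0binary", b"GET /logo.png HTTP/1.1\r\n"])

if __name__ == "__main__":
    print(search(SAMPLE, r"GET.*php"))
    print(search(SAMPLE, r"GET.*php", ignore_case=True))
    print(search(SAMPLE, "0029a0", hex_pattern=True))
```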

The RegEx Coach is a means of training yourself to use Regular Expressions. A screenshot is provided below:
RegexBuddy is one of those tools that incorporate a number of predefined RegEx searches.
NGrep will run on both Windows and Unix/Linux. I will post on the UNIX/LINUX versions.

Linux binary RPMs are available, so installation is simple. Optionally, you can just unpack the static NGrep binary and copy it to a location of your choosing. Adding that location to your path will also make life a little easier. The static binary includes all of the library routines that are needed.

To unpack the Linux binary, use the bzip2 command in the following format, then mark the resulting file executable:
bzip2 -dc ngrep-1.44-linux-elf-static.bz2 > /usr/local/bin/ngrep
chmod +x /usr/local/bin/ngrep
Now that we have installed NGrep, we will move on to how to use NGrep tomorrow...
