Ngrep is a network (pcap format) based search tool. Just like its file based compatriot, grep, it is used when searching for strings in the payload (or the header for that matter). Ngrep supports:
- Basic ASCII strings (e.g. "ASCII"),
- Regex (regular expressions such as "GET.*php"), and
- Hex strings (e.g. 0029A)
Just like any good command line program, we have options. Some of these are listed below:
-i Ignore case for regular expressions
-d Read data from a specific live interface
-I Read data from the specified pcap-file
-O Save matching packets to a pcap format file
-x Dump packet contents as hexadecimal and ASCII
-X Dump packet contents as hexadecimal and ASCII and then treat the matched expression as a hexadecimal string
As a result, we can use NGrep as a filter and poor-man's scanner to find traffic on a network.
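As an added illustration (not part of the original post and not ngrep's own code), the following Python sketch does the core of what ngrep does with a pcap: walk the packet records, pull out each TCP payload, and match it against either an ASCII regex (with -i style case folding) or a hex byte string (-X style). The capture it searches is constructed in memory, not a real trace.

```python
import re
import struct

# Build a tiny pcap in memory (constructed sample data, not a real capture):
# one Ethernet/IPv4/TCP frame carrying an HTTP request line.
def build_pcap(payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"                      # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 80]))
    frame = eth + ip + tcp + payload
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    phdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return ghdr + phdr + frame

def tcp_payloads(pcap: bytes):
    """Yield (src, dst, payload) for each IPv4/TCP packet in a pcap blob."""
    off = 24                                              # skip the global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":                   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:                            # not TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp_start = 14 + ihl
        doff = (frame[tcp_start + 12] >> 4) * 4
        yield src, dst, frame[tcp_start + doff:]

def grep(pcap: bytes, pattern: str, ignore_case=False, hex_mode=False):
    """Return [(src, dst, payload)] whose TCP payload matches `pattern`.
    hex_mode mirrors ngrep -X: the pattern is a hex byte string, matched literally."""
    if hex_mode:
        needle = bytes.fromhex(pattern.replace("0x", "").replace(" ", ""))
        rx = re.compile(re.escape(needle))
    else:
        rx = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    return [(s, d, p) for s, d, p in tcp_payloads(pcap) if rx.search(p)]

SAMPLE = build_pcap(b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n\r\n")
```

Running `grep(SAMPLE, "GET.*php")` reports the one constructed packet, while the same pattern in lower case only matches with `ignore_case=True`.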
The RegEx Coach is a means of training yourself in using regular expressions. A screenshot is provided below.
RegexBuddy is one of those tools that incorporate a number of predefined RegEx searches.
NGrep will run on both Windows and Unix/Linux. I will post on the UNIX/LINUX versions.
Linux binary RPMs are available, so installation is simple. Optionally, you can just unpack the static NGrep binary and copy it to a location of your choosing. Adding it to the path will also make life a little easier. This static binary includes all of the library routines that are needed.
To unpack the Linux binary, use the bzip2 command. This should be done with the following format:
bzip2 -dc ngrep-1.44-linux-elf-static.bz2 >/usr/local/bin/ngrep
Because the redirect writes a plain file, you also need to mark it executable: chmod +x /usr/local/bin/ngrep
Now that we have installed NGrep, we will move onto more on how to use NGrep tomorrow...