Searching for Strings in Network Traffic

8 01 2013

To search for packets containing data that matches a regular expression and protocols that match a filter
# ngrep [grep-options] regular-expression [filter-expression]
To search instead for a sequence of binary data:
# ngrep -X hexadecimal-digits [filter-expression]
To sniff packets and save them in a file:
# ngrep -O filename [-n count] [-d interface] [-s snap-length] \
regular-expression [filter-expression ]

To read and display the saved network trace data:
$ ngrep -I filename regular-expression [filter-expression]

The ngrep command searches network traffic for data that matches extended regular expressions, in the same way that the egrep command (or grep -E) searches files. In fact, ngrep supports many of the same command-line options as egrep, such as -i (case-insensitive), -w (whole words), or -v (nonmatching). In addition, ngrep can select packets using the same filter expressions as tcpdump. To use ngrep as an ordinary packet sniffer, use the regular expression “.”, which matches any nonempty payload.

ngrep is handy for detecting the use of insecure protocols. For example, we can observe FTP transfers to or from a server, searching for FTP request command strings to reveal usernames, passwords, and filenames that are transmitted as clear text:

$ ngrep -t -x 'USER|PASS|RETR|STOR' tcp port ftp and host
interface: eth0 (
filter: ip and ( tcp port ftp )
T 2003/02/27 23:31:20.303636 -> [AP]
55 53 45 52 20 6b 61 74 69 65 0d 0a USER katie..
T 2003/02/27 23:31:25.315858 -> [AP]
50 41 53 53 20 44 75 6d 62 6f 21 0d 0a PASS Dumbo!..
T 2003/02/27 23:32:15.637343 -> [AP]
52 45 54 52 20 70 6f 6f 68 62 65 61 72 0d 0a RETR poohbear..
T 2003/02/27 23:32:19.742193 -> [AP]
53 54 4f 52 20 68 6f 6e 65 79 70 6f 74 0d 0a STOR honeypot..
58 received, 0 dropped

The -t option adds timestamps; use -T instead for relative times between packets. The -x option prints hexadecimal values in addition to the ASCII strings.

ngrep prints a hash character (#) for each packet that matches the filter expression: only those packets that match the regular expression are printed in detail. Use the -q option to suppress the hashes.

To search for binary data, use the -X option with a sequence of hexadecimal digits (of any length) instead of a regular expression. This can detect some kinds of buffer overflow attacks, characterized by known signatures of fixed binary data.

ngrep matches data only within individual packets. If strings are split between packets due to fragmentation, they will not be found. Try to match shorter strings to reduce (but not entirely eliminate) the probability of these misses.
Shorter strings can also lead to false matches, however—a bit of experimentation is sometimes required. dsniff does not have this limitation.

Like other packet sniffers, ngrep can write and read libpcap-format network trace files, using the -O and -I options. This is especially convenient when running ngrep repeatedly to refine your search, using data captured previously, perhaps by another program. Usually ngrep captures packets until killed, or it will exit after recording a maximum number of packets requested by the -n option. The -d option selects a specific interface, if your machine has several. By default, ngrep captures entire packets (in contrast to
tcpdump and ethereal), since ngrep is interested in the payloads. If your data of interest is at the eginning of the packets, use the -s option to reduce the snapshot and gain efficiency.

When ngrep finds an interesting packet, the adjacent packets might be of interest too, as context. The ngrep -A option prints a specified number of extra (not necessarily matching) packets for trailing context.

This is similar in spirit to the grep -A option, but ngrep does not support a corresponding -B option for leading context.

A recommended practice: Save a generous amount of network trace data with tcpdump, then run ngrep to locate interesting data. Finally, browse the complete trace using Ethereal, relying on the timestamps to identify the packets matched by ngrep.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: