A Look at ngrep
Ron McCarty
Network troubleshooting often requires the use of a sniffer, and
many network administrators automatically reach for tcpdump
(http://www.tcpdump.org/), which is useful across many platforms.
With the increasing number of protocols supported on IP, administrators
often need to look further into the payload of packets to ensure
that applications or users are providing information expected by
the receiving IP stack.
ngrep is a sniffer that can be used like tcpdump,
and it provides the additional capability of "grepping"
the packet's payload for particular matches. ngrep's regular
expression support resembles that of GNU grep, which gives many
advanced features such as printing packets after the matched expression.
ngrep is available at:
http://ngrep.sourceforge.net/
and requires libpcap, which is available at the tcpdump
Web site:
http://www.tcpdump.org/
libpcap is already on systems that have tcpdump installed.
Installation of ngrep is straightforward -- typically a
configure, make, and make install will have it up and running. Because
it uses libpcap, a wide range of interfaces and operating systems
are supported.
ngrep, like tcpdump, can be used to print packets
matching a particular protocol. For example, you can use the following
to print all UDP packets:
ngrep '' udp
or ICMP packets with:
ngrep '' icmp
Specific ports can be used. For example, the domain name system (DNS)
uses TCP and UDP port 53, so:
ngrep '' port 53
will show all DNS traffic, such as this query for www.samag.com and
the response to it:
U 192.168.1.100:1034 -> 4.2.2.1:53
:............www.samag.com.....
#
U 4.2.2.1:53 -> 192.168.1.100:1034
:............www.samag.com................................!.%.........
....A.ROOT-SERVERS.NET..............E.GTLD-SERVERS.X.............F.k..
...........J.k.............K.k.............A.k.............M.k........
.....G.k.............C.k.............I.k.............B.k.............D
.k.I.......o...)...i......}.....QE...............C........'>....de....
....f...............BY...).&.........*....re........"....).e..........
...............Y...$..........07....j................. ;
whereas ngrep '' tcp port 23 will print telnet packets.
(To determine the appropriate ports, check /etc/services, or
consult the Internet Assigned Numbers Authority at: http://www.iana.org/numbers.htm.)
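The dots in the DNS dump above are ngrep's rendering of non-printable bytes, most of them the length byte that precedes each label of the name. The following parser, added here as an example and not code from the original article, decodes a DNS question and the first answer from a raw UDP payload and also reproduces ngrep's dot rendering so the two views can be compared. The two messages are constructed for www.samag.com (transaction ID, TTL and the 10.0.0.1 answer are made up) and are not captured packets.

```python
"""Decode a DNS question and answer from a raw UDP payload.

Added example, not code from the original article: the dots ngrep prints in
the DNS dump above are mostly the non-printable label-length bytes of the
name. This walks the 12-byte header and the length-prefixed labels (RFC 1035),
following the compression pointers that answers use to refer back to the
question name. The two messages below are constructed for www.samag.com;
they are not captured packets.
"""
import struct

# Constructed query: ID 0x1234, standard query, recursion desired, one question.
SAMPLE_QUERY = (
    b"\x12\x34"                      # transaction ID
    b"\x01\x00"                      # flags: QR=0, RD=1
    b"\x00\x01"                      # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"      # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x03www\x05samag\x03com\x00"   # QNAME as length-prefixed labels
    b"\x00\x01"                      # QTYPE  = A
    b"\x00\x01"                      # QCLASS = IN
)

# Constructed response: same question, one A record whose name is a pointer
# (0xC00C) back to offset 12, where the question name starts.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x03www\x05samag\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c"                      # NAME: pointer to offset 12
    b"\x00\x01\x00\x01"              # TYPE A, CLASS IN
    b"\x00\x00\x0e\x10"              # TTL 3600
    b"\x00\x04\x0a\x00\x00\x01"      # RDLENGTH 4, RDATA 10.0.0.1
)


def ngrep_view(payload: bytes) -> str:
    """Render bytes the way ngrep does by default: printable ASCII as-is,
    everything else as a dot."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


def read_name(msg: bytes, offset: int):
    """Return (name, offset_after_name), following compression pointers."""
    labels = []
    end = None            # offset just past the name in the original stream
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # 11xxxxxx: compression pointer
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 16:                   # guard against pointer loops
                raise ValueError("DNS name pointer loop")
            continue
        if length > 63:
            raise ValueError("DNS label longer than 63 bytes")
        offset += 1
        if length == 0:
            if end is None:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_question(msg: bytes) -> dict:
    """Parse the header and the first entry of the question section."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    name, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": name,
            "qtype": qtype, "qclass": qclass, "answers": ancount}


def first_answer(msg: bytes) -> dict:
    """Return the first resource record of the answer section; A records are
    decoded to a dotted quad, anything else is left as hex."""
    q = parse_question(msg)
    if q["answers"] < 1:
        raise ValueError("no answer records")
    _, off = read_name(msg, 12)
    off += 4                                 # skip QTYPE and QCLASS
    name, off = read_name(msg, off)          # usually a pointer, as here
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    rdata = msg[off + 10:off + 10 + rdlen]
    data = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
    return {"name": name, "type": rtype, "ttl": ttl, "data": data}


if __name__ == "__main__":
    print(ngrep_view(SAMPLE_QUERY))          # what ngrep would show
    print(parse_question(SAMPLE_QUERY))      # what the bytes mean
    print(first_answer(SAMPLE_RESPONSE))
```

The hop counter in read_name matters on a sniffer: a crafted packet with a pointer that points at itself would otherwise keep the decoder spinning, and a tool that is supposed to watch traffic should not be the thing that falls over.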
To troubleshoot Microsoft browsing traffic for the NT Domain BIGWORLD,
you can use:
ngrep '' port 138
U 192.168.1.101:138 -> 192.168.1.255:138
.......e...... EOFFENECEFFCDJCACACACACACACACAAA. ABACFPFPENFDECFCEPFHF
DEFFPFPACAB..SMB%..............................(...................(.V
.........9.\MAILSLOT\BROWSE....'..BIGWORLD........... @.....NUMBER8.
But to really take advantage of ngrep, pick up only the LILWORLD
traffic by putting the domain name in the expression:
ngrep 'LILWORLD' port 138
###################################
U 192.168.1.101:138 -> 192.168.1.255:138
.......e...... EOFFENECEFFCDJCACACACACACACACAAA. ABACFPFPENFDECFCEPFHF
DEFFPFPACAB..SMB%..............................(...................(.V
.........9.\MAILSLOT\BROWSE....'..LILWORLD........... @.....NUMBER9.
This could be very difficult to troubleshoot with tcpdump in
a larger network.
Email
The Simple Mail Transfer Protocol (SMTP) is an ASCII-based protocol,
so ngrep can be useful for troubleshooting SMTP email. For
example, to monitor current delivery and print sender and recipients,
use (-i makes the match case insensitive, since clients capitalize the
commands differently, and -q suppresses the # markers for
non-matching packets):
ngrep -iq 'rcpt to|mail from' tcp port 25
T 192.168.1.254:1043 -> 206.46.170.36:25 [AP]
MAIL From:<mccarty@somedomain.com> SIZE=42..
T +63.769851 192.168.1.254:1043 -> 206.46.170.36:25 [AP]
RCPT To:<ronald.mccarty@gte.net>..
T 192.168.1.254:1043 -> 206.46.170.36:25 [AP]
RCPT To:<ronald.mccarty@gte.net>..
This may come in handy to identify the sender of the recently popular
mail viruses that read Outlook address books and send the virus to
other users: a single workstation issuing RCPT To: for a long list
of recipients stands out quickly.
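Spotting that workstation by eye gets hard on a busy mail relay, so here is the kind of consumer you would put behind ngrep -l -iq 'rcpt to|mail from' tcp port 25 (the -l option, covered below, keeps the pipe flowing). It is an added example, not code from the original article: it groups ngrep's output into packets, remembers the MAIL From: sender per client flow so that concurrent sessions do not mix, and tallies distinct recipients per sender. The sample ngrep output is constructed, modelled on the lines above; the hosts and addresses in it are made up.

```python
"""Tally SMTP envelope senders and recipients from ngrep output.

Added example, not from the original article. Feed it the output of
ngrep -l -iq 'rcpt to|mail from' tcp port 25 on stdin, or run it as-is to
process the constructed sample below (modelled on the article's output; the
second flow and its addresses are invented).
"""
import re
import sys
from collections import defaultdict

# ngrep header line: proto, optional timestamp(s), src -> dst, optional flags.
HEADER_RE = re.compile(r"^([TUI]) (?:\S+ )*?(\S+) -> (\S+)(?:\s.*)?$")
MAIL_FROM_RE = re.compile(r"mail\s+from:\s*<?([^>\s]*)>?", re.IGNORECASE)
RCPT_TO_RE = re.compile(r"rcpt\s+to:\s*<?([^>\s]+)>?", re.IGNORECASE)

SAMPLE_NGREP_OUTPUT = """\
T 192.168.1.254:1043 -> 206.46.170.36:25 [AP]
MAIL From:<mccarty@somedomain.com> SIZE=42..
T +63.769851 192.168.1.254:1043 -> 206.46.170.36:25 [AP]
RCPT To:<ronald.mccarty@gte.net>..
T 192.168.1.254:1043 -> 206.46.170.36:25 [AP]
RCPT To:<ronald.mccarty@gte.net>..
T 192.168.1.77:2231 -> 206.46.170.36:25 [AP]
mail from:<jane@somedomain.com>..
T 192.168.1.77:2231 -> 206.46.170.36:25 [AP]
rcpt to:<alice@example.com>..
T 192.168.1.77:2231 -> 206.46.170.36:25 [AP]
rcpt to:<bob@example.com>..rcpt to:<carol@example.com>..
T 192.168.1.77:2231 -> 206.46.170.36:25 [AP]
RCPT TO:<dave@example.com>..
"""


def records(lines):
    """Group ngrep output into (src, dst, payload) records: a header line
    starts a packet, and every non-empty line up to the next header is its
    payload (ngrep prints CRLF as "..", which we keep as plain text)."""
    current = None
    for line in lines:
        line = line.rstrip("\n")
        m = HEADER_RE.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(2), m.group(3), ""]
        elif current is not None and line:
            current[2] += line
    if current:
        yield tuple(current)


def tally_envelopes(lines):
    """Map each envelope sender to the set of distinct recipients it
    addressed. The sender is remembered per (src, dst) flow, so RCPT To:
    lines are credited to the right session when several run at once."""
    sender_of_flow = {}
    tally = defaultdict(set)
    for src, dst, payload in records(lines):
        flow = (src, dst)
        for m in MAIL_FROM_RE.finditer(payload):
            sender_of_flow[flow] = m.group(1) or "<>"   # "<>" is a bounce
        for m in RCPT_TO_RE.finditer(payload):
            tally[sender_of_flow.get(flow, "(unknown)")].add(m.group(1))
    return dict(tally)


def mass_mailers(tally, threshold=3):
    """Senders that addressed at least `threshold` distinct recipients."""
    return sorted(s for s, rcpts in tally.items() if len(rcpts) >= threshold)


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_NGREP_OUTPUT.splitlines(True)
    tally = tally_envelopes(source)
    for sender in sorted(tally):
        print(f"{sender}: {len(tally[sender])} recipient(s)")
    for sender in mass_mailers(tally):
        print(f"possible mass mailer: {sender}")
```

The header regex tolerates the relative timestamp that ngrep prints with -T (the "+63.769851" seen in the article's output) and the absolute one printed with -t, and it accepts ICMP headers that end in "type:code" rather than a flags bracket, so the same reader works for the other protocols in this article.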
The Post Office Protocol version 3 (POP3) can also be tested
in much the same way as SMTP. Keep in mind that POP3 sends the USER
and PASS commands in clear text, so anyone who can run a sniffer on
the segment can collect passwords exactly the same way. For example,
if it is possible that the user is misspelling the user name:
ngrep 'user' port 110
T 192.168.1.100:1889 -> 192.168.1.1:110 [AP]
user test..
ICMP
Most troubleshooting of ICMP can be achieved with the ping
commands, but there are different implementations of ping.
For example, Microsoft operating systems fill the ICMP payload with
the alphabet, so you can determine whether a host that is pinging
is actually a Windows machine with:
ngrep -q 'abcd' icmp
I 192.168.1.100 -> 192.168.1.254 8:0
....abcdefghijklmnopqrstuvwabcdefghi
Web
The Hypertext Transfer Protocol (HTTP) is text based and shares all
kinds of information between the server and client. For example,
to determine the client application that the client host is running,
use:
ngrep -iq 'user-agent' tcp port 80
(/etc/services also lists 80/udp, but that is only a port assignment;
HTTP as deployed runs over TCP, so the tcp qualifier loses nothing.)
This particular case shows that the user is using lynx:
T 192.168.1.254:1065 -> 64.4.43.7:80 [AP]
GET / HTTP/1.0..Host: www.hotmail.com..Accept: text/html, text/plain,
audio/mod, image/*, video/*, video/mpeg, application/pgp, application/
pgp, application/pdf, message/partial, message/external-body, applicat
ion/postscript, x-be2, application/andrew-inset, text/richtext, text/e
nriched..Accept: x-sun-attachment, audio-file, postscript-file, defaul
t, mail-file, sun-deskset-message, application/x-metamail-patch, text/
sgml, */*;q=0.01..Accept-Encoding: gzip, compress..Accept-Language: en
..User-Agent: Lynx/2.8.3dev.18 libwww-FM/2.14....
Of course, the version of HTTP that is being used can be determined
by using "HTTP/" as the search expression, or the server
being run by using "server:" with -i as the expression (ngrep matches
are case sensitive unless -i is given, so "SERVER" on its own would
miss the usual "Server:" header). Some attacks
on Web servers try to request documents with periods as the file name,
such as ../. ngrep can also check for these, but in a regular
expression an unescaped period matches any character, so the dots
must be escaped or the expression matches almost every request:
ngrep '\.\./' tcp port 80
T 192.168.1.100:1103 -> 10.1.1.1:80 [AP]
GET /../ HTTP/1.0..Host: www.somedomain.to..Accept: text/html, text
/plain, audio/mod, image/*, video/*, video/mpeg, application/pgp, appl
ication/pgp, application/pdf, message/partial, message/external-body,
application/postscript, x-be2, application/andrew-inset, text/richtext
, text/enriched..Accept: x-sun-attachment, audio-file, postscript-file
, default, mail-file, sun-deskset-message, application/x-metamail-patc
h, text/sgml, video/mpeg, image/jpeg, image/tiff, image/x-rgb, image/p
ng, image/x-xbitmap, image/x-xbm, image/gif..Accept: application/posts
cript, */*;q=0.01..Accept-Encoding: gzip, compress..Accept-Language: e
n..User-Agent: Lynx/2.8.4dev.7 libwww-FM/2.14....
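Two things about that ../ check are worth seeing on real request lines: what the unescaped pattern actually matches, and what even the escaped pattern cannot see. The script below is an added example, not code from the original article. It runs the naive and the escaped expressions over a handful of constructed request lines (written as ngrep prints them, CRLF shown as "..") and then does what a wire-level regex cannot: it percent-decodes the request path before looking for a ".." segment. The hostnames and paths in the sample lines are made up.

```python
"""Check HTTP request lines for directory traversal.

Added example, not from the original article. It makes two points about the
'../' check above: in a regular expression an unescaped '.' matches any
character, so the pattern '../' hits nearly every request ("T /" in "GET /"
is enough), and even the escaped form only sees the bytes on the wire, so
percent-encoded variants slip past it. The request lines are constructed,
written the way ngrep prints them with CRLF shown as "..", and are not
captured traffic.
"""
import re
from urllib.parse import unquote

REQUESTS = [
    "GET /index.html HTTP/1.0..Host: www.somedomain.to..",
    "GET /../ HTTP/1.0..Host: www.somedomain.to..",
    "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0..",          # encoded slash
    "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.0..",        # encoded dots
    "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.0..",       # double encoded
    "GET /static/a..b/file.txt HTTP/1.0..",                   # dots, no traversal
]

NAIVE = re.compile("../")        # '.' is "any character": "T /" in "GET /" matches
ESCAPED = re.compile(r"\.\./")   # what the one-liner above actually intends
REQUEST_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/")


def naive_matches(lines):
    """Lines the unescaped pattern would flag (all of them, in practice)."""
    return [line for line in lines if NAIVE.search(line)]


def escaped_matches(lines):
    """Lines the escaped pattern flags: only a literal '../' on the wire."""
    return [line for line in lines if ESCAPED.search(line)]


def request_path(line):
    """Pull the request-target out of an HTTP request line, or None."""
    m = REQUEST_LINE.match(line)
    return m.group(1) if m else None


def has_traversal(line):
    """Decode percent-encoding twice (to catch double encoding), then look
    for a '..' path segment; this is what a wire-level regex cannot do."""
    path = request_path(line)
    if path is None:
        return False
    decoded = unquote(unquote(path))
    return any(segment == ".." for segment in re.split(r"[/\\]", decoded))


if __name__ == "__main__":
    print(len(naive_matches(REQUESTS)), "of", len(REQUESTS), "match the unescaped '../'")
    print(len(escaped_matches(REQUESTS)), "match the escaped form")
    for line in REQUESTS:
        verdict = "TRAVERSAL" if has_traversal(line) else "ok       "
        print(verdict, line.split(" HTTP/")[0])
```

The lesson for the one-liner is that ngrep is a fine first filter but a poor last word: use the escaped expression to cut the traffic down, and let something that understands the protocol make the decision.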
This same technique can be used to determine what an ftp server
is reporting as its version:
ngrep '220' port 21
T 209.155.82.18:21 -> 192.168.1.100:1105 [AP]
220 wcarchive.cdrom.com FTP server (Version DG-4.0.62 974200128) ready
or to investigate Secure Shell, which can be tough to debug during
the first install (only the version banners are exchanged in the
clear; everything after the key exchange is encrypted, so this is as
far into the session as ngrep can see):
ngrep 'SSH' port 22
T 192.168.1.1:22 -> 192.168.1.100:1023 [AP]
SSH-1.5-1.2.27.
##
T 192.168.1.100:1023 -> 192.168.1.1:22 [AP]
SSH-1.5-OpenSSH_2.1.1.
Neat Features of ngrep
Some of the nicer features of ngrep are obvious to systems
administrators, but may be less obvious to network administrators
with light sys admin duties. Let's look at some of them:
-A n -- The -A option prints out "n"
packets after the match. This could be useful, for example, to print
the packets that follow the "RCPT To:" line of an SMTP session
to get a more complete picture of the transaction.
-l -- Sometimes it is necessary to pipe the output
of ngrep to another program for more processing. However,
normal ngrep behavior will seem sporadic when piped to the
other program, because stdout is block buffered when it is not a
terminal and ngrep's output only appears once the buffer fills.
The -l option makes stdout line buffered, so each matching
packet is printed immediately.
-v -- The -v prints packets that do not match
the expression. Note that it inverts only the regular expression
match, not the packet filter, so ngrep -v '' port 23 does not show
"everything but telnet": the port 23 filter still limits the capture
to telnet. To exclude the telnet session you are using to reach the
host during initial troubleshooting, when a cause is not yet known
but you can assume it is not the traffic you are generating yourself,
put the exclusion in the packet filter instead:
ngrep '' not port 23
-v earns its keep when the noise is in the payload rather than on a
port, for example to hide a known chatty message from a protocol you
are otherwise watching.
-d -- The -d allows you to specify the device
you want to monitor. The complete path to the device name is not
required. Thus:
ngrep -d le0 ''
will listen to le0 on a Solaris box.
Summary
ngrep, like its cousin tcpdump, is handy for network
troubleshooting. With the addition of being able to search with
regular expressions, ngrep is worth adding to your network
tool box. Weighing in at a little over 100 K, it is also worth considering
for your emergency and network floppy distributions.
Ronald McCarty received his bachelor's degree in Computer
and Information Systems at the University of Maryland's international
campus at Schwaebisch Gmuend, Germany. After completing his degree,
Ronald McCarty started his network career as network administrator
at the Schwaebisch Gmuend campus. Ronald McCarty works for Lucent
Technologies as a senior systems engineer on a customer team responsible
for a major telecommunications carrier. He spends his free time
with his two best friends in the world: his daughter, Janice, and
his wife, Claudia. Ron can be reached at: ronald.mccarty@gte.net.