ngrep Network Traffic Snooping

ngrep is a powerful tool which enables network administrators to view packets travelling across the wire in real time. This is a useful item for both security audits and reverse engineering.

By running ngrep on router level devices, it is possible to see where closed source devices such as Playstations and Wiis are phoning home for updates.

Below is a sample command run on my router to view all traffic on interface br0, travelling to or from host 192.168.1.19.

ngrep -q -d br0 -W byline host 192.168.1.19

I ran a simple wget on 192.168.1.19 to generate traffic.

T 192.168.1.19:59119 -> 78.137.166.3:80 [AP]
GET / HTTP/1.0.
User-Agent: Wget/1.12 (linux-gnu).
Accept: */*.
Host: dereenigne.org.
Connection: Keep-Alive.
.


T 78.137.166.3:80 -> 192.168.1.19:59119 [AP]
HTTP/1.1 200 OK.
Date: Mon, 28 Feb 2011 02:09:50 GMT.
Server: Apache/1.3.41 (Unix) PHP/5.2.5.
X-Powered-By: PHP/5.2.5.
Connection: close.
Content-Type: text/html.
X-Pad: avoid browser bug.
.
Hello, World!

The results can also be dumped to a pcap file for later examination in Wireshark by using the -O argument.

ngrep -d eth0 -O /tmp/capture.pcap

ngrep will obviously need root privileges if it is to sniff packets.

Leave a Reply