9.18. Searching for Strings in Network Traffic
Problem
You want to watch network traffic, searching for strings in the transmitted data.
Solution
Use ngrep .
To search for packets containing data that matches a regular expression and protocols that match a filter expression:
# ngrep [grep-options
]regular-expression
[filter-expression
]
To search instead for a sequence of binary data:
# ngrep -Xhexadecimal-digits
[filter-expression
]
To sniff packets and save them in a file:
# ngrep -Ofilename
[-ncount
] [-dinterface
] [-ssnap-length
] \regular-expression
[filter-expression
]
To read and display the saved network trace data:
$ ngrep -Ifilename
regular-expression
[filter-expression
]
Discussion
ngrep is supplied with SuSE but not Red Hat; however, it is easy to obtain and install if you need it. Download it from http://ngrep.sourceforge.net and unpack it:
$ tar xvpzf ngrep-*.tar.gz
compile it:
$ cd ngrep $ ./configure --prefix=/usr/local $ make
and install it into /usr/local as root:[8]
# mkdir -p /usr/local/bin /usr/local/man/man8 # make install
Sometimes we are interested in observing the data delivered by network packets, known as the payload . Tools like tcpdump [Recipe 9.16] and especially Ethereal [Recipe 9.17] can display the payload, but they are primarily designed for protocol analysis, so their ability to select packets based on arbitrary data is limited.[9]
The ngrep command searches network traffic for data that matches extended regular expressions, in the same way that the ...
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.