Difference between revisions of "Ngrep"

From ForensicsWiki
(New page: {{Infobox_Software | name = ngrep | maintainer = Jordan Ritter | os = {{Linux}} | genre = Network forensics | license = {{GPL}} | website = [http://ngrep.sourceforge.net/ ngrep...)
 
m (Link to fragment reassembly patch)
 
Line 27: Line 27:
 Ngrep cannot reconstruct data streams, it has no ability to match a string that is broken across two or more packets.
+
+== Patches ==
+
+* [http://sourceforge.net/tracker/index.php?func=detail&aid=1738954&group_id=10752&atid=310752 IPv4 and IPv6 fragment reassembly patch]
 
 [[Category:Network Forensics]]

Latest revision as of 09:23, 19 October 2008

ngrep
Maintainer: Jordan Ritter
OS: Linux
Genre: Network forensics
License: GPL
Website: ngrep.sourceforge.net

Ngrep is a tool that provides GNU grep's features, applying them to the network layer.

Overview

Ngrep recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces.

Examples

Example 1: dump all common HTTP requests on a live network (eth0):

ngrep -qd eth0 '^(GET|POST|HEAD|CONNECT)' 'tcp'

Example 2: the same, but from a network dump (out.pcap):

ngrep -qI out.pcap '^(GET|POST|HEAD|CONNECT)' 'tcp'

Limitations

Ngrep cannot reconstruct data streams; it has no ability to match a string that is broken across two or more packets.
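As an added illustration of this limitation (example code, not part of the ngrep page or project): per-packet matching with the HTTP request regex from the examples above misses a request whose method is split across two TCP segments, while a toy sequence-number reassembly of the same segments finds it. The segments are constructed, and the reassembly assumes no overlaps, retransmissions or gaps.

```python
import re
from typing import Dict, List, Tuple

StreamKey = Tuple[str, str]  # (client ip:port, server ip:port)

# Constructed TCP segments, not a real capture: (stream key, seq, payload).
# The second request is split so "GE" and "T /b ..." arrive in different packets.
SEGMENTS = [
    (("10.0.0.2:5000", "10.0.0.1:80"), 1, b"GET /a HTTP/1.1\r\nHost: x\r\n\r\n"),
    (("10.0.0.3:5001", "10.0.0.1:80"), 1, b"GE"),
    (("10.0.0.3:5001", "10.0.0.1:80"), 3, b"T /b HTTP/1.1\r\nHost: y\r\n\r\n"),
]

# Same pattern as the ngrep examples; '^' anchors at the start of the payload.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|CONNECT)")


def match_per_packet(segments, pattern=HTTP_REQUEST) -> List[Tuple[StreamKey, int]]:
    """ngrep-style matching: run the pattern over each packet payload in isolation."""
    return [(key, seq) for key, seq, payload in segments if pattern.search(payload)]


def reassemble(segments) -> Dict[StreamKey, bytes]:
    """Order each stream's segments by sequence number and join the payloads.
    Toy reassembly (assumption): no overlapping, retransmitted or missing data."""
    streams: Dict[StreamKey, List[Tuple[int, bytes]]] = {}
    for key, seq, payload in segments:
        streams.setdefault(key, []).append((seq, payload))
    return {key: b"".join(p for _, p in sorted(parts)) for key, parts in streams.items()}


def match_per_stream(segments, pattern=HTTP_REQUEST) -> List[StreamKey]:
    """Stream-aware matching: apply the pattern to the reassembled byte stream."""
    return [key for key, data in reassemble(segments).items() if pattern.search(data)]


if __name__ == "__main__":
    print("per-packet matches:", match_per_packet(SEGMENTS))   # only the unsplit request
    print("per-stream matches:", match_per_stream(SEGMENTS))   # both requests
```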

Patches