Actions

Linux tcpdump and ngrep

From Ever changing code

tcpdump

Filter a host

sudo tcpdump -q -i any host 97.22.22.22

Expressions and/or logical operators

tcpdump -qn -i any -p -e "(dst port 9443  or \
                           dst port 22    or \
                           dst port 8672) and \
                          (src net 10.34.96.128/25 or \
                           src net 10.34.97.128/25 or \
                           src net 10.34.98.128/25)"
tcpdump -qn -i any -p -e "dst port 22 and (src net 10.34.96.128/25 or src net 10.34.97.128/25 or net 10.34.98.128/25)"
# -q less verbose, -n no-dns, -e expression
# -p (--no-promiscuous-mode) Don't  put the interface into promiscuous mode

ngrep

ngrep is network packet analyzer tool, It is a grep-like tool applied to the network layer – it matches traffic passing over a network interface with tcpdump like arguments syntax. It supports IPv4/6, TCP, UDP, ICMPv4/6, IGMP as well as Raw.


Install

sudo apt install ngrep
sudo yum install ngrep
sudo dnf install ngrep


Examples

sudo ngrep -q '.' 'icmp' #match all ping requests on the default working interface


piotr@ubuntu:~/git$ sudo ngrep -q '.' 'icmp'                          │piotr@ubuntu:~/git$ ping wp.pl -c 2
interface: ens33 (192.168.30.0/255.255.255.0)                         │PING wp.pl (212.77.98.9) 56(84) bytes of data.
filter: (ip or ip6) and ( icmp )                                      │64 bytes from www.wp.pl (212.77.98.9): icmp_seq=1 ttl=128 time=73.4 ms
match: .                                                              │64 bytes from www.wp.pl (212.77.98.9): icmp_seq=2 ttl=128 time=88.7 ms
                                                                      │
I 192.168.30.136 -> 212.77.98.9 8:0                                   │--- wp.pl ping statistics ---
  ......w[....`....................... !"#$%&'()*+,-./01234567        │2 packets transmitted, 2 received, 0% packet loss, time 1002ms
                                                                      │rtt min/avg/max/mdev = 73.417/81.107/88.798/7.695 ms
I 212.77.98.9 -> 192.168.30.136 0:0                                   │piotr@ubuntu:~/git$ 
  ......w[....`....................... !"#$%&'()*+,-./01234567        │
                                                                      │
I 192.168.30.136 -> 212.77.98.9 8:0                                   │
  ......w[............................ !"#$%&'()*+,-./01234567        │
                                                                      │
I 212.77.98.9 -> 192.168.30.136 0:0                                   │
  ......w[............................ !"#$%&'()*+,-./01234567        │


sudo ngrep -q '.' 'host google.com' # match only traffic going to a particular destination site
sudo ngrep -q '^GET .* HTTP/1.[01]' #monitor which files your browser is requesting
sudo ngrep port 25 #destination port 25
sudo ngrep -d any 'error' port 514 #monitor any network-based syslog traffic for the occurrence of the word “error”
sudo ngrep port 80 #match all requests to the destination host
sudo ngrep -W byline port 80 #match all requests to the destination host - prettier format
sudo ngrep -t -W byline port 80 #print a timestamp when every packet is matched
# -p don't put the interface into promiscuous mode
# -N show sub-protocol number along with single-character identifier (useful when observing raw or unknown protocols)