Created by Pedro Geraldo on 2019-09-03
Ngrep is a networking tool that sniffs network packets and matches their payload against a pattern, which makes it well suited to plaintext protocol interactions such as HTTP, IMAP, DNS, SIP, etc. This training will help you understand how to work with it.
Requirements:
- Training: SSH connection
- Training: Simple Unix Bash commands
- A server with SIP traffic so that it can be analysed by ngrep (either an astrad or a Kamailio).
As stated before, ngrep is a packet sniffing tool, which means that it inspects every packet that traverses the computer's network interfaces, whether wired or wireless. So, if we simply execute "ngrep" with no options, it outputs everything that is currently traversing those interfaces. This behaviour is demonstrated in the following example:
NOTE: ngrep will not work on the Linux subsystem provided by Microsoft (i.e. the bash or Ubuntu terminal on Windows). To test the commands in this training, open a simple SSH connection to a server like the one mentioned in the Requirements instead.
root@vps298515:~# ngrep
interface: ens3 (164.132.57.199/255.255.255.255)
#
T 87.98.186.150:22 -> 83.78.15.38:30554 [AP]
i...=e...l..~......9..B...*...#......0...xA...V..W.l4uj%......{......W...........W..
#
T 87.98.186.150:22 -> 83.78.15.38:30554 [AP]
#P..Zp....djC....k.,~..Na...6R.^....
#
U 87.98.186.150:44014 -> 91.121.167.75:13902
......O.(......U........UUU.UUUTUUUUTTUUUUTTTWTTUUUUU....UUUTTUUUU...UUUU.........UUU....UUU.............UUUUUUU
....UUU........U.UU.U.......U.....U.U.......UUUU.UUUUTUUTTUU
#
U 154.48.198.114:16458 -> 87.98.186.150:53834
..<.s.....,}...]RM\W].^.WT.^UW.....U.PV.X.P..QTDQWQ.S....XTVQ.Q....]QT.....Q.XX.[.RW.Q.WV.U.U....US[XET...T.TPWA
VT.....WP]......._._[.\..W.E.YA._....Q.U.......^ECQ...PW.VP^
#
U 87.98.186.150:49198 -> 91.121.151.58:14800
..<.s.....,}...]RM\W].^.WT.^UW.....U.PV.X.P..QTDQWQ.S....XTVQ.Q....]QT.....Q.XX.[.RW.Q.WV.U.U....US[XET...T.TPWA
VT.....WP]......._._[.\..W.E.YA._....Q.U.......^ECQ...PW.VP^
#
U 91.121.151.58:14800 -> 87.98.186.150:49198
........Y.[.RR]RRPPQQVQVQQVQQVWVWWTTTT.U...................................................UTTWWWTWWWVVWWWVVQVWW
WWWVWWWVVVVVQQPPQPQPQQQQQQVVVVVWTWWWUU......................
#
U 87.98.186.150:53834 -> 154.48.198.114:16458
........Y.[.RR]RRPPQQVQVQQVQQVWVWWTTTT.U...................................................UTTWWWTWWWVVWWWVVQVWW
WWWVWWWVVVVVQQPPQPQPQQQQQQVVVVVWTWWWUU......................
#
(…)
However, not all packets are easy to read. This can be overcome by simply adding filters to our command.
Here is a list of the filters that are useful in most situations:
NOTE: these options can be combined to narrow the output down to fit your needs.
This searches for packets that contain a given word, expression or piece of information, for example SIP/HTML/FTP or any other packet type, or a phone number carried in a packet.
ngrep "expression to match"
This chooses which network device (interface) to listen on.
ngrep -d eth0
There is also an option to limit the number of packets shown, i.e. if you only need a sample of 'n' packets:
ngrep -n 5
You can also have it skip a defined number of packets after finding one that matches your criteria, i.e. it finds an HTML packet and ignores the next 'n' packets:
ngrep -A 5
This option removes everything that doesn't belong to a matched packet (such as the '#' markers seen in the output above), making the output cleaner.
ngrep -q
This one is more for debugging purposes, in case you also need to see the packets that don't contain a payload and are exchanged in between the packets you are looking for (network packets that communicate with the router, or others):
ngrep -e
In case you want to see the packets that don't match your expression instead:
ngrep -v
This option adds to each packet a timestamp of when it traversed the network interface:
ngrep -t
Packets can be shown in four different ways: normal, single, byline and none (selected with the -W option, as used in the exercise below). If the option is not present, packets are shown in the normal way.
NOTE: For this exercise, request access to one of our SIP proxy servers (preferably the WeMobile Kamailio server).
Now that we know some filters that we can use, let's see them in action. First, see what happens if we just run ngrep with no options (press ctrl+c when you have seen enough).
We can see that it shows everything in a ramble, right? Let's try to narrow it down to just SIP packets:
ngrep "sip"
Here you can see more useful data, right? Now let's try to give it a cleaner look:
ngrep -q "sip"
Now let's combine multiple options. If I want to see only packets that contain the word "INVITE", in a clean and readable form, and no more than 5 of them:
ngrep -q -n 5 -W byline "INVITE"
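Once you have a capture like the one above, the next step is usually to turn the text ngrep prints into something you can check or alert on. The following Python script is an added example, not part of the original training and not ngrep's own code: it parses the output of a run such as `ngrep -q -t -n 3 -W byline "sip"` into packet records, extracts the SIP start line and headers from each byline-rendered payload, and counts SIP requests per source address. The header-line format it assumes (timestamp placed after the protocol letter when -t is given, a trailing [FLAGS] for TCP, an optional trailing #N counter in newer ngrep versions) and the byline rendering of a CR as '.' are my reading of the output shown on this page and of ngrep's man page; the sample capture and its addresses are constructed.

```python
# Added example (not ngrep's code): turn ngrep's printed output into records,
# pull out the SIP start line and headers, and count SIP requests per source.
# Assumed header format: "U 2019/09/03 10:15:22.123456 10.0.0.5:5060 -> 10.0.0.9:5060"
# (timestamp only with -t; TCP adds " [FLAGS]"; newer ngrep may append " #N").
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEADER_RE = re.compile(
    r"^(?P<proto>[A-Z]) (?:(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) )?"
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)"
    r"(?: \[(?P<flags>[A-Z]*)\])?(?: #\d+)?\s*$")


@dataclass
class Packet:
    proto: str                 # T = TCP, U = UDP, I = ICMP
    src: str
    sport: int
    dst: str
    dport: int
    timestamp: Optional[str] = None
    flags: str = ""
    payload: List[str] = field(default_factory=list)


def parse_ngrep(text: str) -> List[Packet]:
    """Split ngrep output into Packet records; payload lines stay as printed."""
    packets: List[Packet] = []
    cur: Optional[Packet] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = Packet(m["proto"], m["src"], int(m["sport"]), m["dst"],
                         int(m["dport"]), m["ts"], m["flags"] or "")
            packets.append(cur)
        elif line.strip() == "#":      # marker for a packet that did not match
            cur = None
        elif cur is not None:
            cur.payload.append(line)
    for p in packets:                  # drop ngrep's blank separator lines
        while p.payload and not p.payload[-1].strip():
            p.payload.pop()
    return packets


def _unrender(line: str) -> str:
    """Drop the '.' that -W byline prints for the CR of a CRLF (a value that genuinely ends in '.' loses it too)."""
    line = line.rstrip("\r")
    return line[:-1] if line.endswith(".") else line


def parse_sip(payload: List[str]) -> Tuple[str, Dict[str, str]]:
    """Return (start line, lower-cased header dict); stops at the empty line (rendered '.') before the body."""
    if not payload:
        return "", {}
    headers: Dict[str, str] = {}
    for line in payload[1:]:
        if line.rstrip("\r") in ("", "."):
            break
        name, sep, value = _unrender(line).partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return _unrender(payload[0]), headers


def sip_methods_by_source(packets: List[Packet]) -> Counter:
    """Count SIP requests per (source IP, method); responses ('SIP/2.0 ...') are skipped."""
    counts: Counter = Counter()
    for p in packets:
        method = parse_sip(p.payload)[0].split(" ", 1)[0]
        if method and not method.startswith("SIP/"):
            counts[(p.src, method)] += 1
    return counts


# Constructed sample of what `ngrep -t -W byline "sip"` might print (made-up hosts).
SAMPLE = """\
U 2019/09/03 10:15:22.123456 10.0.0.5:5060 -> 10.0.0.9:5060
INVITE sip:1000@10.0.0.9 SIP/2.0.
From: "Alice" <sip:alice@10.0.0.5>;tag=1928301774.
Call-ID: a84b4c76e66710@10.0.0.5.
.

U 2019/09/03 10:15:22.130001 10.0.0.9:5060 -> 10.0.0.5:5060
SIP/2.0 100 Trying.
Call-ID: a84b4c76e66710@10.0.0.5.
.
#
U 2019/09/03 10:15:23.000200 10.0.0.7:5060 -> 10.0.0.9:5060
REGISTER sip:10.0.0.9 SIP/2.0.
From: <sip:2000@10.0.0.9>;tag=55.
.
T 2019/09/03 10:15:24.500000 10.0.0.5:41000 -> 10.0.0.9:5060 [AP]
INVITE sip:1001@10.0.0.9 SIP/2.0.
Call-ID: second@10.0.0.5.
.
"""

if __name__ == "__main__":
    for p in parse_ngrep(SAMPLE):
        print(p.timestamp, p.proto, p.src, "->", p.dst, parse_sip(p.payload)[0])
    print(sip_methods_by_source(parse_ngrep(SAMPLE)))
```

To use it on a real capture, redirect ngrep's output to a file and pass the file's contents to parse_ngrep. The per-source counter is where a defender would look first: on a SIP proxy, a burst of INVITE or REGISTER requests from a single address that is not one of your known endpoints stands out immediately, whereas the same packets scrolling past in the raw ngrep output are easy to miss.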
For this validation, create a new document according to the guidelines and include the following:
1. A screenshot of the terminal with the ssh command to the WeMobile Kamailio server, a date command and an echo with your name.
2. A packet capture of 3 SIP packets shown in a clean, byline format, with a timestamp.
http://www.unappel.ch/2/support/100722-training-employees/i/
https://github.com/jpr5/ngrep
https://linux.die.net/man/8/ngrep