Hack 34. grep Your Network

See who's doing what, with a grep for your network interface.

The ngrep utility is an interesting packet-capture tool, similar to tcpdump [Hack #33] and Ethereal [Hack #31]. It is unique in that it attempts to make it as easy as possible to match which captured packets to print, by using a grep-compatible format (complete with regular expressions and a bunch of GNU grep's switches). It also converts the packets to ASCII (or hex) before printing. The package is available from http://www.packetfactory.net/Projects/ngrep.

For example, to see the contents of all HTTP GET requests that pass through your wireless router, try this command as root:

# ngrep -q GET

If you're interested only in a particular host, protocol, or port (or other packet matching criteria), you can specify a bpf filter as well as a data pattern. It uses syntax similar to tcpdump:

# ngrep -qi rob@nocat.net port 25 T 10.42.4.7:65174 -> 209.204.146.26:25 [AP] RCPT TO:.. T 209.204.146.26:25 -> 10.42.4.7:65174 [AP] 250 2.1.5 … Recipient ok.. T 10.42.4.7:65174 -> 209.204.146.26:25 [AP] Date: Sun, 8 Sep 2002 23:55:18 -0700..Mime-Version: 1.0 (Apple Message fram ework v543)..Content-Type: text/plain; charset=US-ASCII; format=flowed..Sub ject: Greetings…..From: John Doe ..To: rob@nocat.net..Content-Transfer-En coding: 7bit..Message-Id: ..X-Mailer: Apple Mail v2)….What does t hat pgp command you mentioned do again?….Thanks,….--A Friend….

Since ngrep prints to STDOUT, you can do post-processing on the output to make a nice printing filter. If you process the output yourself, add the -l switch to make the output line buffered.

2.13.1. The Code

If you're interested in what people on the local wireless network are searching for online, try something like the Perl script in Example 2-1.

Example 2-1. go-ogle.pl uses ngrep to show you what people are searching for

#!/usr/bin/perl use Socket; $|++; open(NG,"ngrep -d en1 -lqi '(GET|POST).*/(search|find)' |"); print "Go ogle online. "; my ($go,$i) = 0; my %host = ( ); while( ) { if(/^T (d+.d+.d+.d+):d+ -> (d+.d+.d+.d+):80/) { $i = inet_aton($1); $host{$1} ||= gethostbyaddr($i, AF_INET) || $1; $i = inet_aton($2); $host{$2} ||= gethostbyaddr($i, AF_INET) || $2; print "$host{$1} -> $host{$2} : "; $go = 1; next; } if(/(q|p|query|for)=(.*)?(&|HTTP)/) { next unless $go; my $q = $2; $q =~ s/(+|&.*)/ /g; $q =~ s/%(w+)/chr(hex($1))/ge; print "$q "; $go = 0; } else { next unless $go; $go = 0; print " "; } }

 

2.13.2. Running the Hack

I call the script go-ogle.pl. This runs an ngrep looking for any GET or POST request that includes search or find somewhere in the URL. Save the code to a file called go-ogle.pl and invoke it on the command line. The results look something like this:

# perl go-ogle.pl Go ogle online. caligula.nocat.net -> www.google.com : o'reilly mac os x conference caligula.nocat.net -> s1.search.vip.scd.yahoo.com : junk mail $$$ tiberius.nocat.net -> altavista.com : babel fish caligula.nocat.net -> 166-140.amazon.com : Brazil livia.nocat.net -> 66.161.12.119 : lart

It will lazily unescape encoded strings in the query (note the ' in the Google query, and the $$$ from Yahoo!). It will also convert IP addresses to hostnames for you, because ngrep doesn't seem to have this feature, probably so it can optimize capturing for speed. The last two results are interesting: the Brazil query was actually run on http://www.imdb.com looking for a movie, and the last one was to http://www.dictionary.com. Evidently, IMDB is now in a partnership with Amazon.com, and Dictionary.com's search machine doesn't have a PTR record. It's amazing how much you can learn about the world by watching other people's packets.

Note that you must be root to run ngrep; for best results, it should be run from the router at the edge of your network or from any wireless client associated with a busy access point.

Категории