LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue57/eyler2.html

452 lines
17 KiB
HTML
Raw Permalink Blame History

<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Using ngrep LG #57</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<CENTER>
<A HREF="http://www.linuxgazette.com/">
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.jpg"
WIDTH="600" HEIGHT="124" border="0"></H1></A>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="eyler.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue57/eyler2.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="feenberg.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<P>
</CENTER>
<!--endcut ============================================================-->
<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <HR> <P>
<!--===================================================================-->
<center>
<H1><font color="maroon">Using ngrep</font></H1>
<H4>By <a href="mailto:pate@gnu.org">Pat Eyler</a></H4>
</center>
<P> <HR> <P>
<!-- END header -->
<h1><a name="AEN1">Using ngrep</a></h1>
<div class="SECTION">
<h1 class="SECTION"><a name="AEN3"></a></h1>
<div class="SECTION">
<h2 class="SECTION"><a name="AEN4">ngrep</a></h2>
<p><tt class="PARAMETER"><i>ngrep</i></tt> is a tool for watching
network traffic. It is based on the <tt class="PARAMETER"><i>
libpcap</i></tt> library, which provides packet capturing
functionality. <tt class="PARAMETER"><i>ngrep</i></tt> allows
regular expression style filters to be used to select traffic to be
displayed.</p>
<p><tt class="PARAMETER"><i>ngrep</i></tt> is the first utility
we'll discuss that doesn't ship on most linux systems. We'll talk
about how to get and install it, how to start it up and use it, and
more advanced use.</p>
<div class="SECTION">
<h3 class="SECTION"><a name="AEN12">Getting &amp; Installing
ngrep</a></h3>
<p>Source code for ngrep is available from
<A HREF="http://www.packetfactory.net/Projects/ngrep/">http://www.packetfactory.net/Projects/ngrep/</A> as are some binary
packages. I'll review installing the source, as the binary packages
are fairly straight forward.</p>
<p>On a Redhat 6.2 system, you'll need to install libpcap before
you can install ngrep. This package is available from
<A HREF="http://www.tcpdump.org/release">http://www.tcpdump.org/release</A>. As of this writing, the most recent
version is libpcap-0.5.2.tar.gz. Once this is downloaded, I put
things like this into /usr/local/src, you should do the
following:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<tt class="PROMPT">$</tt> <tt class=
"USERINPUT"><b>tar xvzf libpcap-0.5.2.tar.gz</b></tt>
<tt class="PROMPT">$</tt> <tt class=
"USERINPUT"><b>cd libpcap_0_5rel2</b></tt>
<tt class="PROMPT">$</tt> <tt class=
"USERINPUT"><b>./configure</b></tt>
<tt class="PROMPT">$</tt> <tt class="USERINPUT"><b>make</b></tt>
<tt class="PROMPT">$</tt> <tt class="USERINPUT"><b>su</b></tt>
<tt class="PROMPT">Password:</tt> <tt class=
"USERINPUT"><b>********</b></tt>
<tt class="PROMPT">#</tt> <tt class=
"USERINPUT"><b>make install-incl</b></tt>
<tt class="PROMPT">#</tt> <tt class=
"USERINPUT"><b>make install-man</b></tt>
<tt class="PROMPT">#</tt> <tt class="USERINPUT"><b>exit</b></tt>
</pre>
</td>
</tr>
</table>
<br>
<br>
<p>Your next step is to build ngrep itself. ngrep source can be
downloaded from <A HREF="http://www.packetfactory.net/Projects/ngrep">http://www.packetfactory.net/Projects/ngrep</A>. After
downloading it, do the following:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<tt class="PROMPT">$</tt> <tt class=
"USERINPUT"><b>tar xzvf ngrep-1.38.tar.gz</b></tt>
<tt class="PROMPT">$</tt> <tt class=
"USERINPUT"><b>cd ngrep</b></tt>
<tt class="PROMPT">$</tt> <tt class=
"USERINPUT"><b>./configure</b></tt>
<tt class="PROMPT">$</tt> <tt class="USERINPUT"><b>make</b></tt>
<tt class="PROMPT">$</tt> <tt class="USERINPUT"><b>su</b></tt>
<tt class="PROMPT">Password:</tt> <tt class=
"USERINPUT"><b>********</b></tt>
<tt class="PROMPT">#</tt> <tt class=
"USERINPUT"><b>make install</b></tt>
<tt class="PROMPT">#</tt> <tt class="USERINPUT"><b>exit</b></tt>
</pre>
</td>
</tr>
</table>
<br>
<br>
<p>Congratulations, at this point you should have a working copy of
ngrep installed on your system.</p>
</div>
<div class="SECTION">
<h3 class="SECTION"><a name="AEN54">Using ngrep</a></h3>
<p>To start using ngrep you'll need to decide what pattern you want
to search for. These can be either libpcap style descriptions of
network traffic or GNU grep style regular expressions describing
the contents of traffic. In the following example, we'll grab any
packet containing the pattern <span class="QUOTE">"ssword"</span> and
display it in the alternative format (which I think is a lot more
readable):</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<tt class="PROMPT">[root@cherry /root]#</tt> <tt class=
"USERINPUT"><b>ngrep -x ssword</b></tt>
<tt class="PROMPT">interface: eth0 (192.168.1.0/255.255.255.0)</tt>
<tt class="PROMPT">match: ssword</tt>
<tt class="PROMPT">################################</tt>
<tt class=
"PROMPT">T 192.168.1.20:23 -&gt; 192.168.1.10:1056 [AP]</tt>
<tt class=
"PROMPT"> 50 61 73 73 77 6f 72 64 3a 20 Password:</tt>
<tt class="PROMPT">#########################exit</tt>
<tt class="PROMPT">59 received, 0 dropped</tt>
<tt class="PROMPT">[root@cherry /root]# </tt>
</pre>
</td>
</tr>
</table>
<br>
<br>
<p>Each of the hash marks in the above example represent a packet
not containing the pattern we're searching for, any packets
containing the pattern are displayed.</p>
<p>In this example we followed the basic syntax of ngrep &ndash;
<tt class="PARAMETER"><i>ngrep &lt;options&gt; [pattern]</i></tt>.
We used only the <tt class="PARAMETER"><i>-x</i></tt> option, which
sets the alternative display format.</p>
</div>
<div class="SECTION">
<h3 class="SECTION"><a name="AEN73">Doing More with ngrep</a></h3>
<p>There are a number of additional twists to the way that you can
use ngrep. Chief among them is the ability to include libpcap style
packet filtering. libpcap provides a fairly simple language for
filtering traffic.</p>
<p>Filters are written by combining <i class="EMPHASIS">
primitives</i> with conjunctions (<tt class=
"PARAMETER"><i>and</i></tt> and <tt class="PARAMETER"><i>
or</i></tt>). Primitives can be preceeded with the term <tt class=
"PARAMETER"><i>not</i></tt>.</p>
<p>Primitives are normally formed with an id (which can be numeric
or a symbolic name followed by one or more qualifiers. There are
three kinds of qualifiers; type, direction, and protocol.</p>
<p>Type qualifiers describe what the id refers to. Allowed options
are <tt class="PARAMETER"><i>host</i></tt>, <tt class="PARAMETER">
<i>net</i></tt>, and <tt class="PARAMETER"><i>port</i></tt>. If not
type is given, the primitive defaults to <tt class="PARAMETER"><i>
host</i></tt>. Examples of type primitives are; <tt class=
"PARAMETER"><i>host crashtestdummy</i></tt>, <tt class="PARAMETER">
<i>net 192.168.2</i></tt>, or <tt class="PARAMETER"><i>port
80</i></tt></p>
<p>Directional qualifiers indicate which direction traffic is
flowing in. Allowable qualifiers are <tt class="PARAMETER"><i>
src</i></tt> and/or <tt class="PARAMETER"><i>dst</i></tt>. Examples
of direction primitives are: <tt class="PARAMETER"><i>src
cherry</i></tt>, <tt class="PARAMETER"><i>dst mango</i></tt>, <tt
class="PARAMETER"><i> src or dst port http</i></tt>. This last
example shows two qualifiers being used with a single id.</p>
<p>Protocol qualifiers limit the captured packets to those of a
single protocol. In the absence of a protocol qualifier, all ip
packets are captured (subject to other filtering rules). Protocols
which can be fileter are <tt class="PARAMETER"><i>tcp</i></tt>, <tt
class="PARAMETER"><i>udp</i></tt>, and <tt class="PARAMETER"><i>
icmp</i></tt>. You might use a protocol qualifier like <tt class=
"PARAMETER"><i>icmp</i></tt>, or <tt class="PARAMETER"><i>tcp dst
port telnet</i></tt>.</p>
<p>Primitives can be negated and combined to develop more complex
filters. If you wanted to see all traffic to rose except telnet and
ftp-data, you could use the following filter <tt class="PARAMETER">
<i>host dst rose and not port telnet and not port
ftp-data</i></tt>.</p>
<p>There are some command line switches that are worth noting as
well. The following table shows the command line switches likely to
be of the most use. As usual, check the man page for more
detail.</p>
<div class="TABLE">
<p><b>Table 1. Command Line Switches for ngrep</b></p>
<table border="1" bgcolor="#E0E0E0" cellspacing="0" cellpadding="4"
class="CALSTABLE">
<thead>
<tr>
<th align="LEFT" valign="TOP"><tt class="PARAMETER"><i>
-e</i></tt></th>
<th align="LEFT" valign="TOP">Show empty packets.</th>
</tr>
</thead>
<tbody>
<tr>
<td align="LEFT" valign="TOP"><tt class="PARAMETER"><i>-n
[num]</i></tt></td>
<td align="LEFT" valign="TOP">Match num packets, then exit.</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><tt class="PARAMETER"><i>-i
[expression]</i></tt></td>
<td align="LEFT" valign="TOP">Search for the regular expression
without regard to case.</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><tt class="PARAMETER"><i>-v
[expression]</i></tt></td>
<td align="LEFT" valign="TOP">Search for packets not containing the
regular expression.</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><tt class="PARAMETER"><i>
-t</i></tt></td>
<td align="LEFT" valign="TOP">Print a YYYY/MM/DD HH:MM:SS.UUUUUU
timestamp on each matched packet.</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><tt class="PARAMETER"><i>
-T</i></tt></td>
<td align="LEFT" valign="TOP">display a +S.UUUUUU timestamp on each
matched packet.</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><tt class="PARAMETER"><i>
-x</i></tt></td>
<td align="LEFT" valign="TOP">Show the packets in the alternate hex
and ascii style.</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><tt class="PARAMETER"><i>-I
[filename]</i></tt></td>
<td align="LEFT" valign="TOP">Read from a pcap style dump named
filename instead of live traffic.</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><tt class="PARAMETER"><i>-O
filename</i></tt></td>
<td align="LEFT" valign="TOP">Write output to a pcap style file
named filename.</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><tt class="PARAMETER"><i>
-D</i></tt></td>
<td align="LEFT" valign="TOP">Mimic realtime by printing matched
packets at their recorded timestamp.</td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
</div>
<div class="SECTION">
<h3 class="SECTION"><a name="AEN150">Wrapping up ngrep</a></h3>
<p>Using <tt class="PARAMETER"><i>ngrep</i></tt> can help you
quickly match and display packets during your troubleshooting. If
you've got an application level problem, <tt class="PARAMETER"><i>
ngrep</i></tt> can help you isolate the problem.</p>
<p>For example, if I was trying to make a connection from cherry
(192.168.1.10) to cuke (192.168.2.10) and the connection was
failing, I might troubleshoot the problem like this:</p>
<blockquote class="BLOCKQUOTE">
<p>Describe the symptoms: Cherry can not make a connection to hosts
on remote network, but can connect to hosts on other networks.
Other hosts on cherry's network can connect to hosts on the remote
network.</p>
<p>Understand the environment: The hosts involved are cherry,
rhubard (the gateway to the remote network), and cuke.</p>
<p>List hypotheses: My problems might be a misconfiguration of
cherry, or of an intervening router.</p>
<p>Prioritize hypothesis &amp; narrow focus: Because cuke seems to
be the only host affected, we'll start looking there. If we can't
solve the problem on cuke, we'll move to rhubarb.</p>
<p>Create a plan of attack: I can try to ping cuke from cherry
while <tt class="PARAMETER"><i>ngrep</i></tt>ing for traffic like
this, <tt class="PARAMETER"><i>ngrep host cherry</i></tt> to see
what traffic I am sending.</p>
<p>Act on your plan: As we start pinging cuke, we see the following
results in our <tt class="PARAMETER"><i>ngrep</i></tt> session:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<tt class="PROMPT">[root@cherry /root]#</tt> <tt class=
"USERINPUT"><b>ngrep -e -x host 192.168.1.10</b></tt>
<tt class="PROMPT">interface: eth0 (192.168.1.0/255.255.255.0)
filter: ip and ( host 192.168.1.10 )
#
I 192.168.1.10 -&gt; 192.168.2.10 8:0
eb 07 00 00 31 86 a7 39 5e cd 0e 00 08 09 0a 0b ....1..9^.......
0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b ................
1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b .... !"#$%&amp;'()*+
2c 2d 2e 2f 30 31 32 33 34 35 36 37 ,-./01234567
#
I 192.168.1.1 -&gt; 192.168.1.10 5:1
c0 a8 01 0b 45 00 00 54 25 f2 00 00 40 01 d0 52 ....E..T%...@..R
c0 a8 01 0a c0 a8 02 0a 08 00 dc 67 eb 07 00 00 ...........g....
31 86 a7 39 5e cd 0e 00 08 09 0a 0b 0c 0d 0e 0f 1..9^...........
10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&amp;'()*+,-./
30 31 32 33 34 35 36 37 b4 04 01 00 06 00 00 00 01234567........
00 10 00 00 01 00 00 00 e8 40 00 00 .........@..
exit
2 received, 0 dropped
[root@cherry /root]# </tt>
</pre>
</td>
</tr>
</table>
This shows two packets. The first is an ICMP packet of Type 8 and
Code 0, a ping request. It is destined for cuke. The second is and
ICMP packet of Type 5 and Code 1 and ICMP Redirect. This is coming
from Mango, the gateway to the rest of the world.<br>
<br>
<p>Test your results: We didn't expect to see mango involved at
all, if we look at the ICMP Redirects being sent (using the <tt
class="PARAMETER"><i>-v</i></tt> switch), we can see that we're
being redirected to the 192.168.1.11 address, not rhubarb.</p>
<p>Apply results of test to hypothesis: If we're not sending our
traffic to the right gateway it will never get to the right place.
We should be able to solve this by adding a route to the
192.168.2.0/24 network on cherry (a quick check of working hosts
shows that this is the way they're configured). We'll probably want
to fix the bad route on mango as well.</p>
<p>Iterate as needed: Once we've made the change and tested it, we
know that it works and don't need to go any further.</p>
</blockquote>
</div>
</div>
<div class="SECTION">
<h2 class="SECTION"><a name="AEN174">Author and License</a></h2>
<p>This document is a draft release of a section from a book called
"Networking Linux: A Practical Guide to TCP/IP" being published by
New Riders Publishing. This section is released under the OPL with
no further terms, the Free Software Foundation has agreed that this
constitutes a Free license. (Please see
<A HREF="http://www.opencontent.org">www.opencontent.org</A> and
<A HREF="http://www.gnu.org">www.gnu.org</A> for more information).</p>
<p>Because this document is a draft, there are likely errors,
typos, and the like. If you see anything that you think should be
changed, please let me know. I can be reached at
<A HREF="mailto:pate@gnu.org">pate@gnu.org</A>.</p>
</div>
</div>
</div>
<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P -->
<H5 ALIGN=center>
Copyright &copy; 2000, Pat Eyler<BR>
Published in Issue 57 of <i>Linux Gazette</i>, September 2000</H5>
<!-- *** END copyright *** -->
<!--startcut ==========================================================-->
<HR><P>
<CENTER>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="eyler.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue57/eyler2.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="feenberg.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->
Reference in New Issue View Git Blame Copy Permalink