Ngrep

Using Ngrep for PCAP Data Analysis in an Investigation

Ngrep (Network Grep) is a versatile tool for searching network traffic within PCAP files, offering regex-based filtering and human-readable output. Its simplicity and focus on payload data make it a valuable resource for quick and targeted forensic investigations.

Key advantages include:

  1. Payload-Focused Analysis:

    • Unlike many tools that emphasise protocol metadata, Ngrep highlights the content of packet payloads, making it ideal for detecting keywords, patterns, or sensitive information like credentials in network traffic.

  2. Regex-Based Filtering:

    • Ngrep's powerful regex capabilities allow investigators to define complex search patterns, such as specific URLs, authentication attempts, or indicators of compromise (IoCs).

  3. Protocol Flexibility:

    • Ngrep supports various protocols, including HTTP, FTP, DNS, and SMB, enabling analysts to filter traffic by protocol type or port.

  4. Rapid Identification:

    • Its straightforward syntax and immediate output make it a quick and effective tool for identifying malicious activity, such as data exfiltration, command-and-control communication, or malware payloads.

  5. Readable Output:

    • Ngrep presents packets in a human-readable format, simplifying the process of reviewing traffic and interpreting results.

  6. Complementary Tool:

    • While not as feature-rich as Wireshark or TShark, Ngrep excels in targeted searches, making it a complementary tool for specific forensic tasks.

  7. Export Capability:

    • Ngrep can filter and save matching traffic into new PCAP files, which can then be analysed further with other tools.

By focusing on payload visibility and providing regex-based filtering, Ngrep is an invaluable tool for forensic investigators seeking to uncover specific evidence within large PCAP datasets quickly. Its lightweight and targeted approach complements broader network analysis workflows.

Below are some ngrep queries for network forensics investigations, along with an explanation of each.


1. View All Packets in a PCAP

  • Explanation: Displays all packets in the .pcap file. This provides an initial overview of the captured traffic.


2. Filter by IP Address

  • Explanation: Filters traffic to or from a specific IP address (192.168.1.10). Useful for isolating traffic related to a potentially compromised host.


3. Search for Specific Strings

  • HTTP:

  • Sensitive Keywords:

  • Explanation: Searches for specific strings (e.g., GET, POST, password, or admin) in the payloads of network traffic. Helps detect sensitive data leaks or malicious activity.


4. Inspect DNS Traffic

  • Explanation: Filters DNS traffic for queries or responses containing a specific domain (example.com). Use this to detect suspicious or malicious domain lookups.


5. Capture HTTP Traffic

  • Explanation: Captures HTTP traffic and formats the output line-by-line. Useful for analysing web requests and responses.


6. Monitor FTP Traffic

  • Explanation: Monitors FTP traffic for USER and PASS commands to detect plaintext credentials.


7. Detect ICMP Tunneling

  • Explanation: Searches for ICMP packets with specific payloads (e.g., containing "data"). Helps detect potential tunneling activities.


8. Search for Malicious Payloads

  • Explanation: Searches for known malicious payloads (e.g., signatures or specific strings) in any protocol.


9. Filter HTTPS Traffic

  • Explanation: Captures HTTPS traffic. Since payloads are encrypted, focus on metadata like IPs and packet patterns to detect anomalies.


10. Inspect SMB Traffic

  • Explanation: Captures SMB traffic, potentially showing file operations or suspicious activity like ransomware encrypting files over SMB.


11. Detect Command-and-Control (C2) Traffic

  • HTTP-Based C2:

  • DNS-Based C2:

  • Explanation: Focuses on potential C2 communication over HTTP or DNS, searching for specific patterns or domains associated with malware.


12. Filter by Port

  • HTTP:

  • FTP:

  • Explanation: Captures all traffic on a specific port, allowing protocol-specific analysis.


13. Detect Large File Transfers

  • Explanation: Captures large packets, which may indicate file transfers or potential data exfiltration.


14. Search for Base64-Encoded Payloads

  • Explanation: Identifies base64-encoded strings, often used in exfiltration or malware communication.
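A regex alone flags any long run of base64-alphabet characters, which also describes hex digests, session identifiers and fragments of minified scripts, so a raw ngrep hit list for this query needs a second pass. The Python below is an added example (not from this page and not ngrep's code) that runs the regex-only check next to a decode-and-verify pass over constructed HTTP payloads; the header names, tokens and the printable-ratio threshold are all invented for the demonstration.

```python
"""Added example (not from the original page, not ngrep's code): the regex-only way of
spotting base64 runs that an ngrep search uses, next to a decode-and-verify pass that
drops alphabet-only look-alikes such as hex digests."""
import base64
import binascii
import re

# A run of 20+ base64-alphabet characters not glued to further alphabet characters,
# with optional '=' padding. This is what a plain payload regex can express.
B64_RUN = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])")


def regex_hits(payload):
    """What a regex-only search flags: every candidate run, decodable or not."""
    return [m.group(0) for m in B64_RUN.finditer(payload)]


def printable_ratio(data):
    """Share of bytes that are printable ASCII or tab/LF/CR."""
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / max(len(data), 1)


def verified_hits(payload, min_printable=0.8):
    """Keep only runs that decode cleanly and whose plaintext is mostly printable.
    Returns (token, decoded) pairs. Threshold 0.8 is an assumption for the demo."""
    out = []
    for token in regex_hits(payload):
        padded = token + b"=" * (-len(token) % 4)   # tolerate unpadded base64
        try:
            decoded = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue
        if printable_ratio(decoded) >= min_printable:
            out.append((token, decoded))
    return out


# Constructed payloads (not real traffic): a Basic-auth header, a hex trace id that is a
# false positive for the regex, and an unpadded base64 form field in a beacon body.
SAMPLES = [
    b"GET /api HTTP/1.1\r\nAuthorization: Basic YWxpY2U6V2ludGVyMjAyNCE=\r\n\r\n",
    b"GET /static/app.js HTTP/1.1\r\nX-Trace: 3f9a1c2b4d5e6f7a8b9c0d1e2f3a4b5c\r\n\r\n",
    b"POST /beacon HTTP/1.1\r\n\r\nd=aG9zdG5hbWU9d3MwMTt1c2VyPWpkb2U",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(len(regex_hits(s)), "regex hit(s); verified:", [d for _, d in verified_hits(s)])
```

The hex trace id decodes without error (every hex digit is in the base64 alphabet and 32 is a multiple of 4), which is why a decode attempt alone is not enough; the printable check is what removes it. Tune the threshold down when the expected plaintext is binary, and treat a hit as a lead for the surrounding flow rather than as proof of exfiltration.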


15. Track Ransomware Activity

  • SMB-Based:

  • DNS-Based:

  • Explanation: Monitors specific behaviours (e.g., SMB or DNS activity) associated with ransomware operations.


16. Extract Email Communication

  • Explanation: Captures SMTP traffic to detect potentially malicious emails or data exfiltration via email.


17. Analyse Tor Traffic

  • Explanation: Captures traffic to Tor entry nodes, which may indicate anonymised communication by malware or ransomware.


18. Export Specific Packets to a New PCAP

  • Explanation: Saves packets matching a query (e.g., DNS requests for example.com) to a new .pcap file for further analysis.
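Items 1 to 7, 9, 12 and 18 above all reduce to one mechanism: a BPF pre-filter on host, port or protocol, then a regex over the application payload, optionally with the matching packets written to a new capture (ngrep's -I reads the file, -i ignores case, -W byline reformats the output and -O writes the matches). The Python below is an added example, not ngrep's own code and not from this page; it re-implements that pipeline over a capture constructed inline (fabricated frames, transport-layer checksums left zero) so the reader can see exactly what each of those options operates on. The frame layout, field names and sample addresses are assumptions made for the demonstration.

```python
"""Added example (not ngrep's code and not from the original page): a small Python
re-implementation of what `ngrep -I in.pcap [-i] [-O out.pcap] <regex> <bpf>` does,
run against a capture constructed inline: parse a libpcap file, decode
Ethernet/IPv4/TCP|UDP|ICMP, apply a host/port/proto pre-filter, regex-match the
application payload, and collect the matching frames as a new capture."""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap with microsecond timestamps

def pcap_global_header():
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)

def ipv4_checksum(hdr):
    total = sum((hdr[i] << 8) + hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src, dst, proto, sport, dport, payload):
    """Constructed test frame: Ethernet/IPv4 plus TCP(6), UDP(17) or ICMP(1); L4 checksums zero."""
    if proto == 6:    # 20-byte TCP header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:             # ICMP echo request, id 1, seq 1
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    addrs = [bytes(int(o) for o in a.split(".")) for a in (src, dst)]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0, *addrs)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload

def parse_pcap(blob):
    """Yield (16-byte record header, frame) for every packet in a pcap blob."""
    if struct.unpack_from("<I", blob)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(blob):
        rec = blob[off:off + 16]
        incl_len = struct.unpack("<IIII", rec)[2]
        yield rec, blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def decode(frame):
    """Fields a host/port/proto filter needs plus the L4 payload; None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    proto, l4 = frame[23], frame[14 + (frame[14] & 0x0F) * 4:]
    pkt = {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
           "proto": proto, "sport": None, "dport": None}
    if proto in (6, 17):
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    # TCP: skip the header by its data offset; UDP and ICMP: fixed 8-byte header
    pkt["payload"] = l4[(l4[12] >> 4) * 4:] if proto == 6 else l4[8:]
    return pkt

def pcap_grep(blob, pattern, host=None, port=None, proto=None, ignore_case=False):
    """ngrep-style search: BPF-like pre-filter, then a regex over the raw payload bytes.
    Returns (matching packets, a new pcap blob holding only those frames), i.e. what -O writes."""
    rx = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    matches, out = [], bytearray(pcap_global_header())
    for rec, frame in parse_pcap(blob):
        pkt = decode(frame)
        if pkt is None or (host and host not in (pkt["src"], pkt["dst"])):
            continue
        if (port and port not in (pkt["sport"], pkt["dport"])) or (proto and pkt["proto"] != proto):
            continue
        if rx.search(pkt["payload"]):   # an empty pattern matches everything, like '' in ngrep
            matches.append(pkt)
            out += rec + frame
    return matches, bytes(out)

def byline(payload):
    """Approximate -W byline: printable ASCII kept, LF breaks the line, CR dropped, rest shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 or b == 10 else "." for b in payload if b != 13)

# Constructed sample capture (not real traffic): an HTTP login POST, a DNS query for example.com,
# an FTP USER/PASS exchange, a TLS-looking record on 443 and an ICMP echo carrying text.
_FRAMES = [
    build_frame("192.168.1.10", "203.0.113.5", 6, 51000, 80,
                b"POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=admin&password=Winter2024!"),
    build_frame("192.168.1.10", "192.168.1.1", 17, 50000, 53,
                b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
    build_frame("192.168.1.22", "203.0.113.9", 6, 51001, 21, b"USER alice\r\n"),
    build_frame("192.168.1.22", "203.0.113.9", 6, 51001, 21, b"PASS hunter2\r\n"),
    build_frame("192.168.1.10", "203.0.113.5", 6, 51002, 443, b"\x16\x03\x01\x00\x50" + bytes(range(80))),
    build_frame("192.168.1.30", "198.51.100.7", 1, 0, 0, b"data:" + b"A" * 40),
]
SAMPLE_PCAP = pcap_global_header() + b"".join(
    struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f for i, f in enumerate(_FRAMES))

if __name__ == "__main__":   # the equivalent of: ngrep -I sample.pcap -i -W byline 'password|PASS'
    for p in pcap_grep(SAMPLE_PCAP, "password|PASS", ignore_case=True)[0]:
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}\n{byline(p['payload'])}")
```

Two details worth noticing when running it. The DNS case matches the regex `example.com` because the name on the wire is `\x07example\x03com` and the unescaped `.` matches the label-length byte; an escaped `example\.com` finds nothing in DNS traffic, which is easy to get wrong when copying a pattern from an HTTP search. The port-443 frame shows why the HTTPS item falls back to metadata: after the TLS record header the payload is opaque, so a host or port pre-filter with an empty pattern is all the regex layer can usefully do there.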


19. Detect Unusual Login Attempts

  • Explanation: Searches for keywords like login, auth, or failed in SSH traffic to detect brute-force attempts or suspicious logins.


20. Track Abnormal Traffic Patterns

  • Explanation: Monitors traffic on a specific port range to identify unusual patterns or suspicious activities.


Notes:

  • Replace placeholders like "example.com" or "malicious_string" with investigation-specific keywords or IoCs.

  • Combine with regex for advanced pattern matching.

  • Use -W byline for easier readability in multi-line traffic payloads.

ngrep is a lightweight and effective tool for quick, targeted network traffic searches, complementing more comprehensive tools like Wireshark or TShark in forensic investigations.
