
Ngrep
Using Ngrep for PCAP Data Analysis in an Investigation
Ngrep (Network Grep) is a versatile tool for searching network traffic within PCAP files, offering regex-based filtering and a human-readable output. Its simplicity and focus on payload data make it a valuable resource for quick and targeted forensic investigations.
Key advantages include:
Payload-Focused Analysis:
Unlike many tools that emphasise protocol metadata, Ngrep highlights the content of packet payloads, making it ideal for detecting keywords, patterns, or sensitive information like credentials in network traffic.
Regex-Based Filtering:
Ngrep's powerful regex capabilities allow investigators to define complex search patterns, such as specific URLs, authentication attempts, or indicators of compromise (IoCs).
Protocol Flexibility:
Ngrep supports various protocols, including HTTP, FTP, DNS, and SMB, enabling analysts to filter traffic by protocol type or port.
Rapid Identification:
Its straightforward syntax and immediate output make it a quick and effective tool for identifying malicious activity, such as data exfiltration, command-and-control communication, or malware payloads.
Readable Output:
Ngrep presents packets in a human-readable format, simplifying the process of reviewing traffic and interpreting results.
Complementary Tool:
While not as feature-rich as Wireshark or TShark, Ngrep excels in targeted searches, making it a complementary tool for specific forensic tasks.
Export Capability:
Ngrep can filter and save matching traffic into new PCAP files, which can then be analysed further with other tools.
By focusing on payload visibility and providing regex-based filtering, Ngrep is an invaluable tool for forensic investigators seeking to uncover specific evidence within large PCAP datasets quickly. Its lightweight and targeted approach complements broader network analysis workflows.
Below are some ngrep
queries for network forensics investigations along with an explanation of each query.
1. View All Packets in a PCAP
ngrep -I sample.pcap
Explanation: Displays all packets in the
.pcap
file. This provides an initial overview of the captured traffic.
2. Filter by IP Address
ngrep -I sample.pcap host 192.168.1.10
Explanation: Filters traffic to or from a specific IP address (
192.168.1.10
). Useful for isolating traffic related to a potentially compromised host.
3. Search for Specific Strings
HTTP:
ngrep -I sample.pcap -q "GET|POST" tcp port 80
Sensitive Keywords:
ngrep -I sample.pcap "password|admin" any
Explanation: Searches for specific strings (e.g.,
GET
,POST
,password
, oradmin
) in the payloads of network traffic. Helps detect sensitive data leaks or malicious activity.
4. Inspect DNS Traffic
ngrep -I sample.pcap -q "example.com" udp port 53
Explanation: Filters DNS traffic for queries or responses containing a specific domain (
example.com
). Use this to detect suspicious or malicious domain lookups.
5. Capture HTTP Traffic
ngrep -I sample.pcap -W byline tcp port 80
Explanation: Captures HTTP traffic and formats the output line-by-line. Useful for analysing web requests and responses.
6. Monitor FTP Traffic
ngrep -I sample.pcap "USER|PASS" tcp port 21
Explanation: Monitors FTP traffic for
USER
andPASS
commands to detect plaintext credentials.
7. Detect ICMP Tunneling
ngrep -I sample.pcap "data" icmp
Explanation: Searches for ICMP packets with specific payloads (e.g., containing "data"). Helps detect potential tunneling activities.
8. Search for Malicious Payloads
ngrep -I sample.pcap -q "malicious_string" any
Explanation: Searches for known malicious payloads (e.g., signatures or specific strings) in any protocol.
9. Filter HTTPS Traffic
ngrep -I sample.pcap "" tcp port 443
Explanation: Captures HTTPS traffic. Since payloads are encrypted, focus on metadata like IPs and packet patterns to detect anomalies.
10. Inspect SMB Traffic
ngrep -I sample.pcap -W byline tcp port 445
Explanation: Captures SMB traffic, potentially showing file operations or suspicious activity like ransomware encrypting files over SMB.
11. Detect Command-and-Control (C2) Traffic
HTTP-Based C2:
ngrep -I sample.pcap -q "GET|POST" tcp port 80
DNS-Based C2:
ngrep -I sample.pcap -q "malicious.domain" udp port 53
Explanation: Focuses on potential C2 communication over HTTP or DNS, searching for specific patterns or domains associated with malware.
12. Filter by Port
HTTP:
ngrep -I sample.pcap "" tcp port 80
FTP:
ngrep -I sample.pcap "" tcp port 21
Explanation: Captures all traffic on a specific port, allowing protocol-specific analysis.
13. Detect Large File Transfers
ngrep -I sample.pcap "" tcp and greater 1500
Explanation: Captures large packets, which may indicate file transfers or potential data exfiltration.
14. Search for Base64-Encoded Payloads
ngrep -I sample.pcap "[A-Za-z0-9+/=]{40,}" any
Explanation: Identifies base64-encoded strings, often used in exfiltration or malware communication.
15. Track Ransomware Activity
SMB-Based:
ngrep -I sample.pcap -q "smb2" tcp port 445
DNS-Based:
ngrep -I sample.pcap "ransomnote.domain" udp port 53
Explanation: Monitors specific behaviours (e.g., SMB or DNS activity) associated with ransomware operations.
16. Extract Email Communication
ngrep -I sample.pcap -W byline tcp port 25
Explanation: Captures SMTP traffic to detect potentially malicious emails or data exfiltration via email.
17. Analyse Tor Traffic
ngrep -I sample.pcap "" tcp port 9001
Explanation: Captures traffic to Tor entry nodes, which may indicate anonymised communication by malware or ransomware.
18. Export Specific Packets to a New PCAP
ngrep -O filtered.pcap "example.com" udp port 53
Explanation: Saves packets matching a query (e.g., DNS requests for
example.com
) to a new.pcap
file for further analysis.
19. Detect Unusual Login Attempts
ngrep -I sample.pcap "login|auth|failed" tcp port 22
Explanation: Searches for keywords like
login
,auth
, orfailed
in SSH traffic to detect brute-force attempts or suspicious logins.
20. Track Abnormal Traffic Patterns
ngrep -I sample.pcap "" udp and portrange 1000-2000
Explanation: Monitors traffic on a specific port range to identify unusual patterns or suspicious activities.
Notes:
Replace placeholders like
"example.com"
or"malicious_string"
with investigation-specific keywords or IoCs.Combine with regex for advanced pattern matching.
Use
-W byline
for easier readability in multi-line traffic payloads.
ngrep
is a lightweight and effective tool for quick, targeted network traffic searches, complementing more comprehensive tools like Wireshark or TShark in forensic investigations.
Last updated