Using ngrep (with examples)
Capture traffic of all interfaces
ngrep -d any
Motivation: Capturing traffic of all interfaces is useful in scenarios where you want to monitor network activity across different network connections, such as Ethernet, Wi-Fi, or loopback.
Explanation:
The -d flag specifies the interface(s) to capture traffic from. In this case, any is used to capture traffic from all interfaces. any is a pseudo-interface that libpcap provides on Linux; on other platforms you have to name a real interface.
Example Output:
interface: eth0 (192.168.1.10/255.255.255.0)
Capture traffic of a specific interface
ngrep -d eth0
Motivation: When troubleshooting network issues, it is often necessary to capture and analyze network traffic from a specific interface. By capturing traffic from a specific interface, you can focus on monitoring and analyzing the network traffic on that specific connection.
Explanation:
The -d flag specifies the interface(s) to capture traffic from. In this case, eth0 is used to capture traffic from the interface with the name eth0.
Example Output:
interface: eth0 (192.168.1.10/255.255.255.0)
Capture traffic crossing port 22 of interface eth0
ngrep -d eth0 port 22
Motivation: In scenarios where you want to monitor SSH connections on a specific interface, capturing traffic crossing a specific port can be helpful. By only capturing traffic on port 22 (SSH), you can focus on SSH-related network activity.
Explanation:
The -d flag specifies the interface(s) to capture traffic from. In this case, eth0 is used to capture traffic from the interface with the name eth0. The port keyword is followed by the port number (22 in this case) to filter for traffic crossing that specific port. port 22 is a BPF filter expression, the same syntax tcpdump uses, so packets are selected by port before ngrep looks at their payload.
Example Output:
T 192.168.1.20:1234 -> 192.168.1.10:22 [AP]
Capture traffic from or to a host
ngrep host www.example.com
Motivation: Monitoring traffic to or from a specific host is useful for analyzing network communication with a particular server or service. By capturing traffic involving a specific host, you can observe the network activity related to that host.
Explanation:
The host keyword is followed by the hostname or IP address of the desired host. In this case, www.example.com is used to capture traffic involving that particular host. host is a BPF filter primitive; a hostname is resolved to an address once, when the filter is compiled, so traffic to another address for the same name is not captured.
Example Output:
T 192.168.1.10:1234 -> 93.184.216.34:80 [S]
Filter keyword ‘User-Agent:’ of interface eth0
ngrep -d eth0 'User-Agent:'
Motivation: Filtering traffic based on specific keywords or patterns allows you to focus on specific types of network traffic. By filtering for a specific keyword, such as ‘User-Agent:’, you can analyze network activity related to the user agent string in HTTP requests.
Explanation:
The -d flag specifies the interface(s) to capture traffic from. In this case, eth0 is used to capture traffic from the interface with the name eth0. 'User-Agent:' is the match expression: a regular expression that ngrep searches for in each packet's payload, printing only the packets that contain it. The single quotes keep the shell from interpreting characters in the pattern.
Example Output:
T 192.168.1.20:1234 -> 192.168.1.10:80 [AP]
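The User-Agent matches above become more useful once they are tallied per client, for example to spot scripted clients talking to a server. The following script is an added example, not part of ngrep: it parses what ngrep -q -W byline -d eth0 'User-Agent:' port 80 is assumed to print (a header line per packet, then the payload one line at a time, with the CR of each CRLF rendered as a dot) and counts the User-Agent strings seen per source address. The sample input is constructed.

```python
import re
from collections import Counter, defaultdict

# ngrep packet header: protocol letter, "src:port -> dst:port", then TCP flags in brackets.
HEADER_RE = re.compile(
    r"^(?P<proto>[TUI]) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+)(?: \[(?P<flags>[A-Z]*)\])?"
)
# With -W byline the CR of each CRLF is printed as a dot, so strip one trailing dot.
UA_RE = re.compile(r"^User-Agent:\s*(?P<ua>.*?)\.?$", re.IGNORECASE)

def parse_packets(text):
    """Yield (header fields, payload lines) for each packet in ngrep -q -W byline output."""
    header, payload = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                yield header, payload
            header, payload = m.groupdict(), []
        elif header is not None and line.strip():
            payload.append(line)
    if header is not None:
        yield header, payload

def user_agents_by_host(text):
    """Map each source IP to the User-Agent strings it sent and how often."""
    seen = defaultdict(Counter)
    for hdr, payload in parse_packets(text):
        for line in payload:
            m = UA_RE.match(line)
            if m:
                seen[hdr["src"]][m.group("ua")] += 1
    return {host: dict(agents) for host, agents in seen.items()}

# Constructed sample of ngrep output (assumed -q -W byline format), not a real capture.
SAMPLE = """\
T 192.168.1.20:1234 -> 192.168.1.10:80 [AP]
GET / HTTP/1.1.
User-Agent: curl/8.4.0.
.
T 192.168.1.21:4321 -> 192.168.1.10:80 [AP]
GET /admin HTTP/1.1.
User-Agent: python-requests/2.31.0.
.
T 192.168.1.20:1235 -> 192.168.1.10:80 [AP]
GET /index.html HTTP/1.1.
User-Agent: curl/8.4.0.
.
"""
```

Pipe live ngrep output into a file and pass its contents to user_agents_by_host; the header regex expects no timestamp, so leave out -t or extend HEADER_RE.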