Initial revision

jpr5 committed Sep 4, 2000
0 parents commit eaf581b6edfa2fcb750af3e9ba60cb96783ab6df
Showing with 11,572 additions and 0 deletions.
  1. +16 −0 BUGS
  2. +76 −0 CHANGES
  3. +37 −0 COPYRIGHT
  4. +34 −0 CREDITS
  5. +17 −0 INSTALL
  6. +56 −0 Makefile.in
  7. +105 −0 README
  8. +15 −0 TODO
  9. +21 −0 USAGE
  10. +951 −0 config.guess
  11. +955 −0 config.sub
  12. +2,246 −0 configure
  13. +152 −0 configure.in
  14. +251 −0 install-sh
  15. +430 −0 ngrep.8
  16. +718 −0 ngrep.c
  17. +41 −0 ngrep.h
  18. +4,961 −0 regex.c
  19. +490 −0 regex.h
16 BUGS
@@ -0,0 +1,16 @@
Known bugs:
o RedHat-modified libpcap issue
This is not a bug, but a "feature" of the RedHat-modified
libpcap (included in at least RedHat 6.2). Apparently,
specifying a filter to the library is a programmatic
requirement, whether the bpf expression is empty or not.
This issue is verified by running ngrep without a bpf filter
expression and not observing any traffic when traffic is known
to exist.
Uninstall RedHat's modified libpcap, and replace with the
latest libpcap, located at: ftp://ftp.ee.lbl.gov/libpcap.tar.Z
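Review bot: the empty-filter behaviour described here should be handled inside ngrep rather than by asking users to replace their libpcap. The entry itself says the library treats setting a filter as a programmatic requirement whether the bpf expression is empty or not, so always passing the expression (an empty string when none was given) through pcap_compile and pcap_setfilter would remove the dependence on which libpcap build is installed. Two smaller points: the text opens under "Known bugs" and then says "This is not a bug", so the heading should call it a known libpcap incompatibility; and the suggested replacement is a bare FTP URL with no version or checksum, which leaves users no way to confirm what they fetched.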
76 CHANGES
@@ -0,0 +1,76 @@
v1.38
o binary matching
o windows compilation support
o 64-bit clean patch to regex.c
o dump and replay pcap_dump files
o officially licensed under the BSD license
o normal and diff/delta timestamps
v1.37
o added FDDI support
v1.36
o added -l (line buffer stdout)
o a few optimizations were made to shave off some cpu cycles
spent on processing each packet
o fixed bug where the blank regex algorithm wasn't even being
used
o fixed bug in blank regex algorithm that was preventing '-n'
from working
o change to compile on LinuxPPC
o change to nix potential warnings on other OSes
o change to not exit if pcap_lookupnet fails
v1.35
o appears that the release of 1.34 had only one of the
match optimizations: somehow only the tcp match was updated;
udp change was omitted. fixed.
o moved -v (version) to -V
o added -v (grep -v), invert match
o added -d lo (null linktype)
o added ability to match proto icmp
o updated configure.in to handle old installations of pcap
more gracefully (i.e. continue on by adding the necessary
defines and just gripe)
v1.34
o merged in patch from Andrew W. Flury <aflury@nas.nasa.gov>
for hex printing, made minor modification to patch to not
print off the end of the buffer
o added an optimization for the case where no regex was
specified; should account for a little speed up
v1.33
o fragment changes, this should be it
v1.32
o switched around regex -w/-i logic
o fragment bugfixes
v1.31
o added -A (match after)
o Makefile.in changes
o configure.in changes for solaris
o added manpage (ngrep.8)
v1.30
o bugfix: wasn't malloc'ing enough for word_regex
o bugfix: case-insensitive was tolower()ing the word_regex
itself
v1.29
o added -e (show empty)
o one or two safe, preemptive changes catching possible int
overflows
v1.28
o added -n
o no required arguments anymore
o regex's are not required anymore, can just be bpf logic
o probably a bugfix or two
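Review bot: several entries are too vague for anyone auditing a release: "one or two safe, preemptive changes catching possible int overflows" (v1.29) and "probably a bugfix or two" (v1.28) should name the functions or fields affected, since the overflow checks are exactly what a downstream packager or reviewer needs to locate. The file also carries no dates; the README header records 1.38 as 6.21.2000, so a date per version would let these entries be tied to the corresponding tarball.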
@@ -0,0 +1,37 @@
Copyright (c) 2000 Jordan Ritter. All rights reserved.
Permission is granted to anyone to use this software for any purpose on
any computer system, and to alter it and redistribute it, subject
to the following restrictions:
1. The origin of this software must not be misrepresented, either by
explicit claim or by omission. Since few users ever read sources,
credits must also appear in the documentation.
2. Altered versions must be plainly marked as such, and must not be
misrepresented as being the original software. Since few users
ever read sources, credits must also appear in the documentation.
3. All advertising materials mentioning features or use of this
software must display the following acknowledgement: This product
includes software developed by Jordan Ritter.
4. The name of the Author may not be used to endorse or promote
products derived from this software without specific prior written
permission.
5. This notice, and any references to this notice in the source,
documentation, or binary, may not be removed or altered.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
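Review bot: this licence text does not say which files it covers, yet the README's Miscellany section states that regex.c is the GNU regex library under the GPL, and CHANGES calls v1.38 "officially licensed under the BSD license". Because clause 5 says the notice "may not be removed or altered", COPYRIGHT should state explicitly that it applies to ngrep.c, ngrep.h and the build files and point to the GPL terms for regex.c/regex.h, so the two licences are not read as one.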
34 CREDITS
@@ -0,0 +1,34 @@
Author of ngrep:
Jordan Ritter <jpr5@darkridge.com>
Use of couch whilst conceiving of the concept:
Dave Goldsmith <dhg@ksrt.org> and
Window Snyder <ws@ksrt.org>
Porting of ngrep to Win32:
Mike <mike@eEye.com>
64-bit clean regex.c patch:
Jeff <yaway@hotmail.com>
Hexdump patch:
Andrew W. Flury <aflury@nas.nasa.gov>
Elite ideas and loads of licensing advice:
Dan Frasnelli <dfrasnel@corewar.com> and
cstone <cstone@pobox.com>
Use of OSF/1 box and DDoS research:
Dave Dittrich <dittrich@cac.washington.edu>
Compilation patches:
dugsong <dugsong@monkey.org>
17 INSTALL
@@ -0,0 +1,17 @@
Installation Guide
------------------
For most, installation of ngrep will be as simple as typing:
% ./configure ; make
Those of you looking for the quick way out, there you have it. Keep
in mind, you need libpcap installed before you can compile ngrep. You
can get it at ftp://ftp.ee.lbl.gov/libpcap.tar.Z.
If you still have problems compiling or are compiling on an
unsupported OS, try playing with other build types -- i.e. if you have
a BSD derived system, try the BSD build type. Otherwise, email the
author.
Sparse, I know.
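Review bot: "try playing with other build types -- i.e. if you have a BSD derived system, try the BSD build type" gives no way to actually select a build type; the Makefile.in in this commit only exposes the all, debug, static, install, dep and clean targets, so either document the configure option or variable that chooses a build type or drop the sentence. Also, the quoted "./configure ; make" runs make even when configure fails; "./configure && make" is the form to put in an install guide.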
@@ -0,0 +1,56 @@
#
# $Id$
#
# Copyright (c) 2000 Jordan Ritter <jpr5@darkridge.com>
#
# Please refer to the COPYRIGHT file for more information.
CC=@CC@
INCLUDES=-I@srcdir@ @PCAP_INCLUDE@
CFLAGS=@CFLAGS@ @DEFS@
LIBS=-lpcap @EXTRA_LIBS@
SRC=ngrep.c regex.c
OBJS=ngrep.o regex.o
TARGET=ngrep
MANPAGE=ngrep.8
INSTALL=./install-sh
BINDEST=@prefix@/bin
MANDEST=@prefix@/man/man8
all: $(TARGET)
$(TARGET): $(OBJS)
$(CC) $(CFLAGS) -s -o $(TARGET) $(OBJS) $(LIBS)
debug: $(OBJS)
$(CC) $(CFLAGS) -g -o $(TARGET) $(OBJS) $(LIBS)
static: $(OBJS)
$(CC) $(CFLAGS) -s -static -o $(TARGET).static $(OBJS) $(LIBS)
install: $(TARGET)
$(INSTALL) -c -m 0755 $(TARGET) $(BINDEST)
$(INSTALL) -c -m 0644 $(MANPAGE) $(MANDEST)
.c.o:
$(CC) $(CFLAGS) $(INCLUDES) -g -c $<
dep:
@echo making dependencies...
@$(CXX) $(INCLUDES) -M -MG $(SRC) > .depends
clean:
rm -f *~ $(OBJS) $(TARGET)
distclean: clean
rm -f config.status config.cache config.log Makefile .depends
ngrep.o: ngrep.c ngrep.h
regex.o: regex.c regex.h
-include .depends
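Review bot: the dep target uses a variable this file never defines: "@$(CXX) $(INCLUDES) -M -MG $(SRC) > .depends" should use $(CC) (the only compiler variable set here, via CC=@CC@); GNU make defaults CXX to g++ and other makes leave it empty, so dependency generation either runs the wrong compiler or fails. Two smaller points: the .c.o rule passes -g unconditionally while the default link strips with -s, so -g is doing nothing for the all target and would be better confined to the debug target via CFLAGS; and install copies into $(BINDEST) and $(MANDEST) without creating them first, so installing under a fresh prefix fails.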
105 README
@@ -0,0 +1,105 @@
Program: ngrep
Author: Jordan Ritter <jpr5@darkridge.com>
Version: 1.38 (6.21.2000)
Goal:
A program that mimicks as much functionality in GNU grep as
possible, applied at the network layer.
Description:
ngrep strives to provide most of GNU grep's common features,
applying them to the network layer. ngrep is a pcap-aware tool that
will allow you to specify extended regular expressions to match
against data payloads of packets. It currently recognizes TCP, UDP
and ICMP across Ethernet, PPP, SLIP and null interfaces, and
understands bpf filter logic in the same fashion as more common
packet sniffing tools, such as tcpdump and snoop.
Usage:
ngrep <-hXViwqevxlDtT> <-IO pcap_dump> <-n num> <-d dev> <-A num>
<match expression> <bpf filter>
-h is help/usage
-X is interpret match expression as hexadecimal
-V is version information
-i is ignore case
-w is word-regex (expression must match as a word)
-q is be quiet
-e is show empty packets
-v is invert match
-x is print in alternate hexdump format
-l is make stdout line buffered
-D is replay pcap_dumps with their recorded time intervals
-t is print timestamp every time a packet is matched
-T is print delta timestamp every time a packet is matched
-I is dump matched packets in pcap format to pcap_dump
-O is read packet stream from pcap format file pcap_dump
-n is look at only num packets
-d is use a device different from the default (pcap)
-A is dump num packets after a match
<match expression> is either an extended regular expression or a
hexadecimal string. see the man page for more
information.
<bpf filter> is any bpf filter statement.
Tips:
o When the intention is to match all packets (i.e. blank regex), it
is technically faster to use an empty regex, '', than to use '.*'
or '*'.
o Always try to craft a BPF filter; this is doubly important on
interfaces that are very busy and are seeing large amounts of
packets. The parser takes a certain amount of time, and while
negligible on a slow interface, it can add up very quickly on a
busy one.
o Hexadecimal expressions can be in straight numeric form,
'DEADBEEF', or in symbolic form, '0xDEADBEEF'. A byte is the
smallest unit of measure you can match against.
o As of v1.28, ngrep doesn't require a match expression. There are
cases where it will be confused and think part of your bpf filter
is the match expression, as in:
% ngrep not port 80
interface: eth0 (192.168.1.0/255.255.255.0)
filter: ip and ( port 80 )
match: not
In cases like this, you will need to specify a blank match expression:
% ngrep '' not port 80
interface: eth0 (192.168.1.0/255.255.255.0)
filter: ip and ( not port 80 )
Known Working Platforms:
o Linux 2.0, 2.2, 2.3 --
(RH6+, SuSE, TurboLinux, Debian)/x86
RedHat/alpha
Debian/powerpc
Cobalt (Qube2) Linux/MIPS
o Solaris 2.5.1, 2.6/SPARC, Solaris 7
o FreeBSD 2.2.5, 3.1, 3.2, 3.4-RC, 3.4-RELEASE, 4.0
o OpenBSD 2.4 (after upgrading pcap from 0.2)
o Digital Unix V4.0D (OSF/1)
Miscellany:
Please see the CREDITS file for a listing of the people who helped
make ngrep what it is today. Also, please note that ngrep is
released under a BSD-style license, though it currently relies upon
the GNU regex library, which is protected under the GPL.
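Review bot: the ambiguity documented under Tips ("ngrep not port 80" silently takes "not" as the match expression and drops it from the filter, so the user watches port 80 instead of everything but port 80) is a correctness problem that only shows up if the user reads the echoed filter line; the argument parser should at least warn when the match expression is a bare bpf keyword, or accept an explicit separator, rather than rely on users supplying ''. Also, "mimicks" in the Goal line should read "mimics".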
15 TODO
@@ -0,0 +1,15 @@
Todo:
o add non-ip protocols (IPX and Appletalk are up next, maybe NetBeui?)
o add flag to specify packet flags (supported by bpf filters,
but under consideration)
o switch to pcre for regex support (under consideration)
o -T == display time diff from start (completed)
o replay should use timestamp stored in file to sleep packet
delays (completed)
o add "Extra info", i.e. display ToS, seq, id, etc.
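Review bot: the two items marked "(completed)" (-T time diff, replay using the stored timestamps) duplicate the v1.38 entries in CHANGES ("normal and diff/delta timestamps", "dump and replay pcap_dump files") and should be removed from TODO rather than annotated, so the file lists only open work.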
21 USAGE
@@ -0,0 +1,21 @@
Examples:
o ngrep -qd eth1 'HTTP' tcp port 80
Be quiet, look only at tcp packets with either source or dest port
80 on interface eth1, look for anything matching 'HTTP'.
o ngrep -qd le0 port 53
Watch all tcp and udp port 53 (nameserver) traffic on interface
le0. Be quiet.
o ngrep 'USER|PASS' tcp port 21
Look only at tcp packets with either source or dest port 21, look
for anything resembling an FTP login.
o ngrep -wiA 2 'user|pass' tcp port 21
Alternatively, match either 'user' or 'pass' case insensitively,
and dump the next 2 packets following (that match the bpf filter).
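Review bot: the second example, "ngrep -qd le0 port 53", appears to hit the parsing ambiguity the README's Tips section describes for "ngrep not port 80": with no match expression given, the first word of the filter ("port") would be taken as the regex and "53" alone left as the bpf filter. Either write it as "ngrep -qd le0 '' port 53", as the README recommends, or verify it against the parser and update the README's description of when the confusion occurs.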