See who’s doing what, with a grep for your network interface.
The
ngrep (http://www.packetfactory.net/Projects/ngrep)
utility is an interesting packet capture tool, similar to
[Hack #37] and [Hack #38]. It
is unique in that it attempts to make it as easy as possible to match
which captured packets to print, by using a grep-compatible format
(complete with
regular expressions and a bunch
of GNU grep’s switches). It also converts the
packets to ASCII (or hex) before printing.
For example, to see the contents of all HTTP GET requests that pass through your router, try this:
# ngrep -q GETIf you’re interested only in a particular host, protocol, or port (or other packet matching criteria), you can specify a bpf filter as well as a data pattern. It uses a syntax similar to tcpdump:
# ngrep -qi [email protected] port 25
T 10.42.4.7:65174 -> 209.204.146.26:25 [AP]
RCPT TO:..
T 209.204.146.26:25 -> 10.42.4.7:65174 [AP]
250 2.1.5 ... Recipient ok..
T 10.42.4.7:65174 -> 209.204.146.26:25 [AP]
Date: Sun, 8 Sep 2002 23:55:18 -0700..Mime-Version: 1.0 (Apple Message fram
ework v543)..Content-Type: text/plain; charset=US-ASCII; format=flowed..Sub
ject: Greetings.....From: John Doe ..To: [email protected]
coding: 7bit..Message-Id: ..X-Mailer: Apple Mail v2)....What does t
hat pgp command you mentioned do again?....Thanks,....--A Friend....
Since
ngrep prints to STDOUT, you can do
post-processing on the output to make a nice printing filter. If you
process the output yourself, add the -l switch to
make the output line buffered.
If you’re interested in what people on the local wireless network are searching for online, try something like this bit of Perl:
#!/usr/bin/perl
use Socket;
$|++;
open(NG,"ngrep -d en1 -lqi '(GET|POST).*/(search|find)' |");
print "Go ogle online.
";
my ($go,$i) = 0;
my %host = ( );
while( ) {
if(/^T (d+.d+.d+.d+):d+ -> (d+.d+.d+.d+):80/) {
$i = inet_aton($1);
$host{$1} ||= gethostbyaddr($i, AF_INET) || $1;
$i = inet_aton($2);
$host{$2} ||= gethostbyaddr($i, AF_INET) || $2;
print "$host{$1} -> $host{$2} : ";
$go = 1;
next;
}
if(/(q|p|query|for)=(.*)?(&|HTTP)/) {
next unless $go;
my $q = $2;
$q =~ s/(+|&.*)/ /g;
$q =~ s/%(w+)/chr(hex($1))/ge;
print "$q
";
$go = 0;
}
else {
next unless $go;
$go = 0;
print "
";
}
}I call the script go-ogle. This runs an
ngrep looking for any
GET or POST request that
includes search or find
somewhere in the URL. Save the code to a file called
go-ogle.pl and invoke it on the command line.
The results look something like this:
# perl go-ogle.pl
Go ogle online.
caligula.nocat.net -> www.google.com : o'reilly mac os x conference
caligula.nocat.net -> s1.search.vip.scd.yahoo.com : junk mail $$$
tiberius.nocat.net -> altavista.com : babel fish
caligula.nocat.net -> 166-140.amazon.com : Brazil
livia.nocat.net -> 66.161.12.119 : lart
It will very lazily
unescape encoded strings in the query (note the '
in the Google query, and the $$$ from Yahoo!). It
will also convert
IP addresses to
hostnames for you (since ngrep
doesn’t seem to have this feature, probably so it
can optimize capturing for speed). The last two results are
interesting: the “Brazil” query was
actually run on http://www.imdb.com/, and the last one was to
http://www.dictionary.com/.
Evidently IMDB is now in a partnership with Amazon, and
Dictionary.com’s search machine
doesn’t have a PTR record. It’s
amazing how much you can learn about the world by watching other
people’s packets.
Note that you must be root to run ngrep; for
best results it should be run from the router at the edge of your
network or from any wireless client associated with a busy
AP.