beautiful network monitoring

Stefan — Fri, 27 Jun 2008 17:10:00 +0200

Monitoring networks with tcpdump works fine, but even in quiet mode tcpdump outputs too much information if you’re interested in application layer protocols like HTTP or IMAP. A nice alternative on the command line is ngrep which has a much more readable output. ngrep filters all tcp packets with an empty data part and strips the header of non-empty tcp packets. The only beauty flaw in my eyes is the dot ngrep inserts for every tab and for every carriage return. In my opinion it should offer an option to specify the tabulator size and just ignore the carriage returns.

But see for yourself, here the tcpdump output of an IMAP session,

$ sudo tcpdump -i en1 -A -s 0 -qtn port imap
tcpdump: verbose output suppressed,
use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet),
capture size 65535 bytes
IP 192.168.2.22.50556 > 80.237.145.78.143: tcp 0
E..@..@.@.......P..N.|...7.n........Go.............
/!..........
IP 80.237.145.78.143 > 192.168.2.22.50556: tcp 0
E..<..@.9...P..N.......|.....7.o...............
w.A./!......
IP 192.168.2.22.50556 > 80.237.145.78.143: tcp 0
E..4..@.@.......P..N.|...7.o...............
/!..w.A.
IP 80.237.145.78.143 > 192.168.2.22.50556: tcp 21
E..I..@.9...P..N.......|.....7.o...........
w.A./!..* OK Dovecot ready.

IP 192.168.2.22.50556 > 80.237.145.78.143: tcp 0
E..4.P@.@..j....P..N.|...7.o...............
/!..w.A.
IP 192.168.2.22.50556 > 80.237.145.78.143: tcp 33
E..U.8@.@..`....P..N.|...7.o...............
/!.2w.A.1 LOGIN foo@bar.net password

IP 80.237.145.78.143 > 192.168.2.22.50556: tcp 0
E..4..@.9...P..N.......|.....7.......<.....
w.F'/!.2
IP 80.237.145.78.143 > 192.168.2.22.50556: tcp 17
E..E..@.9...P..N.......|.....7......c......
w.F./!.21 OK Logged in.

IP 192.168.2.22.50556 > 80.237.145.78.143: tcp 0
E..4.0@.@.......P..N.|...7.....?.....D.....
/!.>w.F.
IP 192.168.2.22.50556 > 80.237.145.78.143: tcp 14
E..B.#@.@.......P..N.|...7.....?...........
/!.cw.F.1 LIST """%"

IP 80.237.145.78.143 > 192.168.2.22.50556: tcp 0
E..4..@.9...P..N.......|...?.7.............
w.H./!.c
IP 80.237.145.78.143 > 192.168.2.22.50556: tcp 513
E..5..@.9...P..N.......|...?.7.............
w.H./!.c* LIST (\HasChildren) "." "Trash"
* LIST (\HasNoChildren) "." "Sent"
* LIST (\HasNoChildren) "." "Spam"
* LIST (\HasNoChildren) "." "Sent Messages"
* LIST (\HasNoChildren) "." "Drafts"
* LIST (\HasNoChildren) "." "Spamtraining"
* LIST (\HasNoChildren) "." "Hamtraining"
* LIST (\HasNoChildren) "." "Spamtesting"
* LIST (\HasNoChildren) "." "Hamtesting"
* LIST (\HasNoChildren) "." "Deleted Messages"
* LIST (\HasNoChildren) "." "Spamverdacht"
* LIST (\HasNoChildren) "." "INBOX"
1 OK List completed.

IP 192.168.2.22.50556 > 80.237.145.78.143: tcp 0
E..4]'@.@.8.....P..N.|...7.....@...........
/!.cw.H.
IP 192.168.2.22.50556 > 80.237.145.78.143: tcp 10
E..>.L@.@..c....P..N.|...7.....@.....N.....
/!..w.H.1 LOGOUT

IP 80.237.145.78.143 > 192.168.2.22.50556: tcp 19
E..G..@.9...P..N.......|...@.7.............
w.IP/!..* BYE Logging out

IP 192.168.2.22.50556 > 80.237.145.78.143: tcp 0
E..4.I@.@..p....P..N.|...7.....S.....%.....
/!..w.IP
IP 80.237.145.78.143 > 192.168.2.22.50556: tcp 24
E..L..@.9...P..N.......|...S.7.............
w.IP/!..1 OK Logout completed.

IP 192.168.2.22.50556 > 80.237.145.78.143: tcp 0
E..4C#@.@.R.....P..N.|...7.....l...........
/!..w.IP
IP 192.168.2.22.50556 > 80.237.145.78.143: tcp 0
E..4.;@.@.......P..N.|...7.....l...........
/!..w.IP
IP 80.237.145.78.143 > 192.168.2.22.50556: tcp 0
E..4..@.9...P..N.......|...l.7.......j.....
w.IQ/!..

20 packets captured
28 packets received by filter
0 packets dropped by kernel

compared with the corresponding ngrep output.

$ sudo ngrep -d en1 -W byline port imap
interface: en1 (192.168.2.0/255.255.255.0)
filter: (ip) and ( port imap )
####
T 80.237.145.78:143 -> 192.168.2.22:50556 [AP]
* OK Dovecot ready..

##
T 192.168.2.22:50556 -> 80.237.145.78:143 [AP]
1 LOGIN foo@bar.net password.

##
T 80.237.145.78:143 -> 192.168.2.22:50556 [AP]
1 OK Logged in..

##
T 192.168.2.22:50556 -> 80.237.145.78:143 [AP]
1 LIST """%".

##
T 80.237.145.78:143 -> 192.168.2.22:50556 [AP]
* LIST (\HasChildren) "." "Trash".
* LIST (\HasNoChildren) "." "Sent".
* LIST (\HasNoChildren) "." "Spam".
* LIST (\HasNoChildren) "." "Sent Messages".
* LIST (\HasNoChildren) "." "Drafts".
* LIST (\HasNoChildren) "." "Spamtraining".
* LIST (\HasNoChildren) "." "Hamtraining".
* LIST (\HasNoChildren) "." "Spamtesting".
* LIST (\HasNoChildren) "." "Hamtesting".
* LIST (\HasNoChildren) "." "Deleted Messages".
* LIST (\HasNoChildren) "." "Spamverdacht".
* LIST (\HasNoChildren) "." "INBOX".
1 OK List completed..

##
T 192.168.2.22:50556 -> 80.237.145.78:143 [AP]
1 LOGOUT.

#
T 80.237.145.78:143 -> 192.168.2.22:50556 [AP]
* BYE Logging out.

##
T 80.237.145.78:143 -> 192.168.2.22:50556 [AFP]
1 OK Logout completed..

28 received, 0 dropped

"beautiful network monitoring" by Alex

Fri, 27 Jun 2008 18:54:10 +0200

ngrep kannte ich noch nicht. Danke für den Tipp.

loopkid: beautiful network monitoring

beautiful network monitoring

"beautiful network monitoring" by Alex