Ngrep on OSX

Posted by seon on Monday, September 03

I’ve replaced tcpmon with ngrep as my tool of preference for debugging service interaction while working with Mule. Tcpmon required modifications to the service configurations in order to pass data through the tcpmon proxies for monitoring, whereas ngrep is transparent: it sniffs the network interface directly, so no configuration changes are needed. It has a simple, fast text interface with no complicated GUI to navigate, and the output can be piped to grep or saved to a file. It runs on *nix and Win32. Sweet!

On OSX (version 10.4.10) I decided to compile and install the latest ngrep using the following steps. The tarball is fetched over plain HTTP, so compare it against the hash or signature published by the project before building it…

# -O is needed: without it wget keeps the ?download suffix in the saved filename and the tar step below fails
wget -O ngrep-1.45.tar.bz2 'http://prdownloads.sourceforge.net/ngrep/ngrep-1.45.tar.bz2?download'
tar -jxvf ngrep-1.45.tar.bz2
cd ngrep-1.45
./configure --prefix=/usr/local
make
sudo make install

I use ifconfig to determine the interface I want to monitor with ngrep…

ifconfig

en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::216:cbff:feb7:5de%en1 prefixlen 64 scopeid 0x5 
        inet 172.16.1.3 netmask 0xffffff00 broadcast 172.16.1.255
        ether 00:16:cb:b7:05:de 
        media: autoselect status: active
        supported media: autoselect

Then start ngrep on en1 (the interface found above), monitoring port 80. The trailing "port 80" is a BPF filter in the same syntax tcpdump uses, so it can be narrowed further, for example "host 172.16.1.3 and port 80". The -Wbyline option prints the packet payload one line per linebreak in the data instead of ngrep's default single-line dump; bytes that are not printable are shown as ".", which is why every HTTP header line in the dump below ends in a "." (its carriage return) and the blank line between headers and body appears as a lone "."…

sudo ngrep -Wbyline -d en1 port 80
Password:
interface: en1 (172.16.1.0/255.255.255.0)
filter: (ip) and ( port 80 )

Example ngrep output. Each "#" is a packet that matched the BPF filter, including the TCP handshake and bare ACKs that carry no payload to print; a packet whose payload matches the pattern (no pattern was given here, so any payload) is dumped after a header line giving the protocol (T for TCP), the endpoints and the TCP flags, where [AP] is PSH+ACK and [A] a bare ACK. Note that the request dump includes the browser's Cookie header: anything ngrep writes to a file or a log carries the same session data, so treat saved captures as sensitive…

####
T 172.16.1.3:57867 -> a.b.c.d:80 [AP]
GET /usage.html HTTP/1.1.
Host: ngrep.sourceforge.net.
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6.
Accept: HTTP Accept=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: en-us,en;q=0.5.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Referer: http://ngrep.sourceforge.net/.
Cookie: __utmz=191645736.1188003977.1.1.utmccn=(referral)|utmcsr=jibx.sourceforge.net|utmcct=/mail-lists.html|utmcmd=referral; __utma=191645736.2030039243.1188003977.1188003977.1188003977.1.
.

##
T a.b.c.d:80 -> 172.16.1.3:57867 [A]
HTTP/1.0 200 OK.
Date: Mon, 03 Sep 2007 21:43:32 GMT.
Server: Apache/1.3.33 (Unix) PHP/4.3.10.
Last-Modified: Thu, 24 Feb 2005 04:41:08 GMT.
ETag: "219bb8-4827-421d5ae4".
Accept-Ranges: bytes.
Content-Length: 18471.
Content-Type: text/html.
X-Cache: MISS from sims.sofast.net.
Connection: keep-alive.
.
<?xml version="1.0" encoding="UTF-8"?>
<!doctype html public "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head><title>ngrep - network grep</title>
</head>

<style>

body {
text-align: center;
padding: 20px;
margin: 0;
background: #888;
color: #000;
font: 10px/15px verdana, geneva, helvetica, arial, sans-serif;
}

h2 {
text-align: center;
margin: auto;
width: 600px;
}

...snip...
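To make the shape of that dump concrete, the following is an added example, not code from the original post or from the ngrep project: a stdlib-only model of how ngrep -W byline renders a sequence of TCP packets, covering the "#" markers, the "T src:port -> dst:port [AP]" header line and the "." that replaces each carriage return. The packets are constructed inline for the example, and 192.0.2.1 stands in for the anonymised a.b.c.d of the capture; the flag letter order and the exact "#" placement are modelled on the output shown above rather than taken from ngrep's source.

```python
"""Model of ngrep's -W byline output for IPv4/TCP packets (added example,
not ngrep's own code).  Packets below are constructed; 192.0.2.1 is an
assumed placeholder for the server address."""
import re
import socket
import struct

NONPRINT = "."  # ngrep's default replacement for non-printable bytes

# TCP flag bits and the letters used for them, ordered so that PSH+ACK
# renders as "[AP]" and a bare ACK as "[A]", as in the capture above.
TCP_FLAGS = ((0x02, "S"), (0x01, "F"), (0x04, "R"), (0x10, "A"), (0x08, "P"), (0x20, "U"))
SYN, ACK, PSH = 0x02, 0x10, 0x08


def build_tcp_packet(src, sport, dst, dport, flags, payload=b""):
    """Build a minimal IPv4/TCP packet (no link-layer header) as test input.
    Checksums stay zero: this is for parsing, not for sending."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                         0, 0x4000, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Return (src, sport, dst, dport, flags, payload).  Honours the IP header
    length and TCP data offset so options are skipped, and trims any
    link-layer padding beyond the IP total length."""
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (vihl & 0x0F) * 4
    pkt = pkt[:total_len]
    sport, dport, _, _, off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    payload = pkt[ihl + (off >> 4) * 4:]
    return socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport, flags, payload


def flag_string(flags):
    return "".join(letter for bit, letter in TCP_FLAGS if flags & bit)


def byline(payload):
    """-W byline: keep LF as a line break, print every other non-printable
    byte as '.'.  HTTP uses CRLF, so each header line ends in '.' (the CR)
    and the blank line between headers and body shows up as a lone '.'."""
    return "".join(chr(b) if b == 0x0A or 0x20 <= b < 0x7F else NONPRINT for b in payload)


def render(pkt):
    """Header line plus byline payload for one packet with data."""
    src, sport, dst, dport, flags, payload = parse_ipv4_tcp(pkt)
    return f"T {src}:{sport} -> {dst}:{dport} [{flag_string(flags)}]\n{byline(payload)}\n"


def ngrep_like(packets, pattern=b""):
    """Emit '#' for every packet handed to us (i.e. one that passed the BPF
    filter) and dump those whose payload matches the pattern.  Packets with
    no payload (handshake, bare ACKs) only ever produce a '#'.  An empty
    pattern matches any payload, like running ngrep without one."""
    out = []
    for pkt in packets:
        out.append("#")
        payload = parse_ipv4_tcp(pkt)[5]
        if payload and re.search(pattern, payload):
            out.append("\n" + render(pkt))
    return "".join(out)


# Constructed sample flow: three-way handshake, request, ACK, response.
CLIENT, SERVER = ("172.16.1.3", 57867), ("192.0.2.1", 80)
REQUEST = b"GET /usage.html HTTP/1.1\r\nHost: ngrep.sourceforge.net\r\n\r\n"
RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
CAPTURE = [
    build_tcp_packet(*CLIENT, *SERVER, SYN),
    build_tcp_packet(*SERVER, *CLIENT, SYN | ACK),
    build_tcp_packet(*CLIENT, *SERVER, ACK),
    build_tcp_packet(*CLIENT, *SERVER, PSH | ACK, REQUEST),
    build_tcp_packet(*SERVER, *CLIENT, ACK),
    build_tcp_packet(*SERVER, *CLIENT, PSH | ACK, RESPONSE),
]

if __name__ == "__main__":
    print(ngrep_like(CAPTURE))              # everything, like the run above
    print(ngrep_like(CAPTURE, b"^GET "))    # requests only, like ngrep -Wbyline '^GET ' port 80
```

Running it reproduces the "####" before the request (three handshake packets plus the request itself) and the "##" before the response (the server's ACK plus the response), and the second call shows how supplying a pattern keeps the "#" per packet while dumping only the matching payloads.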