Recent changes to support-requests

#5 ngrep and linux 3.x kernels

Tim Sailer — Tue, 11 Feb 2014 20:44:09 -0000

ngrep -i -t -q -l -d eth1 'get|post|put|delete' 'dst port 80'

if I change the BPF to 'vlan and (dst port 80)' I get nothing. Without the vlan checking, the first few bytes of the packet are nostly non-printable characters. I cna send you a small (few k) of the output from 'good' and 'bad' sessions... I don't want to have to sanitize them to post them up here.

#5 ngrep and linux 3.x kernels

Tim Sailer — Tue, 11 Feb 2014 20:35:31 -0000

Oh... I'm using ngrep 1.46 CSV as that has the support for vlans.

#5 ngrep and linux 3.x kernels

Jordan Ritter — Tue, 11 Feb 2014 20:34:57 -0000

Thanks for the helpful info! I really appreciate the effort.

I had hoped this might just be a pcap issue, but it looks like I added some manual VLAN support
back in commit 24600b6b: https://github.com/jpr5/ngrep/commit/24600b6b So that's a good starting point for me.

What cmdline options are you passing to ngrep? Any BPF filter? etc.

Also, can you clarify "can't grok"? Do you mean ngrep sees the packets (dot emitted) but doesn't detect, or doesn't see the packets at all, or?

#5 ngrep and linux 3.x kernels

Tim Sailer — Tue, 11 Feb 2014 20:23:10 -0000

I have compiled against libpcap-1.0.0 through libpcap-1.5.0. No difference.
I've been testing on Debian and Ubuntu, most recently Debian 6 and Ubuntu 12.04.

I created a staticly linked binary, and tested it on both current Debian and Ubuntu, with the 'broken' behaviour. I moved the binary to an older Debian box still running a 2.6.x kernel, and it worked perfectly.

#5 ngrep and linux 3.x kernels

Jordan Ritter — Tue, 11 Feb 2014 17:23:11 -0000

Thanks for the report.

Can you confirm which distribution, version of libpcap and ngrep you're using? Are you passing any special options on the cmdline?

ngrep and linux 3.x kernels

Tim Sailer — Tue, 11 Feb 2014 17:19:11 -0000

I'm not sure if this project is still being maintained. If not, that's too bad.

The issue is that with the 3.x versions of the Linux kernel, vlan handling has changed dramatically. ngrep no longer can grok vlan tagged packets. Would it be possible to get this functionality repaired?

hrbrid hex/ascii mode?

Anonymous — Wed, 18 Jun 2008 01:32:38 -0000

Hi there

I'm a very keen ngrep user and routinely use "-W single" plus perl's regex power to create "poor mans IDS" scripts for specific things. Works well.

However, the fact that all the non-ASCII chars are replaced with '.' is a bit of a limitation. e.g. if I'm trying to capture NetBIOS filenames in packets (which are mainly in Unicode now), I see "dir\filename.txt" as "d.i.r.\.f.i.l.e.n.a.m.e...t.x.t.".

What I'd love to see is a "-W singleENC" option - where all the non-ASCII were converted

e.g. the above filename could be "d\0i\0r\0\\\0f\0i\0\l\0\e\0name.txt" (you get the idea ;-)

Then it'd be easier for me to distinguish real period chars from non-ASCII for starters, as well as being able to actually match on non-ASCII when I need to.

Thanks!

Jason

ngrep -d any claims invalid device index

Capt. Jean-Luc Pikachu — Wed, 14 Mar 2007 16:31:56 -0000

The worst part is that it says there's no error o_O Any idea what I'm doing wrong? Thanks in advance

C:\ngrep>ngrep -d any
invalid device index: No error

RedHat 9 problems

Anonymous — Sat, 01 Nov 2003 15:08:29 -0000

1.4X versions do not work on redhat 9, gives
segmentation fault wether it's the static or the compiled
version. 1.3X works with the static or compiled..
What's the difference?