commit 3cb4c580a9de4afe11c2c17b0f354b59b74ae974
parent 35527b42bca51985385a3e8a005abbfd8faaf6dd
Author: Jordan Ritter <jpr5@darkridge.com>
Date: Thu, 7 Sep 2017 11:01:34 -0700
Update, simplify, and markdown-ify docs
Diffstat:
A | CHANGES | | | 308 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
R | doc/CREDITS.txt -> CREDITS | | | 0 | |
A | EXAMPLES.md | | | 366 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | INSTALL | | | 83 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
R | LICENSE.txt -> LICENSE | | | 0 | |
A | README.md | | | 83 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
D | doc/CHANGES.txt | | | 296 | ------------------------------------------------------------------------------- |
D | doc/INSTALL.txt | | | 85 | ------------------------------------------------------------------------------- |
D | doc/README.txt | | | 154 | ------------------------------------------------------------------------------- |
9 files changed, 840 insertions(+), 535 deletions(-)
diff --git a/CHANGES b/CHANGES
@@ -0,0 +1,308 @@
+v1.47
+
+ o Fix "no VLAN support for XXX"-related problems
+
+ o Fix truncated/garbled output (e.g. SIP over SLL/Linux cooked sockets)
+
+ o Change exit behavior to match BSD & GNU grep (see manpage)
+
+ o Add Solaris IPnet support
+
+ o Update to use 32bit values where relevant
+
+ o Emit frame # in header, useful for reference/analysis
+
+ o Emit total received, matched upon exit (dropped unreliable PCAP stats)
+
+ o Import debian patches related to autotools, manpage, and compilation
+ on other platforms
+
+ o Fix build clean/distclean when not linked against provided GNU regex
+
+ o Fix build --enable/--disable flag processing
+
+ o Fix building under MS VS2012 / Win32
+
+ o Update to latest autotools (2017)
+
+v1.46.1
+
+ o actual bugfix for the VLAN parsing issue. prior version 1.46 expanded
+ the BPF filter to include IPv4/6 traffic, but the offset calculation
+ forgot to account for the variable presence of VLAN headers. now
+ ngrep detects VLAN frames in every packet and adjusts the offset on
+ the fly.
+
+v1.46
+
+ o configure.in: re-organized, in part to sync with downstream patches
+ (which were never sent upstream)
+
+ o configure.in: removed included PCRE library, now builds against system
+ version when specified (default is included GNU Regex)
+
+ o configure.in: fixed duplicate PCAP header check, which broke with the
+ release of libpcap 1.0
+
+ o configure.in: prefixed all tack-on autoconf variables from _FOO -> EXTRA_FOO
+
+ o Makefile.in: capitulated to Debian: use tar.gz instead of tar.bz2 :-(
+
+ o ngrep.c: Call setlocale to make isprint() work based on current
+ locale. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307496++
+
+ o include tcpkill functionality (-K), a long-standing downstream patch
+ under Debian
+
+ o updated to latest autoconf
+
+ o updated copyrights to 2014
+
+v1.45
+
+ o fixed bug where setting the snaplen smaller than the minimum
+ necessary to read the full headres would cause garbage to be
+ fed into the pattern matcher
+
+ o fixed unreported bug in IPv6/TCP packet length calculation
+
+ o relocated the privilege-dropping routine to be invoked right
+ before entering the packet processing loop, to prevent
+ interference with necessary permissions to read or write
+ dumpfiles/etc.
+
+ o fixed integer overflow with the snaplen that resulted from
+ an implicit signed/unsigned conversion
+
+ o minor change to compensate for some broken compiler
+ optimizers
+
+ o fixed double-free race condition during ngrep termination
+
+ o reworked packet length calculation in the main processing
+ loop, improving performance and readability
+
+ o simplified regex build logic in configure and Makefile
+
+ o updated Win32 version to use config.h for preprocessor
+ definitions instead of the Visual Studio project files,
+ making manual tweaking and config of ngrep for Win32
+ consistent with *NIX and more obvious
+
+ o changed third-party Makefiles to properly clean up after
+ themselves
+
+ o added support for radiotap (IEEE802_11_RADIO)
+
+ o changed ``-s 0'' invocation to mimic the equivalent of tcpdump
+
+v1.44
+ o added post-config section to configure: emit important
+ config option settings that weren't previously indicated
+
+ o for BSD platforms, only emit pcap_restart warning from
+ configure if ``--disable-pcap-restart'' hasn't been
+ specified
+
+ o added IPv6 and ICMPv6 support (all platforms); disabled by
+ default for common case where libpcap wasn't compiled with
+ IPv6 support
+
+ o added support for displaying protocol number (``-N''),
+ useful for when observing raw packets
+
+ o added support for new display method ``single'', similar to
+ ``byline'' but both header and data occupy one single line
+
+ o introduced multiple levels of quiet (``-q''); the more it is
+ specified the more quiet ngrep becomes
+
+ o reorganization of some internal support headers and core
+ code to eliminate redundancy, improve readability and
+ efficiency, and support new features
+
+ o changed all integer types to be bit- and sign-explicit
+
+v1.43
+ o healed the win32 code fork: ngrep now builds from the same
+ source tree for all platforms including Windows
+
+ o re-wrote the privilege revocation logic after problems were
+ reported with the SPC version, and removed non-root
+ drop_privs capability altogether
+
+ o fix off-by-one bug which caused ngrep to exit 1 packet early
+ when ``-A'' as invoked
+
+ o Fixed problematic configtest for old broken-redhat-glibc UDP
+ header
+
+ o ngrep now sets a pcap filter "ip" by default, if one is not
+ specified
+
+ o header offset fix to 802.11 processing
+
+ o support IGMP and Raw (unknown IP protocol) type packets
+
+ o support for latest versions of libpcap (0.8.3) and winpcap
+ (3.1 beta 4)
+
+ o updated configure to autoconf 2.59, and config.guess and
+ config.sub to latest versions
+
+ o updated PCRE from 3.4 to 5.0
+
+ o and various minor changes and updates to improve ngrep
+
+v1.42
+ o rewrote the entire configure.in/config.h.in to autoconf 2.57
+ to be more consistent with normal autoconf'd programs.
+ corrects bugs around packaging impediments and typos
+
+ o improved privilege dropping code and added more options to
+ configure to govern its behaviour
+
+ o added flag to turn off privilege revocation logic
+
+ o added multiline match as default and ability to enforce
+ previous default single-line match (bugfix + feature)
+
+ o added ability to read bpf filter expression from file
+
+ o added ability to force the column width to a certain size
+
+ o added two new output modes: ``byline'', whose output
+ respects embedded carriage returns (useful for http dumps),
+ and ``none'', which prints out each dump as a single line no
+ matter what
+
+ o added ability to specify alternate nonprintable character
+ (default is ``.'')
+
+ o made ``-q'' effects more consistent and usable for scenarios
+ where ``-I'' and/or ``-O'' are being employed
+
+ o documentation updated
+
+v1.41
+ o added -S (set limitlen)
+ o added LOOP and SLL tests for portability/old libpcap'en
+ o added configure --safe-user and dropprivs code
+ o added TCP ECN congestion header recognition
+ o improved support for a few OSes
+ o relaxed some restrictions in the license (COPYRIGHT -> LICENSE)
+ o 802.11 support
+
+v1.40.1
+ o MacOS X support
+ o ISDN (SLL) support
+ o OpenBSD tun device support
+ o updated configure.in to support specifying pcap directory
+ o updated config.sub and config.guess
+ o added scripts/multi.pl, parallel ngrep perl script
+ o very minor change to documentation
+
+v1.40
+ o license change, amends the BSD advertising clause
+ o fixed bug from not considering caplen in payload length
+ calculations
+ o added -s (set bpf caplen)
+ o fixed header include for linux glibc 2.2 (time.h wasn't
+ being included)
+
+v1.39.2
+ o typographical error, -p works now
+
+v1.39.1
+ o added in AIX includes
+ o added BSD* includes for display updates
+ o added -p (don't go into promiscuous mode)
+
+v1.39
+ o in standard match mode, the display now updates when window
+ sizes change
+ o configure now gives the user the option to compile with the
+ pcre library, which is more license-friendly (albeit slower)
+ o fixed minor bug in date printing with -t
+ o added configure option '--without-restart', which will
+ remove the pcap restart API call. Newer versions of libpcap
+ don't need it, and on certain platforms the API call
+ segfaults
+ o win32: compiled with winpcap's pcap.h, which apparently
+ breaks the pcap standard and introduces its own data link
+ layer types. fixes the 'unsupported interface' error folks
+ sometimes got when used with a 100bT adapter
+
+v1.38
+ o binary matching
+ o windows compilation support
+ o 64-bit clean patch to regex.c
+ o dump and replay pcap_dump files
+ o officially licensed under the BSD license
+ o normal and diff/delta timestamps
+
+v1.37
+ o added FDDI support
+
+v1.36
+ o added -l (line buffer stdout)
+ o a few optimizations were made to shave off some cpu cycles
+ spent on processing each packet
+ o fixed bug where the blank regex algorithm wasn't even being
+ used
+ o fixed bug in blank regex algorithm that was preventing '-n'
+ from working
+ o change to compile on LinuxPPC
+ o change to nix potential warnings on other OSes
+ o change to not exit if pcap_lookupnet fails
+
+v1.35
+ o appears that the release of 1.34 had only one of the
+ match optimizations: somehow only the tcp match was updated;
+ udp change was omitted. fixed
+ o moved -v (version) to -V
+ o added -v (grep -v), invert match
+ o added -d lo (null linktype)
+ o added ability to match proto icmp
+ o updated configure.in to handle old installations of pcap
+ more gracefully (i.e. continue on by adding the necessary
+ defines and just gripe)
+
+v1.34
+ o merged in patch from Andrew W. Flury <aflury@nas.nasa.gov>
+ for hex printing, made minor modification to patch to not
+ print off the end of the buffer
+ o added an optimization for the case where no regex was
+ specified; should account for a little speed up
+
+v1.33
+ o fragment changes, this should be it
+
+v1.32
+ o switched around regex -w/-i logic
+ o fragment bugfixes
+
+v1.31
+ o added -A (match after)
+ o Makefile.in changes
+ o configure.in changes for solaris
+ o added manpage (ngrep.8)
+
+v1.30
+
+ o bugfix: wasn't malloc'ing enough for word_regex
+ o bugfix: case-insensitive was tolower()ing the word_regex
+ itself
+
+v1.29
+
+ o added -e (show empty)
+ o one or two safe, preemptive changes catching possible int
+ overflows
+
+v1.28
+
+ o added -n
+ o no required arguments anymore
+ o regex's are not required anymore, can just be bpf logic
+ o probably a bugfix or two
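Review bot: typo in the v1.45 entry of CHANGES: `headres` in "read the full headres" should be `headers`. Separately, the v1.47 headline item 'Fix "no VLAN support for XXX"-related problems' leaves the placeholder XXX in a release note; naming the actual failure (the message users saw, or the issue it tracks) would make the entry as useful as the v1.46.1 entry, which explains the VLAN offset bug concretely.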
diff --git a/doc/CREDITS.txt b/CREDITS
diff --git a/EXAMPLES.md b/EXAMPLES.md
@@ -0,0 +1,366 @@
+Some helpful tips:
+
+ * When the intention is to match all packets (i.e. blank regex), it is
+ technically faster to use an empty regex (`''`) than to use a wildcard
+ (e.g. `'.*'`, `'*'`).
+
+ * When sniffing interfaces that are very busy or are seeing large amounts of
+ packet traffic, make sure to craft a BPF filter to limit what PCAP has to
+ deliver to ngrep. The ngrep parser takes a certain amount of time and while
+ negligible on a slow interface, it can add up very quickly on a busy one.
+
+ * Hexadecimal expressions can be in straight numeric form, 'DEADBEEF', or in
+ symbolic form, '0xDEADBEEF'. A byte is the smallest unit of measure you can
+ match against.
+
+ * As of v1.28, ngrep doesn't require a match expression. However, there are
+ cases where ngrep can be confused and think part of your bpf filter is the
+ match expression, as in:
+
+ ```
+ % ngrep not port 80
+ interface: eth0 (192.168.1.0/255.255.255.0)
+ filter: ip and ( port 80 )
+ match: not
+ ```
+
+ In cases like this, you will need to specify a blank match expression:
+
+ ```
+ % ngrep '' not port 80
+ interface: eth0 (192.168.1.0/255.255.255.0)
+ filter: ip and ( not port 80 )
+ ```
+
+## Basic Packet Sniffing
+
+Basic packet sniffing is easy with ngrep. It supports BPF filter logic, which
+means to say constraining what ngrep sees and displays is as easy as saying
+something like `ngrep host foo.bar.com and port 25`. Following are a few
+examples of common invocations of ngrep to do basic packet sniffing. Please
+note the usage of `any' as the specified ethernet adaptor to attach to; in most
+recent UNIX libpcap implementations this will instruct ngrep to attach to all
+interfaces at once, local (lo) and all external interfaces that may be active.
+
+* `ngrep -d any port 25`
+
+Monitor all activity crossing source or destination port 25 (SMTP).
+
+* `ngrep -d any 'error' port syslog`
+
+Monitor any network-based syslog traffic for the occurrence of the word "error".
+ngrep knows how to convert service port names (on UNIX, located in
+`/etc/services`) to port numbers.
+
+* `ngrep -wi -d any 'user|pass' port 21`
+
+Monitor any traffic crossing source or destination port 21 (FTP), looking
+case-insensitively for the words "user" or "pass", matched as word-expressions
+(the match term(s) must have non-alphanumeric, delimiting characters surrounding
+them).
+
+## Debugging HTTP interactions
+
+In certain scenarios it is desirous to see how web browsers communicate with web
+servers, and to inspect the HTTP headers and possibly cookie values that they
+are exchanging.
+
+In this example, we run an ngrep on a webserver. Since it only has
+one interface, eth0, we omit specifying the interface manually on the
+command line and allow ngrep to choose the default interface for us,
+for convenience.
+
+```
+# ngrep port 80
+interface: eth0 (64.90.164.72/255.255.255.252)
+filter: ip and ( port 80 )
+####
+T 67.169.59.38:42167 -> 64.90.164.74:80 [AP]
+ GET / HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i
+ 686) Opera 7.21 [en]..Host: www.darkridge.com..Accept: text/html, applicat
+ ion/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gi
+ f, image/x-xbitmap, */*;q=0.1..Accept-Charset: iso-8859-1, utf-8, utf-16, *
+ ;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0..Cookie: SQ
+ MSESSID=5272f9ae21c07eca4dfd75f9a3cda22e..Cookie2: $Version=1..Connection:
+ Keep-Alive, TE..TE: deflate, gzip, chunked, identity, trailers....
+##
+T 64.90.164.74:80 -> 67.169.59.38:42167 [AP]
+ HTTP/1.1 200 OK..Date: Mon, 29 Mar 2004 00:44:40 GMT..Server: Apache/2.0.49
+ (Unix)..Last-Modified: Tue, 04 Nov 2003 12:09:41 GMT..ETag: "210e23-326-f8
+ 200b40"..Accept-Ranges: bytes..Vary: Accept-Encoding,User-Agent..Content-En
+ coding: gzip..Content-Length: 476..Keep-Alive: timeout=15, max=100..Connect
+ ion: Keep-Alive..Content-Type: text/html; charset=ISO-8859-1..Content-Langu
+ age: en..............}S]..0.|...........H...8........@..\....(.....Dw.%.,..
+ ;.k.....Y>q<........d ...........3.i..kdm.u@d{.Q..\....@..B1.0.2YI^..R.....
+ ....X......X..y...\.....,..(........1...g.......*...j..a.`._@.W....0.....?.
+ .R.K.j..Y.....>...;kw*U.j.<...\0Tn.l.:......>Fs....'....h.'...u.H4..'.6.vID
+ I.......N.r.O...}...I.w. ...mX...L.s..{.L.R..-...e....~nu..t.3...H..#..J...
+ .u.?..]....^..2.....e8v/gP.....].48...qD!..........#y...m}..>/?..#........I
+ ..I..4.P......2:...n8l.......!.Yr&...
+##
+```
+
+As you can see, all headers and aspects of the HTTP transmission are exposed in
+their gory detail. It's a little hard to parse though, so let's see what
+happens when `-W byline` mode is used:
+
+```
+# ngrep -W byline port 80
+interface: eth0 (64.90.164.72/255.255.255.252)
+filter: ip and ( port 80 )
+####
+T 67.169.59.38:42177 -> 64.90.164.74:80 [AP]
+GET / HTTP/1.1.
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera ...
+Host: www.darkridge.com.
+Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9 ...
+Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1.
+Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0.
+Cookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.
+Cookie2: $Version=1.
+Cache-Control: no-cache.
+Connection: Keep-Alive, TE.
+TE: deflate, gzip, chunked, identity, trailers.
+.
+
+##
+T 64.90.164.74:80 -> 67.169.59.38:42177 [AP]
+HTTP/1.1 200 OK.
+Date: Mon, 29 Mar 2004 00:47:25 GMT.
+Server: Apache/2.0.49 (Unix).
+Last-Modified: Tue, 04 Nov 2003 12:09:41 GMT.
+ETag: "210e23-326-f8200b40".
+Accept-Ranges: bytes.
+Vary: Accept-Encoding,User-Agent.
+Content-Encoding: gzip.
+Content-Length: 476.
+Keep-Alive: timeout=15, max=100.
+Connection: Keep-Alive.
+Content-Type: text/html; charset=ISO-8859-1.
+Content-Language: en.
+.
+..........}S]..0.|...........H...8........@..\....(.....Dw.%.,..;.k.. ...
+.;kw*U.j.<...\0Tn.l.:......>Fs....'....h.'...u.H4..'.6.vIDI.......N.r ...
+..H..#..J....u.?..]....^..2.....e8v/gP.....].48...qD!..........#y...m ...
+####
+```
+
+(Content visually truncated for display purposes.)
+
+`-W byline` mode tells ngrep to respect embedded line feeds when they occur.
+You'll note from the output above that there is still a trailing dot (".") on
+each line, which is the carriage-return portion of the CRLF pair. Using this
+mode, now the output has become much easier to visually parse.
+
+## Processing PCAP dump files, looking for patterns
+
+I had a friend who worked at Network Solutions and among the things he did was
+analyze huge 500M+ PCAP dump files of DNS traffic, looking for patterns and
+anomalies. ngrep was an invaluable tool for this purpose; it allowed him to
+take one instance of a network dump and search it quickly and repeatedly for
+patterns in the data packets.
+
+To save a PCAP dump file from ngrep is very easy; simply run ngrep as you
+normally would but add one more command line option: `-O some.file.dump` (the
+name of the file is largely irrelevant). To illustrate another feature of
+ngrep, we will use the `-T` option (print time differential information).
+
+```
+# ngrep -O /tmp/dns.dump -d any -T port domain
+interface: any
+filter: ip and ( port domain )
+output: /tmp/dns.dump
+#
+U +0.000000 203.115.225.24:53 -> 64.90.164.74:53
+ .............m.razor2.cloudmark.com.......)........
+#
+U +0.000281 64.90.164.74:53 -> 203.115.225.24:53
+ .............m.razor2.cloudmark.com................'.ns1...hostmaster..ws..
+ ..p.... ..:.......)........
+#
+U +0.078184 195.113.155.7:2949 -> 64.90.164.74:53
+ .............a.razor2.cloudmark.com.....
+#
+U +0.000351 64.90.164.74:53 -> 195.113.155.7:2949
+ .............a.razor2.cloudmark.com..................agony...4..........B..
+ ..............ns1...............ns2...............ns3...X..........@Z.J.j..
+ ........@Z...|..........B..;
+^Cexit
+6 received, 0 dropped
+```
+
+Note the `output:` indicator and timestamp information. Now we have a PCAP dump
+file, and so let's search it for some patterns:
+
+```
+# ngrep -w 'm' -I /tmp/dns.dump
+input: /tmp/dns.dump
+match: ((^m\W)|(\Wm$)|(\Wm\W))
+#
+U 203.115.225.24:53 -> 64.90.164.74:53
+ .............m.razor2.cloudmark.com.......)........
+#
+U 64.90.164.74:53 -> 203.115.225.24:53
+ .............m.razor2.cloudmark.com................'.ns1...hostmaster..ws..
+ ..p.... ..:.......)........
+##exit
+```
+
+Above we searched for the letter "m", matched as a word (`-w`). This yields two
+packets.
+
+```
+# ngrep -tD ns3 -I /tmp/dns.dump
+input: /tmp/dns.dump
+match: ns3
+####
+U 2004/03/28 20:32:37.088525 64.90.164.74:53 -> 195.113.155.7:2949
+ .............a.razor2.cloudmark.com..................agony...4..........B..
+ ..............ns1...............ns2...............ns3...X..........@Z.J.j..
+ ........@Z...|..........B..;
+exit
+```
+
+Here we've added `-t` which means print the absolute timestamp on the packet,
+and `-D` which means replay the packets by the time interval at which they were
+recorded. The latter is a neat little feature for observing the traffic at the
+rates/times they originally seen, though in this example it's not terribly
+effective as there is only one packet being matched.
+
+```
+# ngrep -I /tmp/dns.dump port 80
+input: /tmp/dns.dump
+filter: ip and ( port 80 )
+exit
+```
+
+There's no port 80 traffic in the dump, so of course the BPF filter yields us no
+results.
+
+## Observing binary being transferred across the wire
+
+One interesting feature of ngrep is its ability to take a hexademical (binary)
+expression and search for that in lieu of a regular expression. ngrep can also
+display the packets it observes in a hexadecimal format, which is more effective
+for inspecting binary content patterns.
+
+In this example, we will simply look for a binary pattern in a web stream, but
+the more obvious usage is to look for a DDoS Zombie's unique binary signature
+(say, from a command packet), or even a Worm/Virus being transferred across the
+wire as it propogates itself.
+
+For this test, let's assume we have a GIF on a web server that has the data
+pattern "0xc5d5e5f55666768696a6b6c6d6e6" (hexademical) in it. Once `-X` is
+specified, the expression will be interpreted as a hexademical pattern instead
+of a regular expression, and the "0x" prefix is optional.
+
+To see a packet like this cross the wire:
+
+```
+# ngrep -xX '0xc5d5e5f55666768696a6b6c6d6e6' port 80
+interface: eth0 (64.90.164.72/255.255.255.252)
+filter: ip and ( port 80 )
+match: 0xc5d5e5f55666768696a6b6c6d6e6
+###
+T 64.90.164.74:80 -> 67.169.59.38:42306 [A]
+ ff d8 ff e0 00 10 4a 46 49 46 00 01 02 01 00 48 ......JFIF.....H
+ 00 48 00 00 ff ed 13 ba 50 68 6f 74 6f 73 68 6f .H......Photosho
+ 70 20 33 2e 30 00 38 42 49 4d 03 ed 00 00 00 00 p 3.0.8BIM......
+ 00 10 00 48 00 00 00 01 00 01 00 48 00 00 00 01 ...H.......H....
+ 00 01 38 42 49 4d 04 0d 00 00 00 00 00 04 00 00 ..8BIM..........
+ 00 78 38 42 49 4d 03 f3 00 00 00 00 00 08 00 00 .x8BIM..........
+ 00 00 00 00 00 00 38 42 49 4d 04 0a 00 00 00 00 ......8BIM......
+ 00 01 00 00 38 42 49 4d 27 10 00 00 00 00 00 0a ....8BIM'.......
+ 00 01 00 00 00 00 00 00 00 02 38 42 49 4d 03 f5 ..........8BIM..
+ 00 00 00 00 00 48 00 2f 66 66 00 01 00 6c 66 66 .....H./ff...lff
+ 00 06 00 00 00 00 00 01 00 2f 66 66 00 01 00 a1 ........./ff....
+ 99 9a 00 06 00 00 00 00 00 01 00 32 00 00 00 01 ...........2....
+ 00 5a 00 00 00 06 00 00 00 00 00 01 00 35 00 00 .Z...........5..
+ 00 01 00 2d 00 00 00 06 00 00 00 00 00 01 38 42 ...-..........8B
+ 49 4d 03 f8 00 00 00 00 00 70 00 00 ff ff ff ff IM.......p......
+ ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
+ ff ff 03 e8 00 00 00 00 ff ff ff ff ff ff ff ff ................
+ ff ff ff ff ff ff ff ff ff ff ff ff ff ff 03 e8 ................
+ 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ................
+ ff ff ff ff ff ff ff ff ff ff 03 e8 00 00 00 00 ................
+ ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
+ ff ff ff ff ff ff 03 e8 00 00 38 42 49 4d 04 08 ..........8BIM..
+ 00 00 00 00 00 10 00 00 00 01 00 00 02 40 00 00 .............@..
+ 02 40 00 00 00 00 38 42 49 4d 04 14 00 00 00 00 .@....8BIM......
+ 00 04 00 00 00 06 38 42 49 4d 04 0c 00 00 00 00 ......8BIM......
+ 12 2a 00 00 00 01 00 00 00 70 00 00 00 57 00 00 .*.......p...W..
+ 01 50 00 00 72 30 00 00 12 0e 00 18 00 01 ff d8 .P..r0..........
+ ff e0 00 10 4a 46 49 46 00 01 02 01 00 48 00 48 ....JFIF.....H.H
+ 00 00 ff fe 00 26 46 69 6c 65 20 77 72 69 74 74 .....&File writt
+ 65 6e 20 62 79 20 41 64 6f 62 65 20 50 68 6f 74 en by Adobe Phot
+ 6f 73 68 6f 70 a8 20 35 2e 30 ff ee 00 0e 41 64 oshop. 5.0....Ad
+ 6f 62 65 00 64 80 00 00 00 01 ff db 00 84 00 0c obe.d...........
+ 08 08 08 09 08 0c 09 09 0c 11 0b 0a 0b 11 15 0f ................
+ 0c 0c 0f 15 18 13 13 15 13 13 18 11 0c 0c 0c 0c ................
+ 0c 0c 11 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ................
+ 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 01 ................
+ 0d 0b 0b 0d 0e 0d 10 0e 0e 10 14 0e 0e 0e 14 14 ................
+ 0e 0e 0e 0e 14 11 0c 0c 0c 0c 0c 11 11 0c 0c 0c ................
+ 0c 0c 0c 11 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ................
+ 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ................
+ ff c0 00 11 08 00 57 00 70 03 01 22 00 02 11 01 ......W.p.."....
+ 03 11 01 ff dd 00 04 00 07 ff c4 01 3f 00 00 01 ............?...
+ 05 01 01 01 01 01 01 00 00 00 00 00 00 00 03 00 ................
+ 01 02 04 05 06 07 08 09 0a 0b 01 00 01 05 01 01 ................
+ 01 01 01 01 00 00 00 00 00 00 00 01 00 02 03 04 ................
+ 05 06 07 08 09 0a 0b 10 00 01 04 01 03 02 04 02 ................
+ 05 07 06 08 05 03 0c 33 01 00 02 11 03 04 21 12 .......3......!.
+ 31 05 41 51 61 13 22 71 81 32 06 14 91 a1 b1 42 1.AQa."q.2.....B
+ 23 24 15 52 c1 62 33 34 72 82 d1 43 07 25 92 53 #$.R.b34r..C.%.S
+ f0 e1 f1 63 73 35 16 a2 b2 83 26 44 93 54 64 45 ...cs5....&D.TdE
+ c2 a3 74 36 17 d2 55 e2 65 f2 b3 84 c3 d3 75 e3 ..t6..U.e.....u.
+ f3 46 27 94 a4 85 b4 95 c4 d4 e4 f4 a5 b5 c5 d5 .F'.............
+ e5 f5 56 66 76 86 96 a6 b6 c6 d6 e6 f6 37 47 57 ..Vfv........7GW
+ 67 77 87 97 a7 b7 c7 d7 e7 f7 11 00 02 02 01 02 gw..............
+ 04 04 03 04 05 06 07 07 06 05 35 01 00 02 11 03 ..........5.....
+ 21 31 12 04 41 51 61 71 22 13 05 32 81 91 14 a1 !1..AQaq"..2....
+ b1 42 23 c1 52 d1 f0 33 24 62 e1 72 82 92 43 53 .B#.R..3$b.r..CS
+ 15 63 73 34 f1 25 06 16 a2 b2 83 07 26 35 c2 d2 .cs4.%......&5..
+ 44 93 54 a3 17 64 45 55 36 74 65 e2 f2 b3 84 c3 D.T..dEU6te.....
+ d3 75 e3 f3 46 94 a4 85 b4 95 c4 d4 e4 f4 a5 b5 .u..F...........
+ c5 d5 e5 f5 56 66 76 86 96 a6 b6 c6 d6 e6 f6 27 ....Vfv........'
+ 37 47 57 67 77 87 97 a7 b7 c7 ff da 00 0c 03 01 7GWgw...........
+ 00 02 11 03 11 00 3f 00 f2 a5 3a ad 35 ba 40 0e ......?...:.5.@.
+ 04 16 90 78 20 a8 25 07 94 aa d3 19 18 90 41 a2 ...x .%.......A.
+ 13 9a 4b 9b b9 a0 91 c8 3d c8 ef a7 f2 14 46 35 ..K.....=.....F5
+ af fe 6c 6f f8 73 e3 3b 7e 92 6a ad 2c 30 75 64 ..lo.s.;~.j.,0ud
+ 82 47 fd f9 a7 f3 5c 8a ec d7 b5 e4 d2 4b 79 0d .G....\......Ky.
+ 73 a0 ba 3f f2 49 87 8b 61 4d 88 fd de 40 4a 66 s..?.I..aM...@Jf
+ 51 fd e8 c7 e6 ff 00 03 f4 5a ee 63 d8 76 bd a5 Q........Z.c.v..
+ a4 76 22 13 29 d9 75 b6 99 b1 ee 7c 71 b8 ca 82 .v".).u....|q...
+ 78 be ad 79 70 f1 1e 1b e1 e9 c5 f3 29 24 92 49 x..yp.......)$.I
+ 0a 49 24 92 52 92 45 c7 c4 bf 25 c5 b4 b7 76 d1 .I$.R.E...%...v.
+ 2e 3c 00 3f 94 ef a2 d5 6f 33 a3 64 e1 63 7a f9 .<.?....o3.d.cz.
+ 0f a9 85 c5 bb 29 f5 18 eb 1c 1c 1d b9 e2 ba 9c .....)..........
+ ff 00 63 36 fe 7a 69 c9 00 44 4c 87 11 da 3d 57 ..c6.zi..DL...=W
+ 8c 59 0c 4c c4 4f 08 fd 2e 8d 3a da e7 1d 8d 11 .Y.L.O....:.....
+ 22 75 47 ca fb 35 78 d5 d2 c2 1f 7c 87 58 f6 ea "uG..5x....|.X..
+ 06 91 e9 ef fc e4 1b 5f 4c 33 d1 05 a7 68 0f 27 ......._L3...h.'
+ b9 fc e8 42 4a ac 83 a8 ae 8c 9e e0 84 65 00 23 ...BJ........e.#
+ 23 21 5c 7f 37 0c 7e 6f 47 f5 9f ff d0 f2 ae ca #!\.7.~oG.......
+ 62 36 c1 3a 1f c0 84 cd 69 71 81 c9 47 a6 f6 e3 b6.:....iq..G...
+ 3f 75 41 af 78 e1 ef 12 27 fe 0d bf f9 24 f1 3e ?uA.x...'....$.>
+ 0d 40 e2 24 55 7f 15 f0 80 91 1c 52 e0 85 eb 2a .@.$U......R...*
+ e2 ff 00 16 3f a4 c2 fc 5c 8a 1a c7 da c2 c6 d9 ....?...\.......
+ f4 67 c9 05 5f ca ea 37 3c fa 77 1a b2 1b e2 01 .g.._..7<.w.....
+ 81 3d 83 bd 8a 2e a8 67 39 b5 e0 63 90 e6 34 9b .=.....g9..c..4.
+ 00 20 ff 00 68 f1 ec 67 ef a8 63 29 50 e3 00 5f . ..h..g..c)P.._
+ 51 f2 b3 f3 18 79 70 66 70 e5 26 30 e1 a8 65 1f Q....ypfp.&0..e.
+ ad 9c bf 4e 8e 3e 2c 5f f3 d8 62 f4 dc ac a6 ef ...N.>,_..b.....
+ a8 02 c0 40 73 8b 86 93 fb df 9c b6 3a 66 36 0d ...@s.......:f6.
+ 6c 73 18 45 b7 6a 2c de ls.E.j,.
+#########
+```
+
+Above we specified `-X` to tell ngrep to treat the match expression as
+hexadecimal, and `-x` to tell ngrep to print out the patterns it matches in
+hexadecimal form.
+
+As it turns out, several other packets also matched this pattern, but this
+should give you a good idea of how to use hexadecimal patterns and the hex
+output mode.
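Review bot: several typos in the new EXAMPLES.md: `hexademical` (three occurrences in the "Observing binary" section) should be `hexadecimal`, `propogates` should be `propagates`, and "at the rates/times they originally seen" is missing "were". The mixed quoting in "`any'" under Basic Packet Sniffing should be a matched pair of backticks now that the file is markdown. Consider redacting the captured session cookie value (`Cookie: SQMSESSID=...`) and the `Cookie2` line in the HTTP example output before shipping this in the repository; the example reads the same with a placeholder value, and the byline section already notes the content is truncated for display.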
diff --git a/INSTALL b/INSTALL
@@ -0,0 +1,83 @@
+
+=================================================================
+NOTE: These instructions are from the 2006 release of ngrep 1.45.
+ They are sparse but will still give you the gist. Otherwise
+ try ngrep from your favorite package manager!
+=================================================================
+
+ngrep Installation Guide
+------------------------
+
+1. Install the latest Packet Capture Library
+
+In orer to compile ngrep on any platform, the relevant packet capture
+(PCAP) client support library must be installed.
+
+On UNIX, this is called ``libpcap'' and can be installed either from
+source or from a distribution's particular package management system.
+Some distributions separate the library itself from its development
+headers (i.e. libpcap-devel), so make sure to install both if this is
+the case.
+
+On Windows, the client support library is called ``WinPcap Developer's
+Pack'' and should be unpacked inside the parent directory of the ngrep
+source tree.
+
+The latest versions can be found at:
+
+ UNIX: http://tcpdump.org/release/
+ Win32: http://www.winpcap.org/
+
+
+2. Unpack the ngrep source
+
+Once the client packet capture client support library is installed,
+unpack the ngrep source to a directory.
+
+On Windows, this must be under the same parent directory as the
+WinPcap Developer's Pack.
+
+
+3. Compile the ngrep program
+
+On UNIX, type the following from the root of the ngrep source tree:
+
+ % ./configure && make
+
+On Windows, open the ``ngrep.sln'' file located in the ``win32''
+subdirectory of the ngrep source tree using Visual Studio.NET. From
+there you should be able to Build the solution in either Debug or
+Release mode. Once this is done, copy the resulting ``ngrep.exe''
+(located in either the ``Debug'' or ``Release'' subdirectory depending
+on compile configuration) into any directory in your path for easy
+usage (``c:\windows'', for instance).
+
+Please ignore the warnings associated with the GNU Regex library
+included in the ngrep source tree.
+
+
+4. Install the PCAP kernel driver
+
+ngrep is a PCAP-based program and therefore requires the PCAP kernel
+driver to be installed before it will function properly.
+
+The PCAP Driver is already integrated into the vast majority of UNIX
+and Linux kernels released within the last ~20 years.
+
+The Windows Platform, however, does not come with an integrated PCAP
+kernel driver by default, so it is necessary to install one before
+ngrep will work.
+
+
+Getting Help
+------------
+
+On UNIX, if you still have problems compiling or are compiling on an
+unsupported OS, try playing with other build types -- i.e. if you have
+a BSD derived system, try the BSD build type.
+
+If you still have problems, please submit an issue on GitHub or feel
+free to email me, however please try to help yourself first and search
+Google for possible answers before reaching out.
+
+Jordan Ritter <jpr5@darkridge.com>
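Review bot: typo in step 1 of INSTALL: `In orer` should be `In order`, and step 2 repeats "client" ("the client packet capture client support library"). Step 3 still directs Windows users to open `ngrep.sln` with Visual Studio.NET, while the v1.47 CHANGES entry in this same commit says the Win32 build was fixed for MS VS2012; the banner at the top admits the text is from the 2006 release, so step 3 should either be updated to match or point readers at whatever the `win32` subdirectory currently contains. The tcpdump.org and winpcap.org download links are plain http; prefer https where the sites offer it so the capture library is not fetched over an unauthenticated channel.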
diff --git a/LICENSE.txt b/LICENSE
diff --git a/README.md b/README.md
@@ -0,0 +1,83 @@
+## ngrep 1.47 (9.7.2017)
+
+ngrep is like GNU grep applied to the network layer. It's is a PCAP-based tool
+that allows you to specify an extended regular or hexadecimal expression to
+match against data payloads of packets. It understands many kinds of protocols,
+including IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw, across a wide variety of
+interface types, and understands BPF filter logic in the same fashion as more
+common packet sniffing tools, such as tcpdump and snoop.
+
+
+## What's New
+
+ * Fix "no VLAN support for XXX"-related problems
+ * Fix truncated/garbled output (e.g. SIP over SLL/Linux cooked sockets)
+ * Change exit behavior to match BSD & GNU grep (see manpage)
+ * Add Solaris IPnet support
+ * Update to use 32bit values where relevant
+ * Emit frame # in header, useful for reference/analysis
+ * Emit total received, matched upon exit (dropped unreliable PCAP stats)
+ * Import debian patches related to autotools, manpage, and compilation
+ * on other platforms
+ * Fix build clean/distclean when not linked against provided GNU regex
+ * Fix build --enable/--disable flag processing
+ * Fix building under MS VS2012 / Win32
+ * Update to latest autotools (2017)
+
+
+## How to use
+
+ngrep was originally developed to:
+
+* debug plaintext protocol interactions such as HTTP, IMAP, DNS, SIP, etc.
+* identify and analyze anomalous network communications such as those between
+ malware, zombies and viruses
+* store, read and reprocess pcap dump files while looking for specific data
+ patterns
+
+As well, it could be used to do plaintext credential collection, as with HTTP
+Basic Authentication, FTP or POP3 authentication. Like all useful tools, it can
+be used for good and for bad.
+
+Visit [EXAMPLES](EXAMPLES.md) to learn more about how ngrep works and can be
+leveraged to see all sorts of neat things.
+
+
+## Support, Feedback, & Patches
+
+If you need help, have constructive feedback, or would like to submit a patch,
+please visit ngrep's project at GitHub and use the online tools there. It will
+help the author better manage the various requests and patches so that nothing
+is lost or missed (as has been the case in the past, unfortunately).
+
+* Issues: https://github.com/jpr5/ngrep/issues
+* Patches: https://github.com/jpr5/ngrep/pulls
+
+
+## Confirmed Working Platforms
+
+* Linux 2.0+ (RH6+, SuSE, TurboLinux, Debian, Gentoo, Ubuntu, Mandrake, Slackware)/x86, RedHat/alpha Cobalt, (Qube2) Linux/MIPS
+* Solaris 2.5.1, 2.6/SPARC, Solaris 7, Solaris 8/SPARC, Solaris 9/SPARC
+* FreeBSD 2.2.5, 3.1, 3.2, 3.4-RC, 3.4-RELEASE, 4.0, 5.0
+* OpenBSD 2.4 (after upgrading pcap from 0.2), 2.9, 3.0, 3.1+
+* NetBSD 1.5/SPARC
+* Digital Unix V4.0D (OSF/1), Tru64 5.0, Tru64 5.1A
+* HPUX 11
+* IRIX
+* AIX 4.3.3.0/PowerPC
+* BeOS R5
+* Mac OS X 10+
+* GNU HURD
+* Windows 95, 98, NT, 2000, XP, 2003/x86, 7, 8, 8.1, 10
+
+
+## Miscellany
+
+Please see [CREDITS](CREDITS) for a partial list of the many people who helped make ngrep
+what it is today. Also, please note that ngrep is released under a simple
+BSD-style license, though depending on which regex library you compile
+against, you'll either get the GPL (GNU regex) or Artistic (PCRE).
+
+ * Unix libpcap: http://www.tcpdump.org/release/
+ * Windows libpcap: http://www.winpcap.org/install/
+ * PCRE: http://www.pcre.org/
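Review bot: the "What's New" list splits one entry into two bullets: `* Import debian patches related to autotools, manpage, and compilation` and `* on other platforms` are a single item (the CHANGES file being deleted below has the second line as a wrapped continuation), so the second line should be indented as a continuation rather than given its own `*`. Also, `It's is a PCAP-based tool` in the opening paragraph should read `It's a PCAP-based tool`.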
diff --git a/doc/CHANGES.txt b/doc/CHANGES.txt
@@ -1,296 +0,0 @@
-v1.47
- o Updates to fix building under MS VS2012 / Win32
-
- o Updates to use 32bit values where relevant
-
- o Fix to reduce searchable space when VLAN header present
-
- o Import debian patches related to autotools, manpage, and compilation
- on other platforms
-
- o Update to latest autotools
-
-v1.46.1
-
- o actual bugfix for the VLAN parsing issue. prior version 1.46 expanded
- the BPF filter to include IPv4/6 traffic, but the offset calculation
- forgot to account for the variable presence of VLAN headers. now
- ngrep detects VLAN frames in every packet and adjusts the offset on
- the fly.
-
-v1.46
-
- o configure.in: re-organized, in part to sync with downstream patches
- (which were never sent upstream)
-
- o configure.in: removed included PCRE library, now builds against system
- version when specified (default is included GNU Regex)
-
- o configure.in: fixed duplicate PCAP header check, which broke with the
- release of libpcap 1.0
-
- o configure.in: prefixed all tack-on autoconf variables from _FOO -> EXTRA_FOO
-
- o Makefile.in: capitulated to Debian: use tar.gz instead of tar.bz2 :-(
-
- o ngrep.c: Call setlocale to make isprint() work based on current
- locale. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307496++
-
- o include tcpkill functionality (-K), a long-standing downstream patch
- under Debian
-
- o updated to latest autoconf
-
- o updated copyrights to 2014
-
-v1.45
-
- o fixed bug where setting the snaplen smaller than the minimum
- necessary to read the full headres would cause garbage to be
- fed into the pattern matcher
-
- o fixed unreported bug in IPv6/TCP packet length calculation
-
- o relocated the privilege-dropping routine to be invoked right
- before entering the packet processing loop, to prevent
- interference with necessary permissions to read or write
- dumpfiles/etc.
-
- o fixed integer overflow with the snaplen that resulted from
- an implicit signed/unsigned conversion
-
- o minor change to compensate for some broken compiler
- optimizers
-
- o fixed double-free race condition during ngrep termination
-
- o reworked packet length calculation in the main processing
- loop, improving performance and readability
-
- o simplified regex build logic in configure and Makefile
-
- o updated Win32 version to use config.h for preprocessor
- definitions instead of the Visual Studio project files,
- making manual tweaking and config of ngrep for Win32
- consistent with *NIX and more obvious
-
- o changed third-party Makefiles to properly clean up after
- themselves
-
- o added support for radiotap (IEEE802_11_RADIO)
-
- o changed ``-s 0'' invocation to mimic the equivalent of tcpdump
-
-v1.44
- o added post-config section to configure: emit important
- config option settings that weren't previously indicated
-
- o for BSD platforms, only emit pcap_restart warning from
- configure if ``--disable-pcap-restart'' hasn't been
- specified
-
- o added IPv6 and ICMPv6 support (all platforms); disabled by
- default for common case where libpcap wasn't compiled with
- IPv6 support
-
- o added support for displaying protocol number (``-N''),
- useful for when observing raw packets
-
- o added support for new display method ``single'', similar to
- ``byline'' but both header and data occupy one single line
-
- o introduced multiple levels of quiet (``-q''); the more it is
- specified the more quiet ngrep becomes
-
- o reorganization of some internal support headers and core
- code to eliminate redundancy, improve readability and
- efficiency, and support new features
-
- o changed all integer types to be bit- and sign-explicit
-
-v1.43
- o healed the win32 code fork: ngrep now builds from the same
- source tree for all platforms including Windows
-
- o re-wrote the privilege revocation logic after problems were
- reported with the SPC version, and removed non-root
- drop_privs capability altogether
-
- o fix off-by-one bug which caused ngrep to exit 1 packet early
- when ``-A'' as invoked
-
- o Fixed problematic configtest for old broken-redhat-glibc UDP
- header
-
- o ngrep now sets a pcap filter "ip" by default, if one is not
- specified
-
- o header offset fix to 802.11 processing
-
- o support IGMP and Raw (unknown IP protocol) type packets
-
- o support for latest versions of libpcap (0.8.3) and winpcap
- (3.1 beta 4)
-
- o updated configure to autoconf 2.59, and config.guess and
- config.sub to latest versions
-
- o updated PCRE from 3.4 to 5.0
-
- o and various minor changes and updates to improve ngrep
-
-v1.42
- o rewrote the entire configure.in/config.h.in to autoconf 2.57
- to be more consistent with normal autoconf'd programs.
- corrects bugs around packaging impediments and typos
-
- o improved privilege dropping code and added more options to
- configure to govern its behaviour
-
- o added flag to turn off privilege revocation logic
-
- o added multiline match as default and ability to enforce
- previous default single-line match (bugfix + feature)
-
- o added ability to read bpf filter expression from file
-
- o added ability to force the column width to a certain size
-
- o added two new output modes: ``byline'', whose output
- respects embedded carriage returns (useful for http dumps),
- and ``none'', which prints out each dump as a single line no
- matter what
-
- o added ability to specify alternate nonprintable character
- (default is ``.'')
-
- o made ``-q'' effects more consistent and usable for scenarios
- where ``-I'' and/or ``-O'' are being employed
-
- o documentation updated
-
-v1.41
- o added -S (set limitlen)
- o added LOOP and SLL tests for portability/old libpcap'en
- o added configure --safe-user and dropprivs code
- o added TCP ECN congestion header recognition
- o improved support for a few OSes
- o relaxed some restrictions in the license (COPYRIGHT -> LICENSE)
- o 802.11 support
-
-v1.40.1
- o MacOS X support
- o ISDN (SLL) support
- o OpenBSD tun device support
- o updated configure.in to support specifying pcap directory
- o updated config.sub and config.guess
- o added scripts/multi.pl, parallel ngrep perl script
- o very minor change to documentation
-
-v1.40
- o license change, amends the BSD advertising clause
- o fixed bug from not considering caplen in payload length
- calculations
- o added -s (set bpf caplen)
- o fixed header include for linux glibc 2.2 (time.h wasn't
- being included)
-
-v1.39.2
- o typographical error, -p works now
-
-v1.39.1
- o added in AIX includes
- o added BSD* includes for display updates
- o added -p (don't go into promiscuous mode)
-
-v1.39
- o in standard match mode, the display now updates when window
- sizes change
- o configure now gives the user the option to compile with the
- pcre library, which is more license-friendly (albeit slower)
- o fixed minor bug in date printing with -t
- o added configure option '--without-restart', which will
- remove the pcap restart API call. Newer versions of libpcap
- don't need it, and on certain platforms the API call
- segfaults
- o win32: compiled with winpcap's pcap.h, which apparently
- breaks the pcap standard and introduces its own data link
- layer types. fixes the 'unsupported interface' error folks
- sometimes got when used with a 100bT adapter
-
-v1.38
- o binary matching
- o windows compilation support
- o 64-bit clean patch to regex.c
- o dump and replay pcap_dump files
- o officially licensed under the BSD license
- o normal and diff/delta timestamps
-
-v1.37
- o added FDDI support
-
-v1.36
- o added -l (line buffer stdout)
- o a few optimizations were made to shave off some cpu cycles
- spent on processing each packet
- o fixed bug where the blank regex algorithm wasn't even being
- used
- o fixed bug in blank regex algorithm that was preventing '-n'
- from working
- o change to compile on LinuxPPC
- o change to nix potential warnings on other OSes
- o change to not exit if pcap_lookupnet fails
-
-v1.35
- o appears that the release of 1.34 had only one of the
- match optimizations: somehow only the tcp match was updated;
- udp change was omitted. fixed
- o moved -v (version) to -V
- o added -v (grep -v), invert match
- o added -d lo (null linktype)
- o added ability to match proto icmp
- o updated configure.in to handle old installations of pcap
- more gracefully (i.e. continue on by adding the necessary
- defines and just gripe)
-
-v1.34
- o merged in patch from Andrew W. Flury <aflury@nas.nasa.gov>
- for hex printing, made minor modification to patch to not
- print off the end of the buffer
- o added an optimization for the case where no regex was
- specified; should account for a little speed up
-
-v1.33
- o fragment changes, this should be it
-
-v1.32
- o switched around regex -w/-i logic
- o fragment bugfixes
-
-v1.31
- o added -A (match after)
- o Makefile.in changes
- o configure.in changes for solaris
- o added manpage (ngrep.8)
-
-v1.30
-
- o bugfix: wasn't malloc'ing enough for word_regex
- o bugfix: case-insensitive was tolower()ing the word_regex
- itself
-
-v1.29
-
- o added -e (show empty)
- o one or two safe, preemptive changes catching possible int
- overflows
-
-v1.28
-
- o added -n
- o no required arguments anymore
- o regex's are not required anymore, can just be bpf logic
- o probably a bugfix or two
-
-
-
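Review bot: the v1.47 entry being deleted here lists `Fix to reduce searchable space when VLAN header present`, which has no counterpart in the README.md "What's New" list added in this commit. If it was folded into the `Fix "no VLAN support for XXX"-related problems` entry that is fine, but otherwise the item has been dropped in the rewrite and should be restored to the new list.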
diff --git a/doc/INSTALL.txt b/doc/INSTALL.txt
@@ -1,85 +0,0 @@
-
-=================================================================
-NOTE: These instructions are from the 2006 release of ngrep 1.45.
- They are outdated but will still give you the gist.
-=================================================================
-
-ngrep Installation Guide
-------------------------
-
-1. Install the latest Packet Capture Library
-
-In orer to compile ngrep on any platform, the relevant packet capture
-(PCAP) client support library must be installed.
-
-On UNIX, this is called ``libpcap'' and can be installed either from
-source or from a distribution's particular package management system.
-Some distributions separate the library itself from its development
-headers (i.e. libpcap-devel), so make sure to install both if this is
-the case.
-
-On Windows, the client support library is called ``WinPcap Developer's
-Pack'' and should be unpacked inside the parent directory of the ngrep
-source tree.
-
-The latest versions (as of this writing) are located at:
-
- UNIX: http://tcpdump.org/release/libpcap-0.9.5.tar.gz
- Win32: http://www.winpcap.org/install/bin/wpdpack_3_1.zip
-
-
-2. Unpack the ngrep source
-
-Once the client packet capture client support library is installed,
-unpack the ngrep source to a directory.
-
-On Windows, this must be under the same parent directory as the
-WinPcap Developer's Pack.
-
-
-3. Compile the ngrep program
-
-On UNIX, type the following from the root of the ngrep source tree:
-
- % ./configure && make
-
-On Windows, open the ``ngrep.sln'' file located in the ``win32''
-subdirectory of the ngrep source tree using Visual Studio.NET. From
-there you should be able to Build the solution in either Debug or
-Release mode. Once this is done, copy the resulting ``ngrep.exe''
-(located in either the ``Debug'' or ``Release'' subdirectory depending
-on compile configuration) into any directory in your path for easy
-usage (``c:\windows'', for instance).
-
-Please ignore the warnings associated with the GNU Regex library
-included in the ngrep source tree.
-
-
-4. Install the PCAP kernel driver
-
-ngrep is a PCAP-based program and therefore requires the PCAP kernel
-driver to be installed before it will function properly.
-
-The PCAP Driver is already integrated into the vast majority of UNIX
-and Linux kernels released within the last ~10 years.
-
-The Windows Platform, however, does not come with an integrated PCAP
-kernel driver by default, so it is necessary to install one before
-ngrep will work. The latest version (as of this writing) is located
-at:
-
- http://www.winpcap.org/install/bin/WinPcap_3_1.exe
-
-
-Getting Help
-------------
-
-On UNIX, if you still have problems compiling or are compiling on an
-unsupported OS, try playing with other build types -- i.e. if you have
-a BSD derived system, try the BSD build type.
-
-Please email me for help if you if you still have problems, however
-please try to help yourself first and search Google for possible
-answers before contacting me.
-
-Jordan Ritter <jpr5@darkridge.com>
diff --git a/doc/README.txt b/doc/README.txt
@@ -1,154 +0,0 @@
-Program: ngrep
-Author: Jordan Ritter <jpr5@darkridge.com>
-Version: 1.47 (9.6.2017)
-
-
-Goal:
-
- A program that mimicks as much functionality in GNU grep as possible, applied
- at the network layer.
-
-
-Description:
-
- ngrep strives to provide most of GNU grep's common features, applying them to
- the network layer. ngrep is a pcap-aware tool that will allow you to specify
- extended regular or hexadecimal expressions to match against data payloads of
- packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw
- across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and
- understands BPF filter logic in the same fashion as more common packet
- sniffing tools, such as tcpdump and snoop.
-
-
-usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
- <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
- <-P char> <-F file>
- <match expression> <bpf filter>
-
-usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
- <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
- <-P char> <-F file>
- <match expression> <bpf filter>
- -h is help/usage
- -V is version information
- -q is be quiet (don't print packet reception hash marks)
- -e is show empty packets
- -i is ignore case
- -v is invert match
- -R is don't do privilege revocation logic
- -x is print in alternate hexdump format
- -X is interpret match expression as hexadecimal
- -w is word-regex (expression must match as a word)
- -p is don't go into promiscuous mode
- -l is make stdout line buffered
- -D is replay pcap_dumps with their recorded time intervals
- -t is print timestamp every time a packet is matched
- -T is print delta timestamp every time a packet is matched
- specify twice for delta from first match
- -M is don't do multi-line match (do single-line match instead)
- -I is read packet stream from pcap format file pcap_dump
- -O is dump matched packets in pcap format to pcap_dump
- -n is look at only num packets
- -A is dump num packets after a match
- -s is set the bpf caplen
- -S is set the limitlen on matched packets
- -W is set the dump format (normal, byline, single, none)
- -c is force the column width to the specified size
- -P is set the non-printable display char to what is specified
- -F is read the bpf filter from the specified file
- -N is show sub protocol number
-
-On UNIX:
- -d is use specified device instead of the pcap default
-
-On Win32:
- -d is use specified device (index) instead of the pcap default
- -L is show the winpcap device list index
-
-
-Tips:
-
- o When the intention is to match all packets (i.e. blank regex), it is
- technically faster to use an empty regex (``'') than to use ``.*'' or ``*''.
-
- o When sniffing interfaces that are very busy or are seeing large amounts of
- packet traffic, make sure to craft a BPF filter to limit what PCAP has to
- deliver to ngrep. The ngrep parser takes a certain amount of time and while
- negligible on a slow interface, it can add up very quickly on a busy one.
-
- o Hexadecimal expressions can be in straight numeric form, 'DEADBEEF', or in
- symbolic form, '0xDEADBEEF'. A byte is the smallest unit of measure you can
- match against.
-
- o As of v1.28, ngrep doesn't require a match expression. However, there are
- cases where ngrep can be confused and think part of your bpf filter is the
- match expression, as in:
-
- % ngrep not port 80
- interface: eth0 (192.168.1.0/255.255.255.0)
- filter: ip and ( port 80 )
- match: not
-
- In cases like this, you will need to specify a blank match expression:
-
- % ngrep '' not port 80
- interface: eth0 (192.168.1.0/255.255.255.0)
- filter: ip and ( not port 80 )
-
-
- Please see http://ngrep.sf.net/usage.html for more detailed examples
- describing ngrep usage.
-
-
-Miscellany:
-
- Please see the ``doc/CREDITS.txt'' file for a listing of the people who helped
- make ngrep what it is today. Also, please note that ngrep is released under a
- BSD-style license, though it currently relies upon the GNU regex library,
- which is protected under the GPL.
-
- Also, it is _highly recommended_ that you upgrade to the latest version of
- libpcap. All versions 0.5 and more recent fix really annoying and in some
- cases fatal problems with the packet capture library. If you happen to be
- using Windows, please check the WinPcap site to see if there are any updates.
-
-
-Useful sites:
-
- o Unix libpcap:
-
- http://www.tcpdump.org/release/
-
- o Windows libpcap:
-
- http://www.winpcap.org/install/
-
-
-Known Working Platforms:
-
- o Linux 2.0+
- (RH6+, SuSE, TurboLinux, Debian, Gentoo, Ubuntu, Mandrake, Slackware)/x86
- RedHat/alpha
- Cobalt (Qube2) Linux/MIPS
- o Solaris 2.5.1, 2.6/SPARC, Solaris 7, Solaris 8/SPARC, Solaris 9/SPARC
- o FreeBSD 2.2.5, 3.1, 3.2, 3.4-RC, 3.4-RELEASE, 4.0, 5.0
- o OpenBSD 2.4 (after upgrading pcap from 0.2), 2.9, 3.0, 3.1
- o NetBSD 1.5/SPARC
- o Digital Unix V4.0D (OSF/1), Tru64 5.0, Tru64 5.1A
- o HPUX 11
- o IRIX
- o AIX 4.3.3.0/PowerPC
- o BeOS R5
- o Mac OS X 10+
-
- 1.45 is known to work on: Windows 95, 98, NT, 2000, XP, 2003/x86, 7
- 1.46.1 has been tested on: Windows 7, 8, 8.1
-
-Support, Feedback, & Patches
-
- If you need help, have constructive feedback, or would like to submit a patch,
- please visit ngrep's project at GitHub and use the online tools there. It
- will help the author better manage the various requests and patches so that
- nothing is lost or missed (as has been the case in the past, unfortunately).
-
- ngrep Issues: https://github.com/jpr5/ngrep/issues
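Review bot: deleting doc/README.txt removes the only per-option reference in the docs (the `-R` privilege-revocation switch, `-I`/`-O` pcap read and write, `-s`/`-S` snaplen and limitlen, and the Win32 `-d` index and `-L` device-list notes) together with the Tips section, including the one about ngrep mistaking part of a BPF filter for the match expression (`ngrep not port 80` versus `ngrep '' not port 80`). The new README.md only points at EXAMPLES.md, so please confirm the manpage or EXAMPLES.md covers the option list and that tip before this file goes, or move the Tips block into EXAMPLES.md as part of this change.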