flowgrep man page on DragonFly

FLOWGREP(8)		  BSD System Manager's Manual		   FLOWGREP(8)

NAME
     flowgrep — TCP stream/UDP/IP payload 'grep' utility

SYNOPSIS
     flowgrep [-ikVvx] [-a pattern] [-c pattern] [-D num] [-d device]
	      [-E name] [-e string] [-F pattern_file] [-f pattern_file]
	      [-l dir] [-r filename] [-s pattern] [-u username] [filter]

DESCRIPTION
     flowgrep is a small tool to look for arbitrary payload content in TCP
     streams or UDP packets. The search parameter is a regular expression in
     the format described in re_format(7).  The -s flag indicates that the
     pattern should be looked for only in the server's data stream (sent from
     the server to the client). These patterns can also be loaded from the
     pattern_file specified using the -F flag, with each pattern separated by
     a newline. Newlines are not considered part of a pattern. The -c flag
     indicates that the pattern should only match data sent by the client to
     the server. These patterns can also be loaded from the pattern_file
     specified using the -f flag, with each line containing one pattern to
     match. These newlines are not considered part of the pattern. The -a
     flag indicates that the pattern should be matched against data sent in
     either direction. For UDP and IP payloads these three flags are
     equivalent. Multiple expressions can be searched for by successive calls
     to the appropriate -a, -c or -s flag.

     An optional pcap(3) filter can be specified to limit what data to moni‐
     tor. TCP, UDP, and IP connections are evaluated. Fragments are reassem‐
     bled according to their parent connection.

     flowgrep drops privileges after initialization and runs as the user spec‐
     ified using the -u flag or the user 'nobody' by default.

     If -v is specified, the match is inverted and non-matching flows are
     logged or killed. The -i flag specifies a case insensitive search.

     Packets are captured on the first appropriate device unless the -d flag
     is specified, in which case device is used to capture packets. The input
     can also be a filename if -r is used. The filename must be in pcap(3)
     format.

     If the -k option is used, the matching TCP connection will be killed by
     flowgrep. This is done by sending TCP RST packets to the two partici‐
     pants. TCP connections can be both stored and killed.

     If the -l option is given, matched flows will be logged relative to the
     dir argument. Matched flows or packets are stored in files as the com‐
     plete payload or reassembled TCP stream payload. The filename is based on
     the stream data and is logged as 'time-source-sport-dest-dport-proto',
     with time as a 32 bit integer for seconds since the UNIX epoch. For pro‐
     tocols other than TCP or UDP, the protocol is listed as 'protoN' where
     'N' is the protocol number. See protocols(5) for more information about
     these numbers and names. If the -x argument is given, these filenames
     will be written to stdout(4) in a format suitable for use with xargs(1)
     (i.e. for processing the flows). Flows are written out to the filesystem
     upon connection closure.
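     An added example, not part of the man page or of flowgrep's own code: a
     parser for filenames in the 'time-source-sport-dest-dport-proto' layout
     described above, of the kind one would feed from the -x output, which
     also counts logged flows per source address and protocol. The addresses,
     timestamps and the 0 port fields of the 'proto47' sample are constructed;
     how flowgrep fills the port fields for non-TCP/UDP payloads is not stated
     on this page.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import NamedTuple, Optional

# Constructed sample names in flowgrep's 'time-source-sport-dest-dport-proto'
# layout, using RFC 5737 documentation addresses.
# 1102896000 is 2004-12-13 00:00:00 UTC; 'proto47' is GRE (see protocols(5)).
# Port fields of 0 for the non-TCP/UDP flow are an assumption, not documented.
SAMPLE_NAMES = [
    "1102896000-192.0.2.10-51234-198.51.100.5-25-tcp",
    "1102896007-192.0.2.10-51235-198.51.100.5-25-tcp",
    "1102896030-192.0.2.77-4444-198.51.100.9-4444-tcp",
    "1102896042-192.0.2.77-0-198.51.100.9-0-proto47",
]


class Flow(NamedTuple):
    time: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                # 'tcp', 'udp' or the raw 'protoN' label
    proto_num: Optional[int]  # N from 'protoN'; None for tcp/udp


def parse_flow_name(name: str) -> Flow:
    """Split one logged filename (basename only) into its six fields."""
    parts = name.split("-")   # IPv4/IPv6 addresses never contain '-'
    if len(parts) != 6:
        raise ValueError(f"not a flowgrep flow name: {name!r}")
    t, src, sport, dst, dport, proto = parts
    proto_num = None
    if proto.startswith("proto"):
        proto_num = int(proto[len("proto"):])   # 'protoN' -> N
    return Flow(
        datetime.fromtimestamp(int(t), tz=timezone.utc),
        src, int(sport), dst, int(dport), proto, proto_num,
    )


def summarize(names) -> Counter:
    """Count logged flows per (source address, protocol label)."""
    return Counter((f.src, f.proto) for f in map(parse_flow_name, names))


if __name__ == "__main__":
    for (src, proto), n in sorted(summarize(SAMPLE_NAMES).items()):
        print(f"{src:<16} {proto:<8} {n}")
```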

     flowgrep can also use libdistance(3) for fuzzy string matching. Several
     algorithms are supported, including the Levenshtein algorithm, Damerau
     method, Hamming distance and the Jaccard distance. One or more strings
     may be given using the -e flag. If the distance calculated using the
     algorithms is below the value specified by -D a match has occurred. Note
     that this approach is slow and not well tested at this time.
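     An added example, not flowgrep's or libdistance's code: a Levenshtein
     distance with the threshold rule above (a match when the distance is
     below the -D value), run over constructed SMTP lines the way the
     '-E levenshtein -D 5 -e Viagra' invocation under EXAMPLES would. The page
     does not say how flowgrep windows the payload; comparing the pattern
     against each whitespace-separated token is an assumption made here.

```python
from typing import Optional, Tuple


def levenshtein(a: str, b: str) -> int:
    """Minimum number of insertions, deletions and substitutions turning a into b."""
    if len(a) < len(b):
        a, b = b, a                       # keep the DP row as short as possible
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def fuzzy_match(payload: str, pattern: str, max_distance: int,
                ignore_case: bool = True) -> Optional[Tuple[int, str]]:
    """Mirror -e pattern / -D max_distance / -i: return (distance, token) for
    the closest token whose distance is strictly below the threshold, else None.
    Tokenising on whitespace is an assumption; the page does not specify it."""
    if ignore_case:
        pattern = pattern.lower()
    best = None
    for token in payload.split():
        d = levenshtein(token.lower() if ignore_case else token, pattern)
        if d < max_distance and (best is None or d < best[0]):
            best = (d, token)
    return best


# Constructed SMTP payload fragments, not captured traffic.
SPAM = "Subject: Buy cheap V1AGRA and Vi.agra online today"
CLEAN = "Subject: quarterly report attached"

if __name__ == "__main__":
    for line in (SPAM, CLEAN):
        print(fuzzy_match(line, "Viagra", 5), "<-", line)
```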

     The -V flag causes flowgrep to print the version information and exit.

EXAMPLES
     To capture all mail traffic over SMTP and log it relative to the local
     directory:

	   flowgrep -i -c "^ *mail +from" -l . tcp port 25

     To capture all non-mail traffic on TCP port 25 and log it into the direc‐
     tory suspicious:

	   flowgrep -i -a "^ *mail +from" -v -l suspicious tcp port 25

     To turn flowgrep into a simple TCP flow recorder:

	   flowgrep -a "." -l flow tcp

     To kill Blaster worm infection attempts:

	   flowgrep -i -c "^ *tftp -i \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} GET
	   msblast.exe" -k tcp port 4444

     To stop successful web surfing on your segment:

	   flowgrep -s "HTTP/1.1 200 OK" -k tcp port 80

     To detect and stop SSH usage on non-SSH ports:

	   flowgrep -i -a "ssh-" -k tcp not port 22

     To detect non-HTTP use of port 80:

	   flowgrep -i -c "^GET *.+HTTP/1.[01]" -c "^POST *.+HTTP/1.[01]"  -c
	   "^PUT *.+HTTP/1.[01]" -l suspicious -v tcp port 80

     Detect Viagra spam on TCP port 25:

	   flowgrep -E levenshtein -D 5 -e Viagra -l spammers tcp port 25

SEE ALSO
     pcap(3), libdistance(3), re_format(7), tcpkill(8), ngrep(8), tcpflow(8)

AUTHOR
     Jose Nazario (jose@monkey.org)

BUGS
     Using flowgrep as an IPS to enforce policies against tunnelling (i.e.
     using TCP port 80 for SSH access) can be easily fooled if the tunnel
     wrapper adds basic protocol headers to the connections. Use flowgrep for
     this purpose with caution.

BSD			       13 December, 2004			   BSD