From the man page, “ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump(8) and snoop(1).”
Perhaps the most significant difference between ngrep and tcpdump is that ngrep can match against packet payloads, whereas tcpdump selects and displays packets based on their headers.
ngrep is incredibly powerful and useful for finding out what’s happening on your network. The best way to show you what ngrep can do and how it’s done is by example. See some below.
Watching all traffic on the default interface:
ngrep -itq -W byline
Watching all traffic on eth1:
ngrep -d eth1 -itq -W byline
Watching all traffic on the default interface while searching for the string “testing”:
ngrep -itq -W byline testing
Watching all traffic on the default interface originating from 192.168.1.1:
ngrep -itq -W byline src 192.168.1.1
Watching all traffic on the default interface destined for 192.168.1.2:
ngrep -itq -W byline dst 192.168.1.2
Watching all traffic on the default interface that passed through the gateway 192.168.1.100:
ngrep -itq -W byline gateway 192.168.1.100
Note that pcap’s gateway primitive expects a host name that resolves both to an IP address and to an Ethernet address (for example via /etc/ethers), so a bare IP address may be rejected by the filter compiler.
See more examples at http://ngrep.sourceforge.net/usage.html
Also check the man page for many more neat possibilities.
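As an added illustration (not ngrep’s own code and not from the original page), the following Python reimplements the core of what the commands above do on a handful of constructed frames: a BPF-style src/dst header filter combined with a case-insensitive regex over the TCP payload, printed in -W byline style. The frame builder, the ngrep_like function and the sample packets are all hypothetical and constructed here; it shows why a header-only filter like tcpdump’s cannot find the string “testing”, but a payload match can.

```python
import re
import socket
import struct

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Assemble a minimal Ethernet + IPv4 + TCP frame (constructed sample; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00" * 6 + b"\x00" * 6 + struct.pack("!H", 0x0800)
    return eth + ip + tcp

def decode_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP headers; return (src, dst, payload) or None for non-IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                      # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
    if ip[9] != 6:
        return None                      # not TCP (UDP/ICMP omitted for brevity)
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    doff = (tcp[12] >> 4) * 4            # TCP data offset in bytes
    return src, dst, tcp[doff:]

def ngrep_like(frames, pattern, src=None, dst=None):
    """Header filter (like the BPF 'src'/'dst' primitives) AND payload regex (like ngrep's match expression)."""
    regex = re.compile(pattern.encode(), re.IGNORECASE)   # -i: case-insensitive
    hits = []
    for frame in frames:
        decoded = decode_frame(frame)
        if decoded is None:
            continue
        s, d, payload = decoded
        if (src and s != src) or (dst and d != dst):
            continue                     # header filter: what tcpdump alone can express
        if regex.search(payload):        # payload match: what ngrep adds
            hits.append((s, d, payload.decode(errors="replace")))
    return hits

FRAMES = [  # constructed sample traffic
    build_frame("192.168.1.1", "192.168.1.2", 40000, 80, b"GET /testing HTTP/1.1\r\nHost: example\r\n\r\n"),
    build_frame("192.168.1.5", "192.168.1.2", 40001, 80, b"GET /Testing HTTP/1.1\r\n\r\n"),
    build_frame("192.168.1.1", "192.168.1.2", 40002, 80, b"GET /index HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for s, d, payload in ngrep_like(FRAMES, "testing", src="192.168.1.1"):
        print(f"{s} -> {d}\n" + payload.replace("\r\n", "\n"))   # -W byline style output
```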