From the man page, “ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump(8) and snoop(1).”
Perhaps the most significant difference between ngrep and tcpdump is that ngrep can analyze packet payloads whereas tcpdump only looks at packet headers and such.
ngrep is incredibly powerful and useful for finding out what’s happening on your network. The best way to show you what ngrep can do and how it’s done is by example. See some below.
Watching all traffic on the default interface:
Watching all traffic on eth1:
Watching all traffic on the default interface while searching for the string “testing”:
Watching all traffic on the default interface originating from 192.168.1.1:
Watching all traffic on the default interface destined for 192.168.1.2:
Watching all traffic on the default interface with the gateway of 192.168.1.100:
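To make the difference between header filtering and payload matching concrete, here is a small added example (my own code, not ngrep's source and not part of the original post) that models what ngrep does on each of the invocations above: decode the Ethernet/IPv4/TCP-or-UDP headers, apply a BPF-style src host / dst host / host test on those headers, and then run a regular expression over the remaining payload bytes. The frames are constructed inline, with checksums left at zero, so it runs offline with only the standard library. The comments give the ngrep command I would use for each call, based on the tool's `ngrep [-d dev] <match expression> <bpf filter>` argument order and its `-d` device option; an empty match expression stands for "match every packet". The gateway case is not modelled, because a `gateway` BPF primitive also depends on the gateway's Ethernet address, which this toy decoder does not track.

```python
import ipaddress
import re
import struct


def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Build a constructed Ethernet/IPv4 frame carrying TCP (6) or UDP (17).

    Checksums are left at zero: this is synthetic test data, not captured traffic.
    """
    if proto == 6:
        # 20-byte TCP header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) + payload
    elif proto == 17:
        # 8-byte UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        raise ValueError("only TCP and UDP are modelled here")
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed,
    )
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)  # dst MAC, src MAC, EtherType IPv4
    return eth + ip_hdr + l4


def parse_frame(frame):
    """Decode Ethernet/IPv4/{TCP,UDP} headers; return a dict, or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    l4 = ip[ihl:total_len]
    if proto == 6:
        hdr_len = (l4[12] >> 4) * 4  # TCP data offset, in 32-bit words
        name = "TCP"
    elif proto == 17:
        hdr_len = 8
        name = "UDP"
    else:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return {
        "proto": name,
        "src": str(ipaddress.ip_address(ip[12:16])),
        "dst": str(ipaddress.ip_address(ip[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": l4[hdr_len:],
    }


def grep_frames(frames, pattern="", src_host=None, dst_host=None, host=None):
    """ngrep-style selection: BPF-like host tests on headers, then a regex on the payload.

    An empty pattern matches every packet, which is what plain `ngrep` does.
    A header-only tool like tcpdump can do the host tests but not the payload regex.
    """
    regex = re.compile(pattern.encode()) if pattern else None
    hits = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        if src_host and pkt["src"] != src_host:
            continue
        if dst_host and pkt["dst"] != dst_host:
            continue
        if host and host not in (pkt["src"], pkt["dst"]):
            continue
        if regex and not regex.search(pkt["payload"]):
            continue
        hits.append(pkt)
    return hits


# Constructed sample traffic (not a real capture); addresses follow the post's examples.
FRAMES = [
    build_frame("192.168.1.1", "192.168.1.2", 6, 40000, 80, b"GET /testing HTTP/1.0\r\n\r\n"),
    build_frame("192.168.1.2", "192.168.1.1", 6, 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n"),
    build_frame("192.168.1.100", "192.168.1.2", 17, 53, 40001, b"\x00\x01\x81\x80dns-reply"),
    build_frame("10.0.0.5", "192.168.1.1", 6, 50000, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for label, hits in [
        ("all traffic            (ngrep)", grep_frames(FRAMES)),
        ("payload /testing/      (ngrep testing)", grep_frames(FRAMES, "testing")),
        ("src host 192.168.1.1   (ngrep '' 'src host 192.168.1.1')", grep_frames(FRAMES, src_host="192.168.1.1")),
        ("dst host 192.168.1.2   (ngrep '' 'dst host 192.168.1.2')", grep_frames(FRAMES, dst_host="192.168.1.2")),
        ("host 192.168.1.100     (ngrep '' 'host 192.168.1.100')", grep_frames(FRAMES, host="192.168.1.100")),
    ]:
        print(f"{label}: {len(hits)} packet(s)")
        for p in hits:
            print(f"  {p['proto']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {p['payload']!r}")
```

Running the script prints the four sample packets for the unfiltered case, the single HTTP request for the `testing` search, and one or two packets for each host filter. The useful thing to notice is that the `testing` match is decided on bytes that sit after every header, so no combination of host, port or protocol primitives could have selected that packet; that is the capability the post attributes to ngrep over tcpdump, and also why a payload pattern can still be matched after the traffic has already passed a header-only filter on another device.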