ngrep — searching network packets like Unix grep March 5, 2011

Posted by Tournas Dimitrios in Linux admin tools.

ngrep strives to provide most of GNU grep's common features, applying them to the network layer. It is a pcap-aware tool that lets you specify extended regular expressions to match against the data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffers such as tcpdump and snoop. For a network administrator familiar with pattern matching in grep, ngrep requires a minimum of training.

On Red Hat based distributions this utility can be installed with yum, provided the RPMforge repository is on the repository list.

Command-Line Switches for ngrep

Switch            Description
-h                Shows an extensive list of command line options
-e                Shows empty packets
-n [num]          Matches num packets and then exits
-i [expression]   Searches for the regular expression without regard to case
-v [expression]   Searches for packets not containing the regular expression
-t                Prints a YYYY/MM/DD HH:MM:SS.UUUUUU timestamp on each matched packet
-T                Displays a +S.UUUUUU timestamp on each matched packet
-x                Shows the packets in the alternate hex and ASCII style
-I [filename]     Reads from a pcap-style dump named filename instead of live traffic
-O filename       Writes output to a pcap-style file named filename
-D                Mimics real time by printing matched packets at their recorded timestamp

Practical examples

  • This command watches Telnet traffic on port 23 for the word "login", case-insensitively, and timestamps each match in the YYYY/MM/DD HH:MM:SS.UUUUUU format. -q ensures nothing else is printed:
    # ngrep -q -t -wi "login" port 23
  • Timestamp all traffic on port 53 (DNS) on all devices (if the box has multiple devices) and send the output to a pcap file specified by the -O switch:
    # ngrep -O ~/log/traffic.pcap -d any -T port 53
  • Monitor current email transactions and print the addresses:
    # ngrep -i 'rcpt to|mail from' tcp port smtp
  • Pipes (|) delimit each keyword, one of which is specified with a wildcard. -i makes the search case-insensitive, and -W byline (byline mode) produces a cleaner report, which is redirected to a file:
    # ngrep -i 'erotic*|naked|porn' -W byline > adult-surf.txt
  • The -I switch instructs ngrep to match the specified pattern against a capture file rather than live traffic. Here we look for all domains except those ending with ".net": the -v switch inverts the pattern, so we get every domain except ".net", printed with timestamps because of the -t switch:
    # ngrep -tv '\.net' -I ~/logs/dump-file
  • Let's grab the username and password of all FTP sessions (FTP sends credentials in cleartext):
    # ngrep -i -q 'pass|user' port 21
  • Capture network traffic arriving on the eth0 interface and show the parameters following HTTP GET or POST methods:
    # ngrep -n -d eth0 "GET |POST " tcp and port 80
  • As you can see, the possibilities are endless; read the man pages and learn regular expressions.
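To make the -I, -i and -v behaviour concrete, here is an added example (not part of the original post and not ngrep's own code): a small pure-Python imitation of ngrep's file mode that walks a pcap, locates the TCP/UDP payload of each IPv4 packet and applies a regex to it. The capture is constructed in memory, so the sample addresses, ports and payloads are made up.

```python
import re
import socket
import struct

# Constructed sample capture (not real traffic): a little-endian pcap with Ethernet
# framing holding four IPv4/TCP packets, built in memory so the example runs offline.
def tcp_packet(src, dst, sport, dport, payload):
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)           # MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f          # record header
    return out

SAMPLE_PCAP = build_pcap([
    tcp_packet("10.0.0.5", "10.0.0.9", 40001, 21, b"USER alice\r\n"),
    tcp_packet("10.0.0.9", "10.0.0.5", 21, 40001, b"331 Password required\r\n"),
    tcp_packet("10.0.0.5", "10.0.0.9", 40001, 21, b"PASS hunter2\r\n"),
    tcp_packet("10.0.0.5", "10.0.0.8", 40002, 80, b"GET /index.html HTTP/1.0\r\n"),
])

def ngrep_file(pcap, pattern, ignore_case=False, invert=False):
    """Mimic `ngrep -I file [-i] [-v] pattern`; returns (src:port, dst:port, payload)."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    end = "<" if struct.unpack_from("<I", pcap)[0] == 0xA1B2C3D4 else ">"
    hits, off = [], 24                                        # skip 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(end + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                          # IPv4 only here
        l4 = 14 + (frame[14] & 0x0F) * 4                      # IHL gives IP header size
        if frame[23] == 6:                                    # TCP: data offset nibble
            hdr = (frame[l4 + 12] >> 4) * 4
        elif frame[23] == 17:                                 # UDP: fixed 8-byte header
            hdr = 8
        else:
            continue                                          # ICMP etc. skipped
        sport, dport = struct.unpack_from("!HH", frame, l4)
        payload = frame[l4 + hdr:].decode("latin-1")
        if bool(rx.search(payload)) != invert:                # -v inverts the match
            hits.append((f"{socket.inet_ntoa(frame[26:30])}:{sport}",
                         f"{socket.inet_ntoa(frame[30:34])}:{dport}", payload))
    return hits
```

Note that the case-insensitive 'pass|user' search also picks up the server's "331 Password required" banner, exactly as ngrep -i would; without -i the same pattern matches nothing in this capture, which is why the post's FTP example relies on -i.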
