ngrep — searching network packets like Unix grep March 5, 2011Posted by Tournas Dimitrios in Linux admin tools.
ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop .For a network administrator familiar with pattern matching with grep, ngrep requires a minimum of training .
On RedHat based distributions this utility can be installed through the yum installer , if rpmforge is on the repository list .
Command-Line Switches for ngrep
|-h||Shows an extensive list of command line options|
|-e||Shows empty packets|
|-n [num]||Matches num packets and then exits|
|-i [expression]||Searches for the regular expression without regard to case|
|-v [expression]||Searches for packets not containing the regular expression|
|-t||Prints a YYYY/MM/DD HH:MM:SS.UUUUUU timestamp on each matched packet|
|-T||Displays a +S.UUUUUU timestamp on each matched packet|
|-x||Shows the packets in the alternate hex and ASCII style|
|-I [filename]||Reads from a pcap-style dump named filename instead of live traffic|
|-O filename||Writes output to a pcap-style file named filename|
|-D||Mimics real time by printing matched packets at their recorded timestamp|