The *nix utility program ngrep allows you to search and filter network packets. Much like the well-known grep tool lets users search text in files, ngrep performs the same kind of search against the operating system's network interfaces. In the words of its manpage, it currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump(8) and snoop(1).
Give ngrep a regular expression, and optionally a protocol, interface, and bpf filter, and it will print matching live network packets to stdout, from where you can redirect (>) them to a file or pipe (|) them to another utility. Here are some examples:
ngrep is intended to be used alongside your standard *nix command-line tooling, so most package repositories carry a sufficiently up-to-date version.
On MacOS, use homebrew:
brew install ngrep
On Debian-based systems (e.g., Ubuntu), use apt-get:
apt-get install ngrep
On CentOS, use yum:
yum install ngrep
This command will query all interfaces and protocols for a string match of
The -q flag 'quiets' the output by printing only packet headers and the matching payloads. Most of the time, quiet output is what you want; otherwise you might as well use tcpdump to capture everything. I will use -q in all the examples below so that nobody cuts and pastes from this article and gets flooded with data.
Add the -t flag to print a timestamp along with each match. Use -T to print the time elapsed between successive matches.
Reading from pcap
ngrep -I network_capture.pcap -qt 'HTTP'
If you have a network capture file in .pcap format, use -I $FILE to filter the capture instead of a live network interface. This is handy, for example, when you have a record of a network event and need a quick analysis without all the bells and whistles of
Writing to pcap
ngrep -O network_capture.pcap -q 'HTTP'
The reverse of the above command: the -O flag filters against a network interface and copies the matched packets into a capture file in
Reading with byline
With byline output, linefeeds in the payload are printed as linefeeds, making the output prettier and more legible.
Common bpf filters
A bpf (Berkeley Packet Filter) expression gives you a rich syntax for filtering network packets on information such as IP address, IP protocol, and port number.
ngrep -q 'HTTP' 'host 192.168' matches all packets containing the string 'HTTP' sent to or from an IP address starting with 192.168.
ngrep -q 'HTTP' 'dst host 192.168' does the same, but matches only on the destination host.
ngrep -q 'HTTP' 'src host 192.168' does the same, but matches only on the source host.
ngrep -q 'HTTP' 'tcp'
ngrep -q 'HTTP' 'udp'
ngrep -q 'HTTP' 'icmp'
ngrep -q 'HTTP' 'port 80'
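To make the -I and bpf-filter behaviour above concrete, here is an added Python example (not part of the original article, and not ngrep's own code) that emulates ngrep -I FILE -q PATTERN 'host H' 'port P' over a constructed pcap: it walks the pcap record headers, decodes Ethernet/IPv4/TCP, applies the host-prefix and port filter, and regex-matches the payload. The capture contents, addresses, and the pcap_grep/host_match/build_pcap/tcp_frame names are my own constructions.

```python
import re
import struct

def build_pcap(frames):
    """Constructed sample writer: classic little-endian pcap, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def tcp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; the parser does not verify them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def host_match(addr, prefix):
    """'192.168' matches 192.168.x.x, as the article's 'host 192.168' bpf filter does."""
    return addr.split(".")[: prefix.count(".") + 1] == prefix.split(".")

def pcap_grep(data, pattern, host=None, port=None):
    """Emulate ngrep -I FILE -q PATTERN ['host H'] ['port P'] on IPv4/TCP; returns (src, dst, sport, dport, payload) per match."""
    rx, hits, off = re.compile(pattern.encode()), [], 24   # 24 = pcap global header size
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    while off + 16 <= len(data):                  # a 16-byte record header precedes each frame
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00":          # EtherType must be IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                           # IP protocol 6 = TCP; UDP/ICMP are skipped here
            continue
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[(ip[0] & 0x0F) * 4:]            # IHL = IPv4 header length in 32-bit words
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]       # TCP data offset, also in 32-bit words
        if host and not (host_match(src, host) or host_match(dst, host)):
            continue
        if port and port not in (sport, dport):
            continue
        if rx.search(payload):
            hits.append((src, dst, sport, dport, payload))
    return hits

SAMPLE = build_pcap([  # constructed capture: an HTTP request/response pair plus an unrelated SSH banner
    tcp_frame("192.168.1.10", "203.0.113.5", 40000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    tcp_frame("203.0.113.5", "192.168.1.10", 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n"),
    tcp_frame("10.0.0.5", "10.0.0.9", 5555, 22, b"SSH-2.0-OpenSSH\r\n"),
])
```

Running pcap_grep(SAMPLE, "HTTP", host="192.168") returns the request and the response, the same two packets that ngrep -I sample.pcap -q 'HTTP' 'host 192.168' would print, while the SSH packet between the 10.0.0.x hosts is filtered out.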
Pretty cool! There are many primitives available, but I only really need to use these three. You can combine primitives using the boolean connectives and, or, and not to specify exactly what you're grepping for.
ngrep is a handy utility for searching on network interfaces or captures. Anyone familiar with wireshark will find it valuable for quick network analyses.