ngrep – Handy packet matching and display tool

ngrep is a command-line tool that lets users perform packet matching and display on network traffic. It combines the behaviour of grep and tcpdump, which makes it a powerful tool for network administrators. Using ngrep, users can filter network traffic based on regular expressions and display the matched packets in real time.

Overview

To use ngrep, users must have superuser privileges. The basic syntax of ngrep is as follows:

ngrep [options] <pattern> [<filter expression>]
  • <pattern>: This is a regular expression pattern that ngrep uses to match packets.
  • <filter expression>: This is an optional filter expression that can be used to filter packets based on protocol, port, source, or destination IP address.

Here is an example of how to use ngrep to display all packets containing the word “password” on port 80:

sudo ngrep password port 80

In this example, sudo is used to run ngrep with superuser privileges. password is the pattern that ngrep will match, and port 80 is the filter expression that limits the search to packets on port 80.

Another example is to use ngrep to display all packets containing the word “login” on all ports:

sudo ngrep login

In this example, sudo is used to run ngrep with superuser privileges. login is the pattern that ngrep will match. Since there is no filter expression, ngrep will search for packets on all ports.
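The two-stage pipeline the examples above describe (a port filter first, then a regular expression over the packet payload) reproduced in Python as an added example; this is not ngrep's own code. The pcap data is constructed inline with zeroed checksums so the script runs offline, and ngrep_like(), build_frame() and build_pcap() are names chosen here:

```python
import re
import struct

ETHERTYPE_IPV4 = 0x0800

def build_frame(sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are zeroed (sample data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip

def build_pcap(frames):
    """Constructed pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def ngrep_like(pcap, pattern, port=None, ignore_case=False):
    """Return (src_port, dst_port, payload) for each TCP payload that passes the port
    filter and matches the regex, i.e. the effect of `ngrep [-i] <pattern> [port N]`."""
    rx = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    hits, off = [], 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:  # IP protocol 6 is TCP
            continue
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if port is not None and port not in (sport, dport):
            continue  # like BPF "port N": either direction counts
        if payload and rx.search(payload):
            hits.append((sport, dport, payload))
    return hits

# Constructed traffic: cleartext login on 80, TLS bytes on 443, mixed-case hit on 8080, plain reply.
SAMPLE_PCAP = build_pcap([
    build_frame(52000, 80, b"POST /login HTTP/1.1\r\n\r\nuser=bob&password=hunter2"),
    build_frame(52001, 443, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"),
    build_frame(52002, 8080, b"GET /?q=Password HTTP/1.1\r\n"),
    build_frame(80, 52000, b"HTTP/1.1 200 OK\r\n\r\n"),
])
```

Running ngrep_like(SAMPLE_PCAP, "password", port=80) returns only the cleartext login; adding ignore_case=True without a port also picks up the mixed-case request on 8080, which is what the -i option does in ngrep.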

Options

Here is a table of available options for ngrep:

Option  Description
-a      Display ASCII packets
-A      Display ASCII packets with hex/ASCII dump
-c      Display a count of matched packets
-d      Specify the network interface to listen on
-F      Read the filter expression from a file
-i      Ignore case when matching packets
-l      Make ngrep run in line-buffered mode
-n      Do not resolve IP addresses to hostnames
-O      Save matched packets to a file
-p      Do not put the network interface into promiscuous mode
-q      Quiet mode; do not display packet headers
-r      Read packets from a file
-S      Print absolute sequence numbers
-t      Display packet timestamps
-T      Output in a specified format (e.g. -T json)
-v      Invert the sense of matching

Troubleshooting tips

  • If ngrep is not displaying any packets, try running it with superuser privileges using sudo.
  • If ngrep is not matching packets, check the regular expression pattern to ensure it is correct.
  • If ngrep is not filtering packets correctly, check the filter expression to ensure it is correct.

Notes

  • ngrep is a powerful tool that can be used for network troubleshooting, security analysis, and debugging.
  • Since ngrep is a command-line tool, it is suitable for use in shell scripts and automation.
  • ngrep can be used in conjunction with other tools such as awk and sed to perform more complex packet analysis and manipulation.