ngrep
ngrep is a command-line tool that matches the payload of network packets against a regular expression and prints the matching packets as they cross the wire. It combines the ideas of grep and tcpdump: a pcap/BPF filter selects which packets to look at, and the pattern selects which of those to print, which makes it a convenient tool for network administrators and for quick security triage. With ngrep, users can filter network traffic on a regular expression and watch the matched packets in real time, or run the same search over a saved capture file.
Overview
To capture on a live interface, ngrep must run with superuser privileges (on Linux the CAP_NET_RAW capability is sufficient); reading a saved capture with -I needs no special privileges. The basic syntax of ngrep is as follows:
ngrep [options] <pattern> [<filter expression>]
<pattern>: a regular expression that ngrep matches against the packet payload (with -X the pattern is instead a string of hexadecimal bytes). Patterns containing shell metacharacters should be quoted.
<filter expression>: an optional BPF filter in the same syntax as tcpdump, used to restrict the capture by protocol, port, or source or destination address (for example port 80, host 10.0.0.1, or tcp and dst port 25). The filter is applied by the kernel before the pattern, so a tight filter is the cheapest way to reduce load.
Here is an example of how to use ngrep to display all packets containing the word "password" on port 80:
sudo ngrep password port 80
In this example, sudo runs ngrep with superuser privileges. password is the pattern that ngrep will match, and port 80 is the filter expression that limits the search to packets on port 80. Because the pattern is a regular expression, it also matches "passwords" and "password=" anywhere in the payload; add -i to ignore case. Note that only cleartext HTTP can match: the same request over HTTPS on port 443 is ciphertext on the wire and will never match a plaintext pattern.
Another example is to use ngrep to display all packets containing the word "login" on all ports:
sudo ngrep login
In this example, login is the pattern that ngrep will match. Since there is no filter expression, ngrep inspects every packet on the interface (IPv4 and IPv6 by default), not just HTTP, so on a busy link expect far more output and correspondingly higher CPU use.
Options
Here is a table of the commonly used options for ngrep (see the man page for the full list; options that take an argument are shown with it):
Option | Description |
---|---|
-A num | After a match, also dump the next num packets as trailing context |
-c cols | Force the output column width of the packet dump to cols |
-d dev | Capture on interface dev instead of the pcap default (on Linux, -d any captures on all interfaces) |
-D | When reading a capture file, replay packets with their recorded time intervals |
-e | Show empty packets; packets with no payload are normally skipped because there is nothing to match |
-F file | Read the BPF filter expression from file |
-i | Ignore case when matching |
-I file | Read packets from a pcap capture file instead of a live interface |
-K num | Send num TCP RST segments to tear down connections that match (Linux only; use with care) |
-l | Make stdout line-buffered, needed when piping output into another program |
-M | Match on a single line only (disables the default multi-line matching) |
-n num | Match only num packets in total, then exit |
-N | Show the IP sub-protocol number with each packet |
-O file | Write matched packets to file in pcap format |
-p | Do not put the interface into promiscuous mode |
-P char | Use char instead of the default "." to display non-printable bytes |
-q | Quiet mode: print nothing but matched packet headers and payloads (no "#" hash marks for non-matching packets) |
-s snaplen | Set the capture length (bytes of each packet handed to ngrep) |
-S limitlen | Set an upper limit on the amount of payload that is searched and displayed |
-t | Print a timestamp with each matched packet |
-T | Print the time delta since the previous match (-TT: delta since the first match) |
-v | Invert the sense of matching |
-w | Match the expression only as a whole word |
-W mode | Set the dump format: normal, byline (keeps payload line breaks, useful for HTTP), single (one line per packet) or none (headers only) |
-x | Print an alternate hex/ASCII dump of the payload |
-X | Treat the match expression as a hexadecimal byte string |
Troubleshooting tips
- If ngrep is not displaying any packets, run it with superuser privileges using sudo, and check that it is listening on the right interface: the "interface:" line it prints at startup shows the pcap default, and -d selects another one.
- If ngrep is not matching packets, check the regular expression pattern. Remember that the shell may have consumed metacharacters if the pattern was not quoted, that matching is case-sensitive unless -i is given, that only packets with payload are searched, and that encrypted traffic (TLS, SSH) will never match a plaintext pattern.
- If ngrep is not filtering packets correctly, check the filter expression against tcpdump's BPF syntax; ngrep prints the filter it actually compiled on its "filter:" line at startup, which shows whether the expression was parsed as intended.
- To rule out capture problems altogether, test the pattern and filter against a saved capture with -I before running against live traffic.
Notes
- ngrep is a powerful tool that can be used for network troubleshooting, security analysis, and debugging, for example to confirm whether credentials, tokens or internal hostnames are crossing the network in cleartext.
- Since ngrep is a command-line tool, it is suitable for use in shell scripts and automation. When its output is piped into another program, use -l so stdout is line-buffered, and -q so that only matched packets are printed.
- ngrep can be used in conjunction with other tools such as awk and sed to perform more complex packet analysis and manipulation; -W byline keeps the payload's line structure, which makes text protocols easier to post-process, and -O hands the matched packets to Wireshark or tcpdump in pcap format.