|Stable release||1.45 / November 28, 2006|
|Operating system||Linux, Solaris, FreeBSD, NetBSD, OpenBSD, Mac OS X, additional *NIX systems, Windows|
ngrep support Berkeley Packet Filter (BPF) logic to select network sources or destinations or protocols, and also allow to match patterns or regular expressions in the data payload of packets using GNU grep syntax, showing packet data in a human-friendly way.
ngrep is an open source application, and the source code is available to download from the ngrep site at SourceForge. It can be compiled and ported to multiple platforms, it works in many UNIX-like operating systems: Linux, Solaris, BSD, AIX, and also works on Microsoft Windows.
ngrep is similar to tcpdump, but it has the ability to look for a regular expression in the payload of the packet, and show the matching packets on a screen or console. It allows users to see all unencrypted traffic being passed over the network, by putting the network interface into promiscuous mode.
ngrep with an appropriate BPF filter syntax, can be used to debug plain text protocols interactions like HTTP, SMTP, FTP, DNS, among others, or to search for a specific string or pattern, using a grep regular expression syntax.
Typical use of ngrep.
# Capture and show network traffic incoming to eth0 interface and # show parameters following HTTP GET or POST methods ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
# Capture and show network traffic incoming to eth0 interface and # show the HTTP User-Agent string ngrep -l -q -d eth0 "User-Agent: " tcp and port 80
# Capture and show network traffic incoming to eth0 interface and # show the DNS querys and responses ngrep -l -q -d eth0 "" udp and port 53
Capturing raw network traffic from an interface requires special privileges or superuser privileges on some platforms, especially on Unix-like systems. ngrep default behavior is to drop privileges in those platforms, running under a specific unprivileged user.
Like tcpdump, it is also possible to use ngrep for the specific purpose of intercepting and displaying the communications of another user or computer, or an entire network.
A privileged user running ngrep in a server or workstation connected to a device configured with port mirroring on a switch, router, or gateway, or connected to any other device used for network traffic capture on a LAN, MAN, or WAN, can watch all unencrypted information related to login ID's, passwords, or URLs and content of websites being viewed in that network.
- Linux: Operating system running the linux kernel
- Solaris: Unix operating system developed by Sun Microsystems
- BSD: Unix operating system family (FreeBSD, NetBSD, OpenBSD)
- Mac OS X: Unix operating system developed by Apple Inc.
- AIX, Unix operating system developed by IBM
- Windows, Operating system developed by Microsoft
- IPv4 and IPv6, Internet Protocol version 4 and version 6
- TCP, Transmission Control Protocol
- UDP, User Datagram Protocol
- ICMPv4 and ICMPv6, Internet Control Message Protocol version 4 and version 6
- IGMP, Internet Group Management Protocol
- Ethernet, IEEE 802.3
- PPP, Point to Point Protocol
- SLIP, Serial Line Internet Protocol
- FDDI, Fiber Data Distribution Protocol
- Token Ring, IEEE 802.5
- tcpdump, a packet analyzer
- pcap, an application programming interface (API) for capturing network traffic
- snoop, a command line packet analyzer included with Solaris
- wireshark, a network packet analyzer
- dsniff, a packet sniffer and set of traffic analysis tools
- netsniff-ng, a free Linux networking toolkit
- flowgrep, a tool for filtering packet streams
- LICENSE.txt file in the tarball
- Jordan Ritter at CrunchBase
- ngrep supported platforms
- ngrep and regular expressions
- ngrep usage
- Network monitoring with ngrep