ngrep
Grep network traffic for matching data
TLDR
Capture traffic on all interfaces
Capture traffic on a specific interface
Capture traffic crossing port 22 on interface eth0
Capture traffic from or to a host
Filter for the keyword 'User-Agent:' on interface eth0
SYNOPSIS
ngrep [options] <match expression> [ <bpf filter> ]
ngrep -h
ngrep -V
PARAMETERS
-h
Display help message.
-V
Display version information.
-v
Invert the match; select non-matching packets.
-i
Ignore case for the regular expression match.
-q
Quiet mode; suppress output except for matching packets.
-x
Hex dump matched packets.
-X
Hex dump the entire packet.
-w
Match the expression as a whole word.
-p
Do not put the interface into promiscuous mode.
-l
Make stdout line buffered.
-R
Do not attempt to match reply packets.
-d
Listen on the specified network interface.
-A
Dump N bytes of packet payload after a match.
-W
Dump N bytes of packet payload before a match.
-t
Add a timestamp to the output.
-D
Show timestamps in delta mode (relative to previous packet).
-S
Limit the number of packets to process.
-s
Set the snaplen (packet capture length).
-P
Read BPF filter from the specified file.
-f
Read regex pattern from the specified file.
-n
Do not convert addresses to names (e.g., IPs to hostnames).
-u
Do not convert port numbers to service names (e.g., 80 to http).
-k
Use key_file to decrypt SSL/TLS traffic.
-N
Only match against the first N bytes of the payload.
-O
Dump matched packets to a pcap file.
-L
Limit the number of packets dumped to the pcap file.
-F
Do not print leading newlines in output.
-T
Print relative timestamps from the start of capture.
-r
Read packets from a pcap file instead of a live interface.
DESCRIPTION
ngrep is a command-line utility for network traffic analysis, akin to applying the text-searching capabilities of grep to live or recorded network data. It matches regular expressions against network packets, including their headers and payloads, in real time from a network interface or from pcap capture files. Supporting protocols such as TCP, UDP, and ICMP, ngrep is invaluable for network troubleshooting, security auditing, and debugging applications. Its ability to combine regular expression matching with efficient Berkeley Packet Filter (BPF) rules provides a flexible and precise way to pinpoint specific data, detect anomalies, or observe communication patterns within complex network environments. This makes it an essential tool for administrators and security professionals alike.
CAVEATS
ngrep typically requires root privileges for capturing packets on most systems.
SSL/TLS decryption features are limited; they primarily support RSA key exchange and require the correct private key, and may not work with all modern ciphers or protocols.
On high-traffic networks, ngrep can consume significant system resources and potentially drop packets if not used with appropriate BPF filters or on a powerful enough machine.
REGULAR EXPRESSIONS
ngrep utilizes extended regular expressions (ERE) for its pattern matching capabilities. This allows for complex and flexible pattern definitions, enabling users to pinpoint specific data sequences within the network traffic payload.
BPF FILTERS
To enhance performance and reduce the amount of data processed, ngrep supports Berkeley Packet Filter (BPF) syntax. BPF filters are applied at the kernel level, efficiently discarding unwanted packets before they are passed to ngrep for regular expression matching. This is crucial for analyzing traffic on busy networks.
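The two stages described under REGULAR EXPRESSIONS and BPF FILTERS, re-implemented in miniature as an added Python example (this is not ngrep's own code): a header-level filter runs first and the regular expression is applied only to the payload of packets that survive it, with keyword arguments standing in for -i, -v and -w. The packets are constructed inline with standard IPv4/TCP/UDP header layouts, the bpf_match filter language is a toy stand-in for libpcap's, and Python's re module is used in place of the ERE engine ngrep uses.

```python
import re, socket, struct
SAMPLES = [  # constructed sample traffic, not a real capture: (src, dst, ip_proto, sport, dport, payload)
    ("10.0.0.5", "198.51.100.20", 6, 51000, 80, b"GET / HTTP/1.1\r\nUser-Agent: curl/8.0\r\n\r\n"),
    ("10.0.0.5", "10.0.0.53", 17, 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    ("10.0.0.7", "198.51.100.20", 6, 51001, 443, b"\x16\x03\x01 opaque TLS record"),
    ("10.0.0.9", "10.0.0.5", 6, 51002, 80, b"POST /login HTTP/1.1\r\nuser-agent: Mozilla/5.0\r\n\r\n"),
]

def build_packet(src, dst, proto, sport, dport, payload):
    # IPv4 header followed by TCP (20 bytes, data offset 5) or UDP (8 bytes); checksums left zero.
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4 + payload

def parse_packet(pkt):
    # Walk IPv4 -> TCP/UDP; the bytes after the transport header are what the regex sees.
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto not in (6, 17):
        return None
    l4 = pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    hlen = (l4[12] >> 4) * 4 if proto == 6 else 8
    return {"proto": "tcp" if proto == 6 else "udp", "src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]), "sport": sport, "dport": dport, "payload": l4[hlen:]}

def bpf_match(p, bpf):
    # Stage 1, a toy stand-in for the kernel BPF filter: 'tcp', 'udp', 'port N', 'host A' joined by 'and'.
    for term in bpf.split(" and ") if bpf else []:
        kind, _, arg = term.partition(" ")
        ok = {"tcp": p["proto"] == "tcp", "udp": p["proto"] == "udp",
              "port": arg.isdigit() and int(arg) in (p["sport"], p["dport"]),
              "host": arg in (p["src"], p["dst"])}[kind]
        if not ok:
            return False
    return True

def ngrep(packets, pattern, bpf="", ignore_case=False, invert=False, whole_word=False):
    # Stage 2: regex over payloads that survived stage 1; the flags mirror ngrep's -i, -v and -w.
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile((r"\b(?:%s)\b" % pattern if whole_word else pattern).encode(), flags)
    hits = []
    for p in filter(None, map(parse_packet, packets)):
        if bpf_match(p, bpf) and (rx.search(p["payload"]) is not None) != invert:
            hits.append("%s %s:%d -> %s:%d" % (p["proto"].upper(), p["src"], p["sport"], p["dst"], p["dport"]))
    return hits

PACKETS = [build_packet(*s) for s in SAMPLES]
```

Calling ngrep(PACKETS, "User-Agent:", "port 80") returns only the curl request, while ignore_case=True also returns the lower-case header in the POST, and invert=True with pattern "HTTP" and filter "tcp" returns just the opaque TLS record.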
HISTORY
ngrep was created by Jordan Ritter and first released in 1999. It was developed to provide a command-line utility that brought the familiar text-searching power of grep to network packet analysis, building upon the foundational libpcap library for packet capture. Its ongoing development has focused on enhancing its utility for real-time network monitoring and security analysis.