ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.



 ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
             <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
             <-P char> <-F file> <match expression> <bpf filter>


   -h  is help/usage ngrep 
   -V  is version information ngrep 
   -q  is be quiet (don't print packet reception hash marks)
   -e  is show empty packets
   -i  is ignore case
   -v  is invert match
   -R  is don't do privilege revocation logic
   -x  is print in alternate hexdump format
   -X  is interpret match expression as hexadecimal
   -w  is word-regex (expression must match as a word)
   -p  is don't go into promiscuous mode
   -l  is make stdout line buffered
   -D  is replay pcap_dumps with their recorded time intervals
   -t  is print timestamp every time a packet is matched
   -T  is print delta timestamp every time a packet is matched
   -M  is don't do multi-line match (do single-line match instead)
   -I  is read packet stream from pcap format file pcap_dump
   -O  is dump matched packets in pcap format to pcap_dump
   -n  is look at only num packets
   -A  is dump num packets after a match
   -s  is set the bpf caplen
   -S  is set the limitlen on matched packets
   -W  is set the dump format (normal, byline, single, none)
   -c  is force the column width to the specified size
   -P  is set the non-printable display char to what is specified ngrep 
   -F  is read the bpf filter from the specified file
   -N  is show sub protocol number
   -d  is use specified device instead of the pcap default
   -K  is kill matching TCP connections


cyborg@cyborg:~$ sudo ngrep -d any port 80
interface: any
filter: (ip or ip6) and ( port 80 )
T -> [A]
T -> [AP]
  GET / HTTP/1.1..Host: keep-alive..Accept: text/htm
  -Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) Appl
  eWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36..Accep
  t-Encoding: gzip, deflate..Accept-Language: en-US,en;q=0.8....             
T -> [A]
  HTTP/1.1 200 OK..Date: Mon, 16 Nov 2015 10:03:21 GMT..Server: Apache/2.4.7 
  (Ubuntu)..Last-Modified: Tue, 30 Sep 2014 04:50:44 GMT..ETag: "2cf6-5044120
  3ff100-gzip"..Accept-Ranges: bytes..Vary: Accept-Encoding..Content-Encoding
  : gzip..Content-Length: 3256..Keep-Alive: timeout=5, max=100..Connection: K
  eep-Alive..Content-Type: text/html...............Z.s.6.....U..$'....."...1.
  .`.o.. c>.,&s%W.,..f3N."._p O.R..gYb2.....diL.....x.|p|:....?16&.\.wA.$Z.4.

Leave a reply


We're are building as a community and a team. Be a part of it.


©2017 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?