
ngrep(1)

Network grep: search for and display packets matching a pattern on a network interface.


Synopsis

ngrep [OPTIONS] [PCRE] [FILTER]

Description

ngrep is a network packet analyzer that allows you to search for, display, and understand network traffic based on pattern matching. It combines the filtering capabilities of tcpdump with the pattern matching of grep to find specific data within network packets. Unlike tcpdump which shows packet headers, ngrep displays packet payload content and can search for ASCII text or hexadecimal patterns.

ngrep uses PCRE (Perl Compatible Regular Expressions) for pattern matching and can apply BPF (Berkeley Packet Filter) syntax for network filtering. It's useful for debugging protocols, monitoring specific traffic types, and analyzing network communications in real time.

Common options

Flag             What it does
-d <device>      Listen on the specified network interface (e.g., eth0, wlan0)
-I <file>        Read packets from a pcap file instead of a live interface
-p               Do not put the interface into promiscuous mode
-q               Quiet mode; print only packet headers and their payloads
-v               Invert match; show packets that do NOT match the pattern
-X               Interpret the pattern as a hexadecimal string instead of text
-i               Case-insensitive pattern matching
-w               Match the pattern as a whole word only
-n <count>       Exit after matching count packets
-W <format>      Set the display format (normal, byline, single or none)
-O <file>        Write matched packets to a pcap file
-s <bytes>       Capture only the first bytes of each packet (snapshot length)

Examples

Display packets on eth0 whose payload contains 'HTTP'

ngrep -d eth0 'HTTP'

Search for the word 'password' in TCP traffic on port 80

ngrep -d eth0 'password' 'tcp port 80'

Case-insensitive search for 'login' or 'LOGIN' or any case variation

ngrep -d eth0 -i 'login'

Search for hexadecimal pattern '48656c6c6f' (which is 'Hello' in ASCII)

ngrep -d eth0 -X '48656c6c6f'

Show DNS traffic on port 53 that does NOT contain the word 'DNS'

ngrep -d eth0 -v 'DNS' 'port 53'

Search for 'GET' requests in a previously captured pcap file

ngrep -I capture.pcap 'GET' 'tcp port 80'

Capture 100 packets whose payload starts with 'GET' and save them to capture.pcap

ngrep -d eth0 -O capture.pcap -n 100 '^GET'

Quietly match SMTP greeting responses, showing only the matching packets

ngrep -d eth0 -q '^220.*SMTP'
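
The examples above print matching payloads. When reviewing a saved capture it is often enough to know how many packets match each pattern, so the following added example (not part of ngrep or of the original page) runs the page's patterns against a pcap file and reports counts only. The function names, the check names and the 'tcp port 25' filter are assumptions; the flags are the ones in ngrep's man page (-I reads a pcap file, -i ignores case, -q is quiet mode).

```sh
#!/bin/sh
# Added example: count matches per check in a saved capture; no payloads shown.
# ngrep flags (per its man page): -I <file> read pcap, -i ignore case, -q quiet.
NGREP=${NGREP:-ngrep}   # assumption: ngrep is on PATH; override for a dry run

# count_matches PCAP REGEX BPF -> prints the number of matching packets
count_matches() {
    # ngrep prints one header line per displayed packet, for example
    #   T 10.0.0.5:51000 -> 10.0.0.9:80 [AP]
    # (T = TCP, U = UDP, I = ICMP); payload lines are indented, so
    # counting header lines counts packets. grep -c exits 1 on zero hits.
    "$NGREP" -q -i -I "$1" "$2" "$3" | grep -Ec '^[TUI] [^ ]+ -> ' || true
}

# audit_pcap PCAP -> one "check count" line per check.
# Returns 1 if 'password' was seen on cleartext HTTP, 2 on setup errors.
audit_pcap() {
    command -v "$NGREP" >/dev/null 2>&1 || { echo "ngrep not found" >&2; return 2; }
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    pw=$(count_matches "$1" 'password' 'tcp port 80')
    echo "http-password $pw"
    echo "http-login $(count_matches "$1" 'login' 'tcp port 80')"
    echo "http-get $(count_matches "$1" '^GET' 'tcp port 80')"
    # Port 25 is an assumption; the page's SMTP example has no BPF filter.
    echo "smtp-banner $(count_matches "$1" '^220.*SMTP' 'tcp port 25')"
    [ "$pw" -eq 0 ]
}

# Run only when a capture file is given: ./audit.sh capture.pcap
if [ "$#" -gt 0 ]; then
    audit_pcap "$1"
fi
```

A non-zero exit status makes the script usable as a gate in a test pipeline that records traffic from an application under test.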

Related commands