ngrep (network grep) is a network packet analyzer written by Jordan Ritter. It has a command-line interface, and relies upon the pcap library and the GNU regex library. ngrep supports Berkeley Packet Filter (BPF) logic to select network sources, destinations or protocols, and also allows matching patterns or regular expressions in the data payload of packets using GNU grep syntax, showing packet data in a human-friendly way. ngrep is an open source application, and the source code is available to download from the ngrep site on SourceForge. It can be compiled and ported to multiple platforms; it works in many UNIX-like operating systems (Linux, Solaris, illumos, BSD, AIX) and also works on Microsoft Windows.


Functionality

ngrep is similar to tcpdump, but it has the ability to look for a regular expression in the payload of the packet and show the matching packets on a screen or console. It allows users to see all unencrypted traffic being passed over the network by putting the network interface into promiscuous mode. With an appropriate BPF filter, ngrep can be used to debug plain-text protocol interactions such as HTTP, SMTP, FTP and DNS, among others, or to search for a specific string or pattern using regular expression syntax. ngrep can also be used to capture traffic on the wire and store pcap dump files, or to read files generated by other sniffer applications such as tcpdump or Wireshark. ngrep has various options or command-line arguments; the ngrep man page in UNIX-like operating systems shows a list of available options.


Using ngrep

In these examples, it is assumed that eth0 is the network interface in use.

* Capture network traffic incoming/outgoing to/from the eth0 interface and show the parameters following HTTP (TCP/80) GET or POST methods:

    ngrep -l -q -d eth0 -i "^GET |^POST " tcp and port 80

* Capture network traffic incoming/outgoing to/from the eth0 interface and show the HTTP (TCP/80) User-Agent string:

    ngrep -l -q -d eth0 -i "User-Agent: " tcp and port 80

* Capture network traffic incoming/outgoing to/from the eth0 interface and show the DNS (UDP/53) queries and responses:

    ngrep -l -q -d eth0 -i "" udp and port 53
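To make the two-stage model behind these commands concrete (first a BPF-style "tcp and port 80" selection, then a case-insensitive regular expression over the packet payload, as described under Functionality), here is an added example that is not ngrep's own code. It builds a small pcap file in memory from constructed Ethernet/IPv4 frames, parses it back, and reproduces the three invocations above as calls to a single function. It assumes Ethernet link type, IPv4 with TCP or UDP only, and performs no checksum validation; all addresses, ports and payloads are constructed sample data.

```python
"""ngrep-style payload search over a pcap buffer (added example, not ngrep's code).

Mimics the three commands from the section above: a 'tcp and port 80' or
'udp and port 53' style filter followed by a case-insensitive regex over the
packet payload. Handles only Ethernet/IPv4 with TCP or UDP, validates no
checksums, and the pcap data is constructed inline.
"""
import re
import struct
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution pcap, written little-endian here
LINKTYPE_ETHERNET = 1


@dataclass
class Match:
    proto: str
    src: str
    dst: str
    payload: bytes


def build_frame(proto, src, dst, sport, dport, payload):
    """Construct an Ethernet/IPv4/{TCP,UDP} frame (checksums left 0; constructed test data)."""
    if proto == "tcp":   # 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ipproto = 6
    else:                # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ipproto = 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ipproto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4     # zero MACs, EtherType IPv4


def build_pcap(frames):
    """Construct a pcap file: global header followed by one record per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_packets(pcap):
    """Yield (proto, src, dst, sport, dport, payload) for each IPv4 TCP/UDP packet."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (this example reads little-endian pcap only)")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled in this example")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", frame, 16)
        ipproto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl: 14 + total_len]
        if ipproto == 6 and len(l4) >= 20:
            sport, dport = struct.unpack_from("!HH", l4, 0)
            yield "tcp", src, dst, sport, dport, l4[(l4[12] >> 4) * 4:]
        elif ipproto == 17 and len(l4) >= 8:
            sport, dport = struct.unpack_from("!HH", l4, 0)
            yield "udp", src, dst, sport, dport, l4[8:]


def ngrep_like(pcap, pattern, proto=None, port=None, ignore_case=True):
    """Apply a 'proto and port N' style filter, then regex-search the payload.

    An empty pattern matches every packet that passes the filter, which is
    what ngrep -i "" udp and port 53 relies on.
    """
    rx = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    hits = []
    for p, src, dst, sport, dport, payload in iter_packets(pcap):
        if proto and p != proto:
            continue
        if port and port not in (sport, dport):
            continue
        if rx.search(payload):
            hits.append(Match(p, f"{src}:{sport}", f"{dst}:{dport}", payload))
    return hits


def render(m):
    """Roughly ngrep-like output line: T/U, endpoints, payload with non-printables as '.'."""
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in m.payload)
    return f"{m.proto[0].upper()} {m.src} -> {m.dst}  {text}"


# Constructed sample capture: two HTTP requests, one HTTP response, one DNS query, one SSH banner.
SAMPLE_PCAP = build_pcap([
    build_frame("tcp", "10.0.0.5", "10.0.0.9", 40000, 80,
                b"GET /index.html HTTP/1.1\r\nHost: www.example\r\nUser-Agent: curl/8.0\r\n\r\n"),
    build_frame("tcp", "10.0.0.9", "10.0.0.5", 80, 40000,
                b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    build_frame("tcp", "10.0.0.5", "10.0.0.9", 40001, 80,
                b"POST /login HTTP/1.1\r\nHost: www.example\r\n\r\nuser=alice"),
    build_frame("udp", "10.0.0.5", "10.0.0.1", 51000, 53,
                b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
    build_frame("tcp", "10.0.0.5", "10.0.0.9", 40002, 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
])

if __name__ == "__main__":
    # Equivalent of: ngrep -l -q -d eth0 -i "^GET |^POST " tcp and port 80
    for m in ngrep_like(SAMPLE_PCAP, "^GET |^POST ", proto="tcp", port=80):
        print(render(m))
```

Two points the paragraph alone does not show: the port filter runs before the regex, so the SSH banner in the sample never reaches the pattern even though an unanchored "ssh" search over the whole capture finds it; and the anchor `^` is applied to the start of each packet's payload, so a response such as `HTTP/1.1 200 OK` on the same port is not reported by the GET/POST pattern.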


Security

Capturing raw network traffic from an interface requires special privileges or superuser privileges on some platforms, especially on Unix-like systems. On those platforms ngrep's default behavior is to drop privileges and run as a specific unprivileged user. Like tcpdump, ngrep can also be used for the specific purpose of intercepting and displaying the communications of another user or computer, or of an entire network. A privileged user running ngrep on a server or workstation connected to a device configured with port mirroring on a switch, router, or gateway, or connected to any other device used for network traffic capture on a LAN, MAN, or WAN, can watch all unencrypted information related to login IDs, passwords, or URLs and the content of websites being viewed on that network.


Supported protocols

* IPv4 and IPv6, Internet Protocol version 4 and version 6
* TCP, Transmission Control Protocol
* UDP, User Datagram Protocol
* ICMPv4 and ICMPv6, Internet Control Message Protocol version 4 and version 6
* IGMP, Internet Group Management Protocol
* Ethernet, IEEE 802.3
* PPP, Point to Point Protocol
* SLIP, Serial Line Internet Protocol
* FDDI, Fiber Distributed Data Interface
* Token Ring, IEEE 802.5


See also

* Comparison of packet analyzers
* snoop, a command line packet analyzer included with Solaris and illumos
* dsniff, a packet sniffer and set of traffic analysis tools
* netsniff-ng, a free Linux networking toolkit
* etherape, a network mapping tool that relies on sniffing traffic
* tcptrace, a tool for analyzing the logs produced by tcpdump
* Microsoft Network Monitor, a packet analyzer
* xplico, a network forensics analysis tool




External links


* Official site for ngrep
* Ngrep - Linux man page