Overview
ngrep (Network Grep) is a packet sniffer that applies a regular expression (or, with -X, a hex byte string) to the application-layer payload of every packet that passes an optional BPF filter. It combines tcpdump-style kernel filtering with grep-style matching, which makes it a quick way to find specific requests, protocol commands or strings on the wire without first writing a pcap file and dissecting it separately. Because it matches bytes as they appear on the wire, only cleartext protocols are searchable: TLS, SSH and other encrypted payloads never match a plaintext pattern.
ngrep captures live traffic from an interface or reads a saved pcap file (-I) and prints matching packets with their endpoints, TCP flags and payload in a human-readable form. It is commonly used for debugging network issues, spotting suspicious traffic, and inspecting plaintext protocol exchanges.
Installation
Linux (Debian/Ubuntu)
sudo apt-get update
sudo apt-get install ngrep
Linux (RedHat/CentOS/Fedora)
sudo yum install ngrep
# or
sudo dnf install ngrep
macOS
brew install ngrep
Kali Linux
sudo apt-get install ngrep
Verify Installation
ngrep -V   # ngrep has short options only; --version is not recognised
ngrep -h
Basic Syntax
ngrep [options] <match expression> [bpf filter]
# Options come first. The first non-option argument is the regex (or the hex string when -X
# is given) and everything after it is joined into the BPF filter. Putting options after the
# pattern only works where getopt permutes arguments (glibc); on macOS/BSD it does not.
Core Concepts
| Concept | Description |
|---|---|
| Pattern | Regular expression to match against packet payloads |
| BPF Filter | Berkeley Packet Filter for initial packet filtering (optional) |
| Interface | Network interface to capture from (default: first available) |
| Payload | Application data within packets (after protocol headers) |
| Live Capture | Real-time monitoring of network traffic |
| PCAP File | Pre-recorded packet capture file for offline analysis |
Essential Commands
| Option | Description |
|---|---|
| ngrep -q | Quiet mode: suppress the per-packet "#" progress marks and print only matches |
| ngrep -h | Show help message and exit |
| ngrep -V | Show version information |
| ngrep -d interface | Network interface to sniff on (`-d any` for all interfaces on Linux) |
| ngrep -p | Do not put the interface into promiscuous mode |
| ngrep -i pattern | Case-insensitive pattern matching |
| ngrep -v pattern | Invert match: show packets whose payload does NOT match |
| ngrep -w pattern | Match the pattern only as a whole word |
| ngrep -X hexstring | Treat the match expression as raw bytes in hex (e.g. `-X 160301`) instead of a regex; cannot be combined with -i or -w |
| ngrep -I file | Read packets from a pcap file instead of a live capture |
| ngrep -O file | Write matched packets to a pcap file |
| ngrep -x | Dump matched payloads as hex and ASCII |
| ngrep -n count | Stop after N matching packets |
| ngrep -A count | Also print the N packets following each match (packets, not lines, and whether or not they match) |
| ngrep -S limitlen | Only match against the first limitlen bytes of each packet |
| ngrep -t / -T | Print an absolute (YYYY/MM/DD HH:MM:SS.UUUUUU) or delta (+S.UUUUUU) timestamp on each match |
| ngrep -W byline | Print the payload line by line (readable for HTTP, SMTP and other text protocols) |
| ngrep -l | Line-buffer stdout (needed when piping live output into grep, awk or tee) |
Common Pattern Examples
Search for HTTP Requests
ngrep -q "^(GET|POST) " "tcp port 80"
Search for TLS Handshake Records
# A TLS record starts with content type 0x16 (handshake) followed by the record version,
# 0x0301 for most ClientHellos or 0x0303; -X matches those raw bytes instead of a regex
ngrep -q -X "160301" "tcp port 443"
ngrep -q "^\x16\x03[\x01\x03]" "tcp port 443"   # regex form; \x escapes need a PCRE build of ngrep
Find DNS Queries for a Domain
# DNS names are length-prefixed labels (\x07example\x03com) with no literal dots; the regex
# "." matches the length byte in their place, which is why the plain name still works
ngrep -q "example.com" "udp port 53"
ngrep -q "." "udp port 53"   # every DNS message with a payload
Search for FTP Authentication
ngrep "^USER|^PASS" "tcp port 21"
Match Email Addresses in Traffic
ngrep "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" tcp
Find Telnet Login Prompts and Credentials
ngrep -q -i "login|username|password" "tcp port 23"
# SSH (port 22) is encrypted after the version banner exchange; credentials never appear in its payload
Search for SQL Queries (MySQL)
ngrep -q -i "SELECT|INSERT|UPDATE|DELETE" "tcp port 3306"
Find Unencrypted Passwords
ngrep "pass|pwd|password" "tcp"
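To try the patterns above offline rather than against live traffic, the following added script (not part of ngrep or this page's original content) writes a small pcap of constructed packets: an HTTP GET, a DNS query for a made-up name, an FTP USER/PASS pair and a TLS handshake record header, all between the invented addresses 192.168.1.100 and 10.0.0.1. It builds the Ethernet/IPv4/TCP/UDP headers by hand with valid checksums, and `dns_qname` shows the label encoding that makes `ngrep "example.com"` match without a literal dot on the wire.

```python
"""Constructed pcap fixture for exercising the ngrep patterns on this page offline.
Added example; not part of ngrep. All addresses, names and payloads are made up."""
import socket
import struct

LINKTYPE_ETHERNET = 1
SRC_MAC = bytes.fromhex("020000000001")   # locally administered, made-up MACs
DST_MAC = bytes.fromhex("020000000002")
CLIENT, SERVER = "192.168.1.100", "10.0.0.1"   # constructed endpoints


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header that TCP and UDP checksums are computed over."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, proto, length)


def tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal PSH|ACK segment (20-byte header) with a valid checksum so Wireshark does not flag it."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    csum = inet_checksum(pseudo_header(src, dst, 6, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP datagram; a computed checksum of zero is transmitted as 0xFFFF per RFC 768."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = inet_checksum(pseudo_header(src, dst, 17, length) + hdr + payload) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + payload


def ipv4_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Ethernet II + IPv4 header (DF set, TTL 64) around a transport segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return DST_MAC + SRC_MAC + b"\x08\x00" + hdr + l4


def dns_qname(name: str) -> bytes:
    """DNS wire format: each label is prefixed by its length and there are no dots.
    The regex "." in ngrep matches the length byte, which is why "example.com" still matches."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A query: 12-byte header, question name, QTYPE=A, QCLASS=IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + dns_qname(name) + struct.pack("!HH", 1, 1)


def build_fixture() -> list:
    """Frames that the HTTP, DNS, FTP and TLS patterns on this page should match."""
    http = b"GET /api/users HTTP/1.1\r\nHost: api.example.com\r\n\r\n"
    # TLS record header (handshake, version 3.1, length 5) followed by a stub 5-byte body
    tls_hello = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"
    return [
        ipv4_frame(CLIENT, SERVER, 6, tcp_segment(CLIENT, SERVER, 40001, 80, http)),
        ipv4_frame(CLIENT, SERVER, 17, udp_datagram(CLIENT, SERVER, 40002, 53, dns_query("api.example.com"))),
        ipv4_frame(CLIENT, SERVER, 6, tcp_segment(CLIENT, SERVER, 40003, 21, b"USER alice\r\n")),
        ipv4_frame(CLIENT, SERVER, 6, tcp_segment(CLIENT, SERVER, 40003, 21, b"PASS hunter2\r\n")),
        ipv4_frame(CLIENT, SERVER, 6, tcp_segment(CLIENT, SERVER, 40004, 443, tls_hello)),
    ]


def write_pcap(path: str, frames: list) -> int:
    """Write a classic (non-pcapng) pcap file; returns the number of records written."""
    with open(path, "wb") as f:
        # magic, version 2.4, tz offset, sigfigs, snaplen, link type
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return len(frames)


if __name__ == "__main__":
    print(write_pcap("fixture.pcap", build_fixture()), "packets written to fixture.pcap")
```

Run it, then `ngrep -q -I fixture.pcap "^(GET|POST) " "tcp port 80"`, `ngrep -q -I fixture.pcap "example.com" "udp port 53"`, `ngrep -q -I fixture.pcap "^USER|^PASS" "tcp port 21"` and `ngrep -q -I fixture.pcap -X 160301 "tcp port 443"` are each expected to report their one or two matching packets; a pattern that prints nothing against the fixture is wrong before it is ever pointed at live traffic.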
Advanced Usage
Capture HTTP Headers and Content
ngrep -q -W byline "^(GET|POST|HTTP/1\.)" "tcp port 80"
# -W byline prints each payload line on its own line so headers stay readable;
# the pattern catches both request lines and response status lines
Monitor Specific IP Address
ngrep -q "." "host 192.168.1.100"
Capture All Traffic Between Two IPs
ngrep -q "." "host 192.168.1.100 and host 192.168.1.50"
Find Traffic on Specific Subnet
ngrep -q "." "net 192.168.1.0/24"
Capture and Save Matching Packets
ngrep -q -O matches.pcap "pattern" "tcp"
Analyze Saved PCAP File
ngrep -q -I saved_capture.pcap "pattern"
# Options go before the pattern; everything after the pattern is parsed as the BPF filter
Case-Insensitive Search with Trailing Packets
ngrep -i -q -A 3 "login" "tcp port 21"   # -A 3 also prints the 3 packets after each match
Invert Match: Port-80 Payloads That Do Not Contain "HTTP"
ngrep -q -v "HTTP" "tcp port 80"
# Shows e.g. body continuation segments or non-HTTP protocols squatting on port 80
Show Hex and ASCII Output
ngrep -q -x "pattern" "tcp"
Limit Matches to N Packets
ngrep -q -n 10 "GET|POST" "tcp port 80"
Protocol-Specific Examples
Monitor SMTP Traffic
ngrep -q "EHLO|MAIL FROM|RCPT TO|DATA" "tcp port 25"
Analyze IMAP Commands
ngrep -q "LOGIN|SELECT|FETCH|LOGOUT" "tcp port 143"
Capture POP3 Sessions
ngrep -q "USER|PASS|RETR|DELE" "tcp port 110"
Monitor SNMP Traffic
ngrep -q "." "udp port 161"
Analyze DHCP Packets
# The message type is DHCP option 53 (0x35), one byte: 1 DISCOVER, 2 OFFER, 3 REQUEST, 5 ACK.
# It is binary, so the strings "DHCPDISCOVER" etc. never appear in the payload; match the bytes
ngrep -q -X "350101" "udp port 67 or udp port 68"   # DHCPDISCOVER
ngrep -q -X "350105" "udp port 67 or udp port 68"   # DHCPACK
Monitor LDAP Queries (Plaintext Port 389)
# LDAP is BER-encoded; operation names such as SearchRequest are dissector labels, not payload
# text. Attribute names, DNs and filter values do appear literally
ngrep -q -i "sAMAccountName|objectClass|cn=" "tcp port 389"
Capture RDP Traffic Indicators
ngrep -q "mstshash" "tcp port 3389"
# Only the initial X.224 connection request (which may carry "Cookie: mstshash=<user>") is
# plaintext; the session is TLS/CredSSP protected after that
BPF Filter Examples
| Filter | Description |
|---|---|
| tcp port 80 | TCP traffic on port 80 |
| udp port 53 | UDP traffic on port 53 |
| host 10.0.0.1 | Traffic to or from a specific IP |
| net 192.168.0.0/16 | Traffic to or from a subnet |
| src 10.0.0.1 | Traffic from a source IP (same as src host 10.0.0.1) |
| dst 10.0.0.1 | Traffic to a destination IP |
| port 443 | Traffic on port 443 (TCP or UDP) |
| tcp and port 22 | TCP traffic on port 22 (same as tcp port 22) |
| not port 22 | Exclude SSH traffic |
| tcp portrange 1-1024 | TCP on well-known ports |
| src net 10.0.0.0/8 and not dst net 10.0.0.0/8 | Traffic leaving a subnet (negation is "not", there is no "!host" form) |
Real-World Usage Examples
Find Cleartext Credentials
ngrep -i -q -A 2 "password|passwd|pwd" "tcp"
Monitor Web Application Traffic
ngrep -q "^(GET|POST|PUT|DELETE) " "tcp port 80 or tcp port 8080"
# Plaintext verbs never appear on TLS ports such as 443 or 8443; only the ClientHello
# SNI hostname is visible there (see the API example below)
Inspect Outbound Traffic Leaving the Local Subnet
ngrep -q -x "." "src net 192.168.1.0/24 and not dst net 192.168.1.0/24"
# BPF has no "host !x" syntax; negate with "not". A "." pattern matches every payload, so
# combine it with -n or -O rather than watching it live for long
Analyze API Calls Over TLS
ngrep -q "api\.example\.com" "tcp port 443"
# Matches the plaintext SNI in the ClientHello. Paths such as /api/ are inside the encrypted
# record and cannot be matched; use port-80 traffic or a TLS-terminating proxy for those
Monitor Database Traffic
ngrep -q -i "SELECT|INSERT|UPDATE|DELETE" "tcp port 3306 or tcp port 5432"
# MSSQL (port 1433) carries SQL as UTF-16LE inside TDS, so an ASCII regex never matches;
# use a NUL-interleaved pattern such as "S\x00E\x00L\x00E\x00C\x00T" (PCRE build) instead
Capture Traffic From a Suspected Compromised Host
ngrep -q -O c2_traffic.pcap "." "host 192.168.1.100"
# Saves every packet with a payload to pcap; dissect it afterwards with tshark or Wireshark
Use BPF Filters to Reduce Load
# Better: the BPF filter runs in the kernel, so only port-80 segments are copied to ngrep
ngrep -q "GET|POST" "tcp port 80"
# Worse: every packet is copied to userspace and regex-matched
ngrep -q "GET|POST"
Limit Output Size
ngrep -q -n 100 "pattern" "tcp"   # stop after 100 matches
ngrep -q -S 512 "pattern" "tcp"   # only match against the first 512 bytes of each packet
Hostname Lookups
# ngrep prints numeric addresses and never performs reverse DNS, so no tcpdump-style "-n"
# flag is needed. In ngrep, -n is the match-count limit shown above.
Comparison with Similar Tools
| Tool | Purpose | Advantages |
|---|---|---|
| ngrep | Pattern matching on packets | Regex support, simple syntax |
| tcpdump | Capture and display packets | Raw packet capture, flexible |
| tshark | Packet analysis | Protocol dissection, detailed |
| Wireshark | GUI packet analysis | Visual interface, comprehensive |
| strings | Extract ASCII from files | File analysis, simple |
Common Troubleshooting
Permission Denied
# ngrep needs root or CAP_NET_RAW (plus CAP_NET_ADMIN to enter promiscuous mode)
sudo ngrep "pattern"
# or grant the capabilities to the binary (its path varies by distribution; Debian installs /usr/bin/ngrep)
sudo setcap cap_net_raw,cap_net_admin=eip "$(command -v ngrep)"
ngrep "pattern"
ngrep -p "pattern"   # -p skips promiscuous mode if you only want to grant CAP_NET_RAW
Interface Not Found
# ngrep has no interface-listing option; find the name with the OS tools
ip -br link    # Linux
tcpdump -D     # any platform with libpcap
ngrep -q -d eth0 "pattern"
ngrep -q -d any "pattern"   # Linux "any" pseudo-interface, all interfaces at once
No Matches Found
# Check the interface is seeing traffic at all; "." matches any non-empty payload
ngrep -q -d eth0 "."
# TLS, SSH and other encrypted payloads never match a plaintext regex, however correct it is
Pattern Syntax Issues
# [0-9]+ is a character class; escaping the brackets makes it match the literal text "[0-9]+"
ngrep "[0-9]+" tcp
# Escape metacharacters that should be literal, such as the dots in an IP address or hostname
ngrep "10\.0\.0\.1" tcp
# \s (whitespace) needs a PCRE build of ngrep; quoting the filter keeps the shell from expanding it
ngrep "GET\s+/api" "tcp port 80"
Security Considerations
- Always obtain proper authorization before sniffing network traffic
- ngrep requires root/elevated privileges to capture packets
- Sensitive data (passwords, tokens) may be visible in plaintext traffic
- Use appropriate filters to avoid capturing unrelated traffic
- Consider privacy implications when capturing traffic from other users
- Secure any captured pcap files containing sensitive information
Tips and Tricks
Create Regex for Complex Patterns
# Match "pass=" / "password:" style fields (\s needs a PCRE build)
ngrep -q -i "pass(word)?\s*[=:]" "tcp"
# Match URLs
ngrep -q 'https?://[^\s"]+' "tcp"
# Match email addresses
ngrep -q "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]+" "tcp"
# Pipe to grep for further filtering (-l line-buffers stdout so output is not held back)
ngrep -l -q "pattern" | grep "specific"
# Count matches: each match prints one header line starting with the protocol letter
# (T, U, I, G), so count those; wc -l would also count the payload lines
ngrep -l -q "pattern" | grep -c '^[TUIG?] '
# Save for later analysis
ngrep -q -O traffic.pcap "pattern"
Background Monitoring
# Run ngrep in the background and log output; -l line-buffers, -t timestamps each match
nohup ngrep -l -t -q "pattern" > traffic.log 2>&1 &
# Monitor a specific interface continuously and keep the raw matched packets as well
nohup ngrep -l -t -q -d eth0 -O matches.pcap "pattern" > traffic.log 2>&1 &
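The "Count matches" tip and the "Find Cleartext Credentials" example both leave you with raw ngrep text to sift through. The following added script (not part of ngrep or this page's original content) parses the header lines ngrep prints in its default dump mode, counts matches per flow and pulls out FTP USER/PASS and HTTP Basic credentials, decoding the latter since Basic auth is base64, not encryption. The header layout it assumes (protocol letter, optional -t timestamp, `src:port -> dst:port`, optional TCP flags, `#N`) and the sample output it ships with are constructed; check them against your own build's output before relying on the regex.

```python
"""Summarise ngrep text output: matched packets per flow and credential-looking fields.
Added helper; not part of ngrep. Feed it `ngrep -l -q [-t] ...` output on stdin."""
import base64
import re
import sys
from collections import Counter

# Assumed header layout: protocol letter, optional -t timestamp, "src:port -> dst:port",
# optional TCP flags in brackets, then "#N" with N the running match count.
HEADER_RE = re.compile(
    r"^(?P<proto>[A-Z?]) (?:(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) )?"
    r"(?P<src>\S+) -> (?P<dst>\S+)(?: \[(?P<flags>[A-Z]*)\])? #(?P<n>\d+)$"
)
# Plaintext credential carriers: FTP/POP3 USER and PASS, HTTP Basic auth.
CRED_RE = re.compile(r"\b(USER|PASS|Authorization: Basic)[ :=]+(\S+)")

# Constructed sample in the shape of `ngrep -q -t` output; not captured from a real network.
# ngrep renders non-printable bytes (the CRLFs here) as dots.
SAMPLE = """\
T 2024/01/15 10:22:33.100000 192.168.1.100:40003 -> 10.0.0.1:21 [AP] #1
  USER alice..
T 2024/01/15 10:22:33.200000 192.168.1.100:40003 -> 10.0.0.1:21 [AP] #2
  PASS hunter2..
U 2024/01/15 10:22:34.000000 192.168.1.100:40002 -> 10.0.0.1:53 #3
  .4.........api.example.com.....
T 2024/01/15 10:22:35.000000 192.168.1.101:51000 -> 10.0.0.1:80 [AP] #4
  GET /login HTTP/1.1..Host: intranet..Authorization: Basic Ym9iOnNlY3JldA==....
"""


def parse(text: str):
    """Yield (header fields, payload text) for each matched packet in ngrep's default dump mode."""
    header, payload = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                yield header, "".join(payload)
            header, payload = m.groupdict(), []
        elif header is not None:
            payload.append(line.strip())
    if header is not None:
        yield header, "".join(payload)


def summarise(text: str):
    """Return (Counter of matches per (proto, src host, dst host:port), list of credential hits)."""
    flows = Counter()
    creds = []
    for h, body in parse(text):
        src_host = h["src"].rsplit(":", 1)[0]
        flows[(h["proto"], src_host, h["dst"])] += 1
        for kind, value in CRED_RE.findall(body):
            value = value.rstrip(".")            # drop the dots ngrep printed for CR/LF
            if kind.endswith("Basic"):           # Basic auth is base64-encoded user:password
                try:
                    value = base64.b64decode(value).decode("utf-8", "replace")
                except ValueError:
                    pass
            creds.append((src_host, h["dst"], kind, value))
    return flows, creds


def report(text: str, out=sys.stdout) -> int:
    """Print the summary; returns the total number of matched packets."""
    flows, creds = summarise(text)
    total = sum(flows.values())
    out.write(f"{total} matched packets across {len(flows)} flows\n")
    for (proto, src, dst), n in flows.most_common():
        out.write(f"  {n:4d}  {proto} {src} -> {dst}\n")
    for src, dst, kind, value in creds:
        out.write(f"  {kind} from {src} to {dst}: {value}\n")
    return total


if __name__ == "__main__":
    report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE)
```

Typical use is `ngrep -l -q -t -i "USER|PASS|Authorization" "tcp port 21 or tcp port 80" | python3 ngrep_summary.py`; without stdin it runs against the built-in sample. Keying flows on the source host rather than the ephemeral source port is what lets repeated logins from one client collapse into a single count.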
Related Tools
- tcpdump - Lower-level packet capture and filtering
- tshark - Terminal-based Wireshark with protocol dissection
- Wireshark - Comprehensive GUI packet analyzer
- suricata - Network threat detection engine
- zeek - Network security monitoring platform
- strings - Extract ASCII strings from binary data
References
- ngrep man page: `man ngrep`
- Official documentation and examples
- BPF filter syntax: `man pcap-filter`
- Regular expression syntax: `man pcrepattern` or `man pcre2pattern`, depending on which PCRE library ngrep was built against