ngrep

Overview

ngrep (Network Grep) is a network packet sniffer that allows you to search for network packets by applying regex patterns to data payloads. It combines the filtering power of tcpdump with the pattern matching capabilities of grep, making it ideal for finding specific traffic patterns, protocols, or content within network streams without needing to capture and analyze pcap files separately.

ngrep works with network interfaces to capture live traffic or read from pcap files, displaying matching packets in a human-readable format. It’s commonly used for debugging network issues, identifying suspicious traffic patterns, and analyzing communication protocols.

Installation

Linux (Debian/Ubuntu)

sudo apt-get update
sudo apt-get install ngrep

Linux (RedHat/CentOS/Fedora)

sudo yum install ngrep
# or
sudo dnf install ngrep

macOS

brew install ngrep

Kali Linux

sudo apt-get install ngrep

Verify Installation

ngrep --version
ngrep -h

Basic Syntax

ngrep [options] <pattern> [<bpf filter>]

Core Concepts

Concept	Description
Pattern	Regular expression to match against packet payloads
BPF Filter	Berkeley Packet Filter for initial packet filtering (optional)
Interface	Network interface to capture from (default: first available)
Payload	Application data within packets (after protocol headers)
Live Capture	Real-time monitoring of network traffic
PCAP File	Pre-recorded packet capture file for offline analysis

Essential Commands

Command	Description
ngrep -q	Quiet mode - only show matches without statistics
ngrep -h	Show help message and exit
ngrep -V	Show version information
ngrep -d interface	Specify network interface to sniff on
ngrep -i pattern	Case-insensitive pattern matching
ngrep -v pattern	Invert match - show packets that DON’T match
ngrep -D file	Read packets from pcap file instead of live capture
ngrep -O file	Write matched packets to pcap file
ngrep -w byteoffset	Show hex and ASCII for matched packets
ngrep -n count	Print first N matching packets
ngrep -A count	Print N lines of ASCII context after match
ngrep -X count	Print N lines of hex context

Common Pattern Examples

Search for HTTP Traffic

ngrep "^GET|^POST" "tcp port 80"

Search for HTTPS/TLS Handshake

ngrep "^(.?){5}(.?)(.?)\x16\x03\x01" tcp port 443

Find DNS Queries

ngrep "^(.?){2}(.?)" "udp port 53"

Search for FTP Authentication

ngrep "^USER|^PASS" "tcp port 21"

Match Email Addresses in Traffic

ngrep "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" tcp

Find Telnet/SSH Credentials

ngrep "login|username|password" "tcp port 23 or tcp port 22"

Search for SQL Queries

ngrep "SELECT|INSERT|UPDATE|DELETE" "tcp port 3306"

Find Unencrypted Passwords

ngrep "pass|pwd|password" "tcp"

Advanced Usage

Capture HTTP Headers and Content

ngrep -q -i "HTTP" "tcp port 80" -A 5

Monitor Specific IP Address

ngrep -q "." "host 192.168.1.100"

Capture All Traffic Between Two IPs

ngrep -q "." "host 192.168.1.100 and host 192.168.1.50"

Find Traffic on Specific Subnet

ngrep -q "." "net 192.168.1.0/24"

Capture and Save Matching Packets

ngrep -q "pattern" -O matches.pcap

Analyze Saved PCAP File

ngrep "pattern" -D saved_capture.pcap

Case-Insensitive Search with Context

ngrep -i -q "login" -A 3 "tcp port 21"

Invert Match - Find Non-HTTP Traffic

ngrep -q -v "HTTP" "tcp port 80"

Show Hex and ASCII Output

ngrep -q -w byteoffset "pattern" tcp

Limit Matches to N Packets

ngrep -q -n 10 "GET|POST" "tcp port 80"

Protocol-Specific Examples

Monitor SMTP Traffic

ngrep -q "EHLO|MAIL FROM|RCPT TO|DATA" "tcp port 25"

Analyze IMAP Commands

ngrep -q "LOGIN|SELECT|FETCH|LOGOUT" "tcp port 143"

Capture POP3 Sessions

ngrep -q "USER|PASS|RETR|DELE" "tcp port 110"

Monitor SNMP Traffic

ngrep -q "." "udp port 161"

Analyze DHCP Packets

ngrep -q "DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK" "udp port 67 or udp port 68"

Monitor LDAP Queries

ngrep -q "SearchRequest|SearchResultEntry" "tcp port 389"

Capture RDP Traffic Indicators

ngrep -q "." "tcp port 3389"

BPF Filter Examples

Filter	Description
tcp port 80	TCP traffic on port 80
udp port 53	UDP traffic on port 53
host 10.0.0.1	Traffic to/from specific IP
net 192.168.0.0/16	Traffic from subnet
src 10.0.0.1	Traffic from source IP
dst 10.0.0.1	Traffic to destination IP
port 443	Traffic on port 443 (TCP/UDP)
tcp and port 22	TCP traffic on port 22
not port 22	Exclude SSH traffic
tcp portrange 1-1024	TCP on well-known ports

Real-World Usage Examples

Find Cleartext Credentials

ngrep -i -q "password|passwd|pwd" "tcp" -A 2

Monitor Web Application Traffic

ngrep -q "GET|POST|PUT|DELETE" "tcp port 80 or tcp port 8080 or tcp port 8443"

Detect Exfiltration Attempts

ngrep -q "." "host !192.168.1.0/24" -w byteoffset

Analysis of API Calls

ngrep -q "api.example.com|/api/" "tcp port 443"

Monitor Database Traffic

ngrep -q "SELECT|INSERT|UPDATE|DELETE" "tcp port 3306 or tcp port 5432 or tcp port 1433"

Capture Malware C&C Communications

ngrep -q "." "host 192.168.1.100" -O c2_traffic.pcap

Performance Optimization

Use BPF Filters to Reduce Load

# Better - filter at kernel level
ngrep -q "GET|POST" "tcp port 80"

# Worse - captures all and filters in userspace
ngrep -q "GET|POST"

Limit Output Size

ngrep -q -n 100 "pattern" "tcp"

Disable DNS Reverse Lookups

ngrep -q -n "pattern"  # -n limits matches

Comparison with Similar Tools

Tool	Purpose	Advantages
ngrep	Pattern matching on packets	Regex support, simple syntax
tcpdump	Capture and display packets	Raw packet capture, flexible
tshark	Packet analysis	Protocol dissection, detailed
Wireshark	GUI packet analysis	Visual interface, comprehensive
strings	Extract ASCII from files	File analysis, simple

Common Troubleshooting

Permission Denied

# ngrep requires root or CAP_NET_RAW
sudo ngrep "pattern"
# or
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/ngrep
ngrep "pattern"

Interface Not Found

# List available interfaces
ngrep -D

No Matches Found

# Verify pattern is correct and interface has traffic
ngrep -q "." # Capture everything to see if interface is active

Pattern Syntax Issues

# Escape special regex characters
ngrep "\[0-9\]+" tcp  # Match numbers
ngrep "GET\s+/api" tcp port 80  # Match with whitespace

Security Considerations

• Always obtain proper authorization before sniffing network traffic
• ngrep requires root/elevated privileges to capture packets
• Sensitive data (passwords, tokens) may be visible in plaintext traffic
• Use appropriate filters to avoid capturing unrelated traffic
• Consider privacy implications when capturing traffic from other users
• Secure any captured pcap files containing sensitive information

Tips and Tricks

Create Regex for Complex Patterns

# Match common password patterns
ngrep "pass[word]*\s*=|password:\s*" "tcp"

# Match URL patterns
ngrep "https?://[^\s\"']+" "tcp"

# Match email patterns
ngrep "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]+" "tcp"

Combine with Other Tools

# Pipe to grep for further filtering
ngrep "pattern" | grep "specific"

# Count matches
ngrep -q "pattern" | wc -l

# Save for later analysis
ngrep "pattern" -O traffic.pcap

Background Monitoring

# Run ngrep in background and log output
ngrep "pattern" > traffic.log 2>&1 &

# Monitor specific interface continuously
ngrep -d eth0 -q "pattern" &

Related Tools

• tcpdump - Lower-level packet capture and filtering
• tshark - Terminal-based Wireshark with protocol dissection
• Wireshark - Comprehensive GUI packet analyzer
• suricata - Network threat detection engine
• zeek - Network security monitoring platform
• strings - Extract ASCII strings from binary data

References

• ngrep man page: man ngrep
• Official documentation and examples
• tcpdump/BPF filter syntax documentation
• Regular expression pattern matching guides