ngrep (

network Network, networking and networked may refer to: Science and technology * Network theory, the study of graphs as a representation of relations between discrete objects * Network science, an academic field that studies complex networks Mathematics ...

grep grep is a command-line utility for searching plaintext datasets for lines that match a regular expression. Its name comes from the ed command g/re/p (global regular expression search and print), which has the same effect. grep was originally de ...

) is a network

packet analyzer A packet analyzer (also packet sniffer or network analyzer) is a computer program or computer hardware such as a packet capture appliance that can analyze and log traffic that passes over a computer network or part of a network. Packet capt ...

written by

Jordan Ritter Jordan Ritter (born February 1, 1978) is an American serial entrepreneur, software architect and angel investor. He is best known for his work at Napster, the file-sharing service he co-founded along with Shawn Fanning and others. His time at Naps ...

. It has a

command-line interface A command-line interface (CLI) is a means of interacting with software via command (computing), commands each formatted as a line of text. Command-line interfaces emerged in the mid-1960s, on computer terminals, as an interactive and more user ...

, and relies upon the

pcap In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of ''packet capture'', that is not the API's proper name. Unix-like systems ...

library and the

GNU GNU ( ) is an extensive collection of free software (394 packages ), which can be used as an operating system or can be used in parts with other operating systems. The use of the completed GNU tools led to the family of operating systems popu ...

regex A regular expression (shortened as regex or regexp), sometimes referred to as rational expression, is a sequence of characters that specifies a match pattern in text. Usually such patterns are used by string-searching algorithms for "find" ...

library. ngrep supports

Berkeley Packet Filter The Berkeley Packet Filter (BPF; also BSD Packet Filter, classic BPF or cBPF) is a network tap and packet filter which permits computer network packets to be captured and filtered at the operating system level. It provides a raw interface to da ...

( BPF) logic to select network sources or destinations or protocols, and also allows matching patterns or

regular expressions A regular expression (shortened as regex or regexp), sometimes referred to as rational expression, is a sequence of character (computing), characters that specifies a pattern matching, match pattern in string (computer science), text. Usually ...

in the data payload of packets using

syntax, showing packet data in a human-friendly way. ngrep is an open source application, and the source code is available to download from the ngrep site on

GitHub GitHub () is a Proprietary software, proprietary developer platform that allows developers to create, store, manage, and share their code. It uses Git to provide distributed version control and GitHub itself provides access control, bug trackin ...

. It can be compiled and ported to multiple platforms, it works in many

UNIX-like A Unix-like (sometimes referred to as UN*X, *nix or *NIX) operating system is one that behaves in a manner similar to a Unix system, although not necessarily conforming to or being certified to any version of the Single UNIX Specification. A Uni ...

operating systems An operating system (OS) is system software that manages computer hardware and software resources, and provides common daemon (computing), services for computer programs. Time-sharing operating systems scheduler (computing), schedule tasks for ...

Linux Linux ( ) is a family of open source Unix-like operating systems based on the Linux kernel, an kernel (operating system), operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically package manager, pac ...

Solaris Solaris is the Latin word for sun. It may refer to: Arts and entertainment Literature, television and film * ''Solaris'' (novel), a 1961 science fiction novel by Stanisław Lem ** ''Solaris'' (1968 film), directed by Boris Nirenburg ** ''Sol ...

illumos Illumos (stylized as "illumos") is a partly free and open-source Unix operating system. It has been developed since 2010 and is based on OpenSolaris, after the discontinuation of that product by Oracle. It comprises a kernel, device driver ...

BSD The Berkeley Software Distribution (BSD), also known as Berkeley Unix or BSD Unix, is a discontinued Unix operating system developed and distributed by the Computer Systems Research Group (CSRG) at the University of California, Berkeley, beginni ...

AIX Aix or AIX may refer to: Computing * AIX, a line of IBM computer operating systems *Alternate index, for an IBM Virtual Storage Access Method key-sequenced data set * Athens Internet Exchange, a European Internet exchange point Places Belg ...

, and also works on

Microsoft Windows Windows is a Product lining, product line of Proprietary software, proprietary graphical user interface, graphical operating systems developed and marketed by Microsoft. It is grouped into families and subfamilies that cater to particular sec ...

.ngrep supported platforms
/ref>

Functionality

ngrep is similar to

tcpdump tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distr ...

, but it has the ability to look for a

regular expression A regular expression (shortened as regex or regexp), sometimes referred to as rational expression, is a sequence of characters that specifies a match pattern in text. Usually such patterns are used by string-searching algorithms for "find" ...

in the payload of the packet, and show the matching packets on a screen or console. It allows users to see all unencrypted traffic being passed over the network, by putting the network interface into

promiscuous mode In computer networking, promiscuous mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rath ...

. ngrep with an appropriate BPF filter syntax, can be used to debug plain text protocols interactions like

HTTP HTTP (Hypertext Transfer Protocol) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, wher ...

SMTP The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typi ...

FTP The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and dat ...

DNS The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various informatio ...

, among others, or to search for a specific

string String or strings may refer to: *String (structure), a long flexible structure made from threads twisted together, which is used to tie, bind, or hang other objects Arts, entertainment, and media Films * ''Strings'' (1991 film), a Canadian anim ...

or pattern, using a regular expression syntax.ngrep and regular expressions
/ref>
/ref> ngrep also can be used to capture traffic on the wire and store pcap dump files, or to read files generated by other sniffer applications like tcpdump or

wireshark Wireshark is a Free and open-source software, free and open-source packet analyzer. It is used for computer network, network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, ...

. ngrep has various options or command line arguments. The ngrep

man page A man page (short for manual page) is a form of software documentation found on Unix and Unix-like operating systems. Topics covered include programs, system libraries, system calls, and sometimes local system details. The local host administr ...

show a list of available options.

Using ngrep

In these examples, it is assumed that ''eth0'' is the used network interface. * Capture network traffic incoming/outgoing to/from eth0 interface and show parameters following HTTP (TCP/80) GET or POST methods ngrep -l -q -d eth0 -i "^GET , ^POST " tcp and port 80 * Capture network traffic incoming/outgoing to/from eth0 interface and show the HTTP (TCP/80) User-Agent string ngrep -l -q -d eth0 -i "User-Agent: " tcp and port 80 * Capture network traffic incoming/outgoing to/from eth0 interface and show the DNS (UDP/53) querys and responses ngrep -l -q -d eth0 -i "" udp and port 53

Security

Capturing raw network traffic from an interface requires special privileges or

superuser In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of the ...

privileges on some platforms, especially on Unix-like systems. ngrep default behavior is to drop privileges in those platforms, running under a specific unprivileged user. Like tcpdump, it is also possible to use ngrep for the specific purpose of intercepting and displaying the communications of another user or computer, or an entire network. A privileged user running ngrep in a server or workstation connected to a device configured with

port mirroring Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. This is commonly used for network appliances that require moni ...

on a

switch In electrical engineering, a switch is an electrical component that can disconnect or connect the conducting path in an electrical circuit, interrupting the electric current or diverting it from one conductor to another. The most common type o ...

, router, or gateway, or connected to any other device used for network traffic capture on a

LAN Lan or LAN may refer to: Science and technology * Local asymptotic normality, a fundamental property of regular models in statistics * Longitude of the ascending node, one of the orbital elements used to specify the orbit of an object in space * ...

MAN A man is an adult male human. Before adulthood, a male child or adolescent is referred to as a boy. Like most other male mammals, a man's genome usually inherits an X chromosome from the mother and a Y chromosome from the f ...

, or WAN, can watch all unencrypted information related to login ID's, passwords, or

URL A uniform resource locator (URL), colloquially known as an address on the Web, is a reference to a resource that specifies its location on a computer network and a mechanism for retrieving it. A URL is a specific type of Uniform Resource Identi ...

s and content of websites being viewed in that network.

Supported protocols

IPv4 Internet Protocol version 4 (IPv4) is the first version of the Internet Protocol (IP) as a standalone specification. It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. ...

and

IPv6 Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communication protocol, communications protocol that provides an identification and location system for computers on networks and routes traffic ...

, Internet Protocol version 4 and version 6 * TCP, Transmission Control Protocol * UDP, User Datagram Protocol * ICMPv4 and

ICMPv6 Internet Control Message Protocol version 6 (ICMPv6) is the implementation of the Internet Control Message Protocol (ICMP) for Internet Protocol version 6 (IPv6). ICMPv6 is an integral part of IPv6 and performs error reporting and diagnostic fu ...

, Internet Control Message Protocol version 4 and version 6 *

IGMP The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group memberships. IGMP is an integral part of IP multicast and allows the network to direct m ...

, Internet Group Management Protocol *

Ethernet Ethernet ( ) is a family of wired computer networking technologies commonly used in local area networks (LAN), metropolitan area networks (MAN) and wide area networks (WAN). It was commercially introduced in 1980 and first standardized in 198 ...

IEEE 802.3 IEEE 802.3 is a working group and a collection of standards defining the physical layer and data link layer's media access control (MAC) of wired Ethernet. The standards are produced by the working group of the Institute of Electrical and Electro ...

* PPP, Point to Point Protocol *

SLIP Slip or The Slip may refer to: * Slip (clothing), an underdress or underskirt Music * The Slip (band), a rock band * ''Slip'' (album), a 1993 album by the band Quicksand * ''The Slip'' (album) (2008), a.k.a. Halo 27, the seventh studio al ...

, Serial Line Internet Protocol *

FDDI Fiber Distributed Data Interface (FDDI) is a standard for data transmission in a local area network. It uses optical fiber as its standard underlying physical medium. It was also later specified to use copper cable, in which case it may be c ...

, Fiber Data Distribution Protocol *

Token Ring Token Ring is a Physical layer, physical and data link layer computer networking technology used to build local area networks. It was introduced by IBM in 1984, and standardized in 1989 as IEEE Standards Association, IEEE 802.5. It uses a sp ...

IEEE 802.5 Token Ring is a Physical layer, physical and data link layer computer networking technology used to build local area networks. It was introduced by IBM in 1984, and standardized in 1989 as IEEE Standards Association, IEEE 802.5. It uses a sp ...

References

{{Reflist

External links