Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
ngrep
open-in-new
<h2 id="functionality">Functionality</h2> <p>ngrep is similar to <a href="/facts/Tcpdump/BrEsLNUC">tcpdump</a>, but it has the ability to look for a <a href="/facts/Regular_expression/KFL3veHX">regular expression</a> in the payload of the packet, and show the matching packets on a screen or console. It allows users to see all unencrypted traffic being passed over the network, by putting the network interface into <a href="/facts/Promiscuous_mode/DBcSVsK4">promiscuous mode</a>. </p><p>ngrep with an appropriate BPF filter syntax, can be used to debug plain text protocols interactions like <a href="/facts/HTTP/TWtvf7JD">HTTP</a>, <a href="/facts/SMTP/TeCRKDpJ">SMTP</a>, <a href="/facts/FTP/THuWgzfw">FTP</a>, <a href="/facts/Domain_Name_System/rfxdWFsj">DNS</a>, among others, or to search for a specific <a href="/facts/String_(computer_science)/4ChJu5WS">string</a> or pattern, using a grep regular expression syntax.<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a><a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> </p><p>ngrep also can be used to capture traffic on the wire and store pcap dump files, or to read files generated by other sniffer applications like tcpdump or <a href="/facts/Wireshark/tTRY1DJr">wireshark</a>. </p><p>ngrep has various options or command line arguments. The ngrep <a href="/facts/Man_page/S2yYjy0J">man page</a> in <a href="/facts/UNIX-like/YAKrAxzd">UNIX-like</a> <a href="/facts/Operating_systems/8XTuvMh2">operating systems</a> show a list of available options. </p> <h2 id="using-ngrep">Using ngrep</h2> <p>In these examples, it is assumed that <i>eth0</i> is the used network interface. </p> <ul><li>Capture network traffic incoming/outgoing to/from eth0 interface and show parameters following HTTP (TCP/80) GET or POST methods</li></ul> ngrep -l -q -d eth0 -i "^GET |^POST " tcp and port 80 <ul><li>Capture network traffic incoming/outgoing to/from eth0 interface and show the HTTP (TCP/80) User-Agent string</li></ul> ngrep -l -q -d eth0 -i "User-Agent: " tcp and port 80 <ul><li>Capture network traffic incoming/outgoing to/from eth0 interface and show the DNS (UDP/53) querys and responses</li></ul> ngrep -l -q -d eth0 -i "" udp and port 53 <h2 id="security">Security</h2> <p>Capturing raw network traffic from an interface requires special privileges or <a href="/facts/Superuser/0Brr6ol7">superuser</a> privileges on some platforms, especially on Unix-like systems. ngrep default behavior is to drop privileges in those platforms, running under a specific unprivileged user. </p><p>Like tcpdump, it is also possible to use ngrep for the specific purpose of intercepting and displaying the communications of another user or computer, or an entire network. </p><p>A privileged user running ngrep in a server or workstation connected to a device configured with <a href="/facts/Port_mirroring/QgylR1gB">port mirroring</a> on a <a href="/facts/Switch/vqbNDgYm">switch</a>, <a href="/facts/Router_(computing)/Nh5cIyVf">router</a>, or <a href="/facts/Gateway_(telecommunications)/YTYSqhqN">gateway</a>, or connected to any other device used for network traffic capture on a <a href="/facts/Local_area_network/edUDxJ6J">LAN</a>, <a href="/facts/Metropolitan_area_network/NtJvkYjf">MAN</a>, or <a href="/facts/Wide_area_network/mAkW4gr3">WAN</a>, can watch all unencrypted information related to login ID's, passwords, or <a href="/facts/Uniform_Resource_Locator/pPD5g7Wq">URLs</a> and content of websites being viewed in that network. </p> <h2 id="supported-protocols">Supported protocols</h2> <ul><li><a href="/facts/IPv4/bnQ5MEqm">IPv4</a> and <a href="/facts/IPv6/d4dg7kIL">IPv6</a>, Internet Protocol version 4 and version 6</li> <li><a href="/facts/Transmission_Control_Protocol/WW4sPrt9">TCP</a>, Transmission Control Protocol</li> <li><a href="/facts/User_Datagram_Protocol/dxLU0D6q">UDP</a>, User Datagram Protocol</li> <li><a href="/facts/ICMPv4/VnrV56J0">ICMPv4</a> and <a href="/facts/ICMPv6/da3RlVb8">ICMPv6</a>, Internet Control Message Protocol version 4 and version 6</li> <li><a href="/facts/IGMP/MEzn1aTF">IGMP</a>, Internet Group Management Protocol</li> <li><a href="/facts/Ethernet/nMfhU8tU">Ethernet</a>, <a href="/facts/IEEE_802.3/Q9jxNSNT">IEEE 802.3</a></li> <li><a href="/facts/Point-to-Point_Protocol/XLaU6D71">PPP</a>, Point to Point Protocol</li> <li><a href="/facts/Serial_Line_Internet_Protocol/oqUaoA0f">SLIP</a>, Serial Line Internet Protocol</li> <li><a href="/facts/FDDI/nowmb0ue">FDDI</a>, Fiber Data Distribution Protocol</li> <li><a href="/facts/Token_Ring/mfQj6GSx">Token Ring</a>, <a href="/facts/IEEE_802.5/mfQj6GSx">IEEE 802.5</a></li></ul> <h2 id="see-also">See also</h2> <ul> <li>Free and open-source software portal</li></ul> <ul><li><a href="/facts/Comparison_of_packet_analyzers/FUUe4wcJ">Comparison of packet analyzers</a></li> <li><a href="/facts/Snoop_(software)/ofUCjQyY">snoop</a>, a <a href="/facts/Command_line/R9JpGmXQ">command line</a> <a href="/facts/Packet_analyzer/mFQP7gWB">packet analyzer</a> included with <a href="/facts/Solaris_(operating_system)/KPfT98EJ">Solaris</a> and <a href="/facts/Illumos/helcbXv6">illumos</a></li> <li><a href="/facts/Dsniff/NRwsVIBz">dsniff</a>, a <a href="/facts/Packet_sniffer/mFQP7gWB">packet sniffer</a> and set of traffic analysis tools</li> <li><a href="/facts/Netsniff-ng/xvYja66U">netsniff-ng</a>, a free Linux networking toolkit</li> <li><a href="/facts/Etherape/YhE4FTkf">etherape</a>, a network mapping tool that relies on sniffing traffic</li> <li><a href="/facts/Tcptrace/a5KT7V7S">tcptrace</a>, a tool for analyzing the logs produced by tcpdump</li> <li><a href="/facts/Microsoft_Network_Monitor/QLUp8BqC">Microsoft Network Monitor</a>, a <a href="/facts/Packet_analyzer/mFQP7gWB">packet analyzer</a></li> <li><a href="/facts/Xplico/qNgD4VyT">xplico</a>, a <a href="/facts/Network_forensics/gHXVqh07">network forensics</a> analysis tool</li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="http://ngrep.sourceforge.net/">Official site for ngrep</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>ngrep supported platforms <a href="http://ngrep.sourceforge.net/download.html" target="_blank">http://ngrep.sourceforge.net/download.html</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>ngrep and regular expressions <a href="http://www.stearns.org/doc/ngrep-intro.current.html" target="_blank">http://www.stearns.org/doc/ngrep-intro.current.html</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>ngrep usage <a href="http://ngrep.sourceforge.net/usage.html" target="_blank">http://ngrep.sourceforge.net/usage.html</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> </ol>