Monitoring network traffic using ‘ngrep’ command


Developers who work on Linux-based operating systems, or who use the command prompt, may be familiar with this topic. But I guess not all of them are, because I was also unaware of it some years ago and one of my clients told me about ‘ngrep’.

In this article I will tell you about “Monitoring incoming network traffic using ngrep”. First, let’s understand what ‘ngrep’ is.

# What is ngrep

I guess everybody is familiar with pattern matching using the ‘grep’ command. ‘ngrep’ is basically a software package that applies the pattern matching of ‘grep’ to traffic passing through the network.

‘ngrep’ is a packet analyzer, or packet sniffer, used to monitor network traffic. It uses the packet capture library pcap together with grep-style pattern matching to capture traffic passing through the network. It was written by American software architect and entrepreneur Jordan Ritter.

Since ‘ngrep’ uses simple pattern matching logic, it is faster and more reliable than other traffic monitoring commands. ngrep can also be used to capture traffic on the wire and store pcap dump files, or to read files generated by other sniffer applications, such as tcpdump or Wireshark. ngrep has various options, or command line arguments.

# Installing ngrep

Installing ngrep on Ubuntu takes a single command. It is available through apt-get, and anyone can install it using

$ apt-get install ngrep


Since ngrep is already installed on my computer, it shows ‘ngrep is already the newer version’. The latest stable release is ngrep 1.47, and it includes some major fixes.

# Supported OS

ngrep is open source and its source code is available on GitHub. It is supported on various operating systems:

  • Linux 2.0+ (RH6+, SuSE, TurboLinux, Debian, Gentoo, Ubuntu, Mandrake, Slackware)/x86, RedHat/alpha Cobalt, (Qube2) Linux/MIPS
  • Solaris 2.5.1, 2.6/SPARC, Solaris 7, Solaris 8/SPARC, Solaris 9/SPARC
  • FreeBSD 2.2.5, 3.1, 3.2, 3.4-RC, 3.4-RELEASE, 4.0, 5.0
  • OpenBSD 2.4 (after upgrading pcap from 0.2), 2.9, 3.0, 3.1+
  • NetBSD 1.5/SPARC
  • Digital Unix V4.0D (OSF/1), Tru64 5.0, Tru64 5.1A
  • HPUX 11
  • IRIX
  • AIX
  • BeOS R5
  • Mac OS X 10+
  • Windows 95, 98, NT, 2000, XP, 2003/x86, 7, 8, 8.1, 10

# How to use

Basic usage : Monitoring network traffic is very easy using ngrep. It supports BPF filter logic, which means that constraining what ngrep sees and displays is as easy as saying something like “ngrep host <hostname> and port 25”. Some examples are as follows:

  • Monitor all activity crossing source or destination port 25 (SMTP).

$ ngrep -d any port 25

  • Monitor any network-based syslog traffic for the occurrence of the word “error”. ngrep knows how to convert service port names (on UNIX, located in “/etc/services”) to port numbers.

$ ngrep -d any 'error' port syslog

  • Monitor any traffic crossing source or destination port 21 (FTP), looking case-insensitively for the words “user” or “pass”, matched as word-expressions (the match term(s) must have non-alphanumeric, delimiting characters surrounding them).

$ ngrep -wi -d any 'user|pass' port 21

HTTP Debugging: This is most useful when you want to see which packets are arriving at the server while running a website or working on REST APIs, because you can directly check what packets are coming in to the server and what it is returning.

$ ngrep port 80

Processing PCAP dump files, looking for patterns : To save a PCAP dump file from ngrep is very easy; simply run ngrep as you normally would but add one more command line option: “-O some.file.dump” (the name of the file is largely irrelevant). To illustrate another feature of ngrep, we will use the “-T” option (print time differential information).

$ ngrep -O /tmp/dns.dump -d any -T port domain

Processing PCAP dump files, looking for patterns

“-t” means print the absolute timestamp on the packet

“-D” means replay the packets by the time interval at which they were recorded.
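To make the dump-file workflow concrete, here is an added Python sketch (not ngrep's code and not from the original article) of what reading a capture back and matching a pattern involves: it parses a classic little-endian pcap file and applies a case-insensitive, word-delimited pattern to each TCP/UDP payload, as the “-wi ... 'user|pass' port 21” example above does. The function names, addresses and sample payloads are constructed for illustration, and the word-boundary regex is an approximation of “-w” based on the description above.

```python
import re
import struct

def build_sample_pcap(payloads, sport=40000, dport=21):
    """Constructed sample: one Ethernet/IPv4/TCP frame per payload, classic pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1: Ethernet
    for ts, payload in enumerate(payloads):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))  # checksums left 0
        frame = b"\x02" * 6 + b"\x06" * 6 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", 1700000000 + ts, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, src_port, dst_port, payload) for IPv4 TCP/UDP over Ethernet."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian microsecond pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        pkt = data[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # too short, or not IPv4
        l4 = 14 + (pkt[14] & 0x0F) * 4  # Ethernet header + IP header length
        if pkt[23] == 6 and len(pkt) >= l4 + 20:    # TCP: header length from data offset
            hdr = (pkt[l4 + 12] >> 4) * 4
        elif pkt[23] == 17 and len(pkt) >= l4 + 8:  # UDP: fixed 8-byte header
            hdr = 8
        else:
            continue
        sport, dport = struct.unpack_from("!HH", pkt, l4)
        end = 14 + struct.unpack_from("!H", pkt, 16)[0]  # IP total length drops padding
        yield ts_sec + ts_usec / 1e6, sport, dport, pkt[l4 + hdr:end]

def grep_packets(data, pattern, port=None, word=False, ignore_case=False):
    """Return packets whose payload matches pattern (bytes regex), optionally by port."""
    if word:  # approximation of -w: no alphanumeric character on either side of the match
        pattern = rb"(?<![A-Za-z0-9])(?:" + pattern + rb")(?![A-Za-z0-9])"
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [(ts, sp, dp, pl) for ts, sp, dp, pl in read_pcap(data)
            if (port is None or port in (sp, dp)) and rx.search(pl)]

if __name__ == "__main__":
    sample = build_sample_pcap([b"USER alice\r\n", b"200 bypass superusers ok\r\n"])
    for hit in grep_packets(sample, rb"user|pass", port=21, word=True, ignore_case=True):
        print(hit)
```

With word matching enabled, the “bypass superusers” line is not reported, because “pass” and “user” there are not delimited by non-alphanumeric characters.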

That’s all about ngrep. If you guys have some more information, do let me know in the comment section.

Try ngrep. It is really helpful.
