![\"\"](\"https:\/\/gtechbooster.com\/media\/2025\/08\/jesdphis.avif\")
<\/a><\/div><\/div>It allows you to specify an extended regular or hexadecimal expression to match against data payloads (the actual information or message in transmitted data, but not auto-generated metadata) of packets.<\/p>\n\n\n\n
This tool works with various types of protocols, including IPv4\/6, TCP, UDP, ICMPv4\/6, IGMP as well as Raw on a number of interfaces. It operates in the same fashion as\u00a0tcpdump packet sniffing tool<\/a>.<\/p>\n\n\n\n The package\u00a0ngrep\u00a0is available to install from the default system repositories in mainstream Linux distributions using package management tool as shown.<\/p>\n\n\n\n After installing ngrep<\/strong>, you can start analyzing traffic on your Linux network using following examples.<\/p>\n\n\n\n 1.<\/strong> The following command will help you match all ping requests on the default working interface. You need to open another terminal and try to ping another remote machine. The You can press 3.<\/strong> If you are surfing the web, then run the following command to monitor which files your browser is requesting:.<\/p>\n\n\n\n 4.<\/strong> To see all activity crossing source or destination port 25<\/strong> (SMTP<\/strong>), run the following command.<\/p>\n\n\n\n 5.<\/strong> To monitor any network-based syslog traffic for the occurrence of the word \u201cerror\u201d<\/strong>, use the following command.<\/p> Importantly, this tool can convert service port names stored in \u201c\/etc\/services\u201d<\/strong> (on Unix-like systems such as Linux) to port numbers. This command is equivalent to the above command.<\/p>\n\n\n\n 6.<\/strong> You can also run ngrep against an HTTP<\/strong> server (port 80<\/strong>), it will match all requests to the destination host as shown.<\/p>\n\n\n\n As you can see in the above output all HTTP headers transmission are displayed in their gory detail. It\u2019s hard to parse though, so let\u2019s watch what happens when you apply 7.<\/strong> To print a timestamp<\/strong> in the form of YYYY\/MM\/DD HH:MM:SS.UUUUUU<\/strong> every time a packet is matched, use the -t<\/strong> flag.<\/p>\n\n\n\n 8.<\/strong> To avoid putting the interface being monitored into promiscuous mode (where it intercepts and reads each network packet that arrives in its entirety), add the 9.<\/strong> Another important option is For more information, see the ngrep<\/strong> man page.<\/p>\n\n\n\n ngrep Github repository: https:\/\/github.com\/jpr5\/ngrep<\/a><\/p>\n\n\n\n That\u2019s all! Ngrep<\/strong> (network grep<\/strong>) is a network packet analyzer that understands BPF filter logic in the same fashion tcpdump.<\/p>\n$ sudo apt install ngrep\n$ sudo yum install ngrep\n$ sudo dnf install ngrep<\/pre>\n\n\n\n
-q<\/code> flag tell ngrep<\/strong> to work quietly, to not output any information other than packet headers and their payloads.<\/p>\n\n\n\n$ sudo ngrep -q '.' 'icmp'<\/strong>\ninterface: enp0s3 (192.168.0.0\/255.255.255.0)\nfilter: ( icmp ) and ((ip || ip6) || (vlan && (ip || ip6)))\nmatch: .\nI 192.168.0.104 -> 192.168.0.103 8:0\n]...~oG[....j....................... !\"#$%&'()*+,-.\/01234567\nI 192.168.0.103 -> 192.168.0.104 0:0\n]...~oG[....j....................... !\"#$%&'()*+,-.\/01234567\nI 192.168.0.104 -> 192.168.0.103 8:0\n]....oG[............................ !\"#$%&'()*+,-.\/01234567\nI 192.168.0.103 -> 192.168.0.104 0:0\n]....oG[............................ !\"#$%&'()*+,-.\/01234567\n<\/pre>\n\n\n\n
Ctrl + C<\/code> to terminate it.
2.<\/strong> To match only traffic going to a particular destination site, for instance \u2018google.com\u2019<\/strong>, run the following command, then try to access it from a browser.<\/p>\n\n\n\n$ sudo ngrep -q '.' 'host google.com'<\/strong>\ninterface: enp0s3 (192.168.0.0\/255.255.255.0)\nfilter: ( host google.com ) and ((ip || ip6) || (vlan && (ip || ip6)))\nmatch: .\nT 172.217.160.174:443 -> 192.168.0.103:54008 [AP]\n..................;.(...RZr..$....s=..l.Q+R.U..4..g.j..I,.l..:{y.a,....C{5>......p..@..EV..\nT 172.217.160.174:443 -> 192.168.0.103:54008 [AP]\n.............l.......!,0hJ....0.%F..!...l|.........PL..X...t..T.2DC..... ..y...~Y;.$@Yv.Q6\n<\/pre>\n\n\n\n$ sudo ngrep -q '^GET .* HTTP\/1.[01]'<\/strong>\ninterface: enp0s3 (192.168.0.0\/255.255.255.0)\nfilter: ((ip || ip6) || (vlan && (ip || ip6)))\nmatch: ^GET .* HTTP\/1.[01]\nT 192.168.0.104:43040 -> 172.217.160.174:80 [AP]\nGET \/ HTTP\/1.1..Host: google.com..User-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64;\nGNU C 4.8.5; text)..Accept: *\/*..Accept-Language: en,*;q=0.1..Accept-\nEncoding: gzip, deflate, bzip2..Accept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,\nISO-8859-5,ISO-8859-6,ISO-8859-7,ISO-8859-8,ISO-8859-9,ISO-8859-10,I\nSO-8859-13,ISO-8859-14,ISO-8859-15,ISO-8859-16,windows-1250,windows-1251,windows-1252,windows-1256,\nwindows-1257,cp437,cp737,cp850,cp852,cp866,x-cp866-u,x-mac,x-mac-ce,x-\nkam-cs,koi8-r,koi8-u,koi8-ru,TCVN-5712,VISCII,utf-8..Connection: keep-alive....<\/pre>\n\n\n\n
$ sudo ngrep port 25<\/strong><\/pre>\n\n\n\n
<\/a><\/div><\/div>\n\n\n\n$ sudo ngrep -d any 'error' port 514\n<\/pre>\n\n\n\n
$ sudo ngrep -d any 'error' port syslog<\/pre>\n\n\n\n
$ sudo ngrep port 80<\/strong>\ninterface: eth0 (64.90.164.72\/255.255.255.252)\nfilter: ip and ( port 80 )\n####\nT 67.169.59.38:42167 -> 64.90.164.74:80 [AP]\nGET \/ HTTP\/1.1..User-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; X11; Linux i\n686) Opera 7.21 [en]..Host: www.darkridge.com..Accept: text\/html, applicat\nion\/xml;q=0.9, application\/xhtml+xml;q=0.9, image\/png, image\/jpeg, image\/gi\nf, image\/x-xbitmap, *\/*;q=0.1..Accept-Charset: iso-8859-1, utf-8, utf-16, *\n;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0..Cookie: SQ\nMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e..Cookie2: $Version=1..Connection:\nKeep-Alive, TE..TE: deflate, gzip, chunked, identity, trailers....\n##<\/pre>\n\n\n\n
-W<\/code> byline mode.<\/p>\n\n\n\n$ sudo ngrep -W byline port 80<\/strong>\ninterface: eth0 (64.90.164.72\/255.255.255.252)\nfilter: ip and ( port 80 )\n####\nT 67.169.59.38:42177 -> 64.90.164.74:80 [AP]\nGET \/ HTTP\/1.1.\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera ...\nHost: www.darkridge.com.\nAccept: text\/html, application\/xml;q=0.9, application\/xhtml+xml;q=0.9 ...\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1.\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0.\nCookie: SQMSESSID=5272f9ae21c07eca4dfd75f9a3cda22e.\nCookie2: $Version=1.\nCache-Control: no-cache.\nConnection: Keep-Alive, TE.\nTE: deflate, gzip, chunked, identity, trailers.<\/pre>\n\n\n\n
$ sudo ngrep -t -W byline port 80<\/strong>\ninterface: enp0s3 (192.168.0.0\/255.255.255.0)\nfilter: ( port 80 ) and ((ip || ip6) || (vlan && (ip || ip6)))\n####\nT 2018\/07\/12 16:33:19.348084 192.168.0.104:43048 -> 172.217.160.174:80 [AP]\nGET \/ HTTP\/1.1.\nHost: google.com.\nUser-Agent: Links (2.13; Linux 4.17.6-1.el7.elrepo.x86_64 x86_64; GNU C 4.8.5; text).\nAccept: *\/*.\nAccept-Language: en,*;q=0.1.\nAccept-Encoding: gzip, deflate, bzip2.\nAccept-Charset: us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,ISO-8859-5,utf-8.\nConnection: keep-alive.<\/pre>\n\n\n\n
-p<\/code> flag.<\/p>\n\n\n\n$ sudo ngrep -p -W byline port 80<\/pre>\n\n\n\n
-N<\/code> which is useful in case you are observing raw or unknown protocols. It tells ngrep<\/strong> to display the sub-protocol number along with single-character identifier.<\/p>\n\n\n\n$ sudo ngrep -N -W byline<\/pre>\n\n\n\n
$ man ngrep<\/pre>\n\n\n\n