Monitor network traffic with ngrep

June 10, 2005

When it comes to network monitoring, there are a number of available tools out there. However, one tool that administrators often overlook is the network grep (ngrep) tool.

As a network sniffer or monitor, ngrep is very similar in some respects to tcpdump, but it's somewhat different because you can use grep-style syntax to filter what you want.

Delivered each Tuesday, TechRepublic's free Linux NetNote provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!

Ngrep's most basic use is to listen to all traffic on an interface. However, you can extend this quite a bit to narrow down what you're looking for. Ngrep's syntax is similar to that of tcpdump. Here's an example:

$ ngrep port 80 and src host 192.168.5.10 and dst host 192.168.5.100

This monitors all traffic on port 80 from the host 192.168.5.10 to the host 192.168.5.100.

If you're interested in watching Telnet traffic, you can do so using ngrep. You can make it only return traffic that shows a login string by using grep-style syntax. Here's an example:

$ ngrep -q -t -wi "login" port 23

This tells ngrep to look for the string "login" as a word (without case sensitivity) on port 23 for any connection. In this case, ngrep operates in quiet mode so it only prints out matches. In addition, it timestamps them (as designated by the -t option).

Used in conjunction with tcpdump, ngrep can also be very valuable for searching standard pcap dump files to look for patterns. If you have a large dump file from tcpdump, you can use ngrep to examine it by using standard ngrep commands and issuing it an input file with the -I parameter. Here's an example:

$ ngrep -wi "login" port 23 -I /tmp/packet.dump

Copyright ©1995- 2003 CNET Networks, Inc. All Rights Reserved.
Visit us at www.TechRepublic.com