ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
ngrep has traditionally been used to debug plaintext protocol interactions such as HTTP, SMTP, FTP, etc., to identify and analyze anomalous network communications such as those between worms, viruses and/or zombies, and to store, read and reprocess pcap dump files while looking for specific data patterns. On the other hand, it can be used to do the more mundane plaintext credential collection as with HTTP Basic Authentication, FTP or POP3 authentication, and so forth. Like all useful tools, it can be used for good and bad.
Visit the Usage Section and learn more about how ngrep works and can be leveraged to see all sorts of neat things.
Please visit the Download Section to check if your platform is supported and to download source or precompiled binaries.
Please note that ngrep relies upon the pcap library, which can be downloaded from tcpdump.org for the UNIX version and winpcap.org for the Win32 version. See the INSTALL.txt documentation contained inside the Source Package for more detailed installation instructions.
To report bugs please use the Bug Tracker. To submit a feature request please use the RFE Tracker. Finally, to submit any patches please use the Patch Manager. For all other feedback items, please email the author directly.