ngrep - network grep

Jordan Ritter <>

1.45 (11/18/06)


ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

What's New:
  1. fixed bug bug where setting the snaplen smaller than the minimum necessary to read full headers would cause garbage to be fed into the pattern matcher

  2. fixed unreported bug in IPv6/TCP packet length calculation

  3. relocated the privilege-dropping routine to be invoked right before entering the packet processing loop, to prevent interference with necessary permissions to read or write dumpfiles/etc.

  4. fixed integer overflow with the snaplen that resulted from an implicit signed/unsigned conversion

  5. minor change to compensate for some broken compiler optimizers

  6. fixed double-free race condition during ngrep termination

  7. reworked packet length calculation in the main processing loop, improving performance and readability

  8. simplified regex build logic in configure and Makefile

  9. updated Win32 version to use config.h for preprocessor definitions instead of the Visual Studio project files, making manual tweaking and config of ngrep for Win32 consistent with *NIX and more obvious

  10. changed third-party Makefiles to properly clean up after themselves

  11. added support for radiotap (IEEE802_11_RADIO)

  12. changed ``-s 0'' invocation to mimic the equivalent of tcpdump

How to use ngrep:

ngrep has traditionally been used to debug plaintext protocol interactions such as HTTP, SMTP, FTP, etc., to identify and analyze anomalous network communications such as those between worms, viruses and/or zombies, and to store, read and reprocess pcap dump files while looking for specific data patterns. On the other hand, it can be used to do the more mundane plaintext credential collection as with HTTP Basic Authentication, FTP or POP3 authentication, and so forth. Like all useful tools, it can be used for good and bad.

Visit the Usage Section and learn more about how ngrep works and can be leveraged to see all sorts of neat things.

Getting ngrep:

Please visit the Download Section to check if your platform is supported and to download source or precompiled binaries.

Please note that ngrep relies upon the pcap library, which can be downloaded from for the UNIX version and for the Win32 version. See the INSTALL.txt documentation contained inside the Source Package for more detailed installation instructions.

Providing Feedback:

To report bugs please use the Bug Tracker. To submit a feature request please use the RFE Tracker. Finally, to submit any patches please use the Patch Manager. For all other feedback items, please email the author directly.