From ForensicsWiki
Revision as of 19:37, 4 August 2008 by .FUF

Maintainer: Jordan Ritter
OS: Linux
Genre: Network forensics
License: GPL

Ngrep is a tool that applies GNU grep's pattern-matching features to the network layer.

Ngrep recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces.
Example 1: dump all common HTTP requests on a live network (eth0):

ngrep -qd eth0 '^(GET|POST|HEAD|CONNECT)' 'tcp'

Example 2: the same, but from a network dump (out.pcap):

ngrep -qI out.pcap '^(GET|POST|HEAD|CONNECT)' 'tcp'
Ngrep cannot reconstruct data streams: it has no ability to match a string that is broken across two or more packets.
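The following Python script is an added illustration, not part of the ForensicsWiki page or of ngrep itself, of why the per-packet matching used in the examples above misses a request whose method is split across TCP segments. It applies the same pattern, ^(GET|POST|HEAD|CONNECT), once per packet (ngrep's behaviour) and once per reassembled stream. The packets, stream ids and sequence numbers are constructed for the example; the reassembly is a toy that only sorts segments by sequence number and ignores overlaps and sequence wrap.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample segments: (stream id, TCP sequence number, payload).
# Stream A carries a request whose method arrives whole in one segment.
# Stream B carries the same request, but the request line is split across
# two segments ("GE" + "T /..."), so no single payload starts with GET.
# The B segments are listed out of order to show reassembly sorting them.
PACKETS: List[Tuple[str, int, bytes]] = [
    ("A", 1, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("B", 3, b"T /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("B", 1, b"GE"),
]

# Same pattern as the ngrep examples, anchored to the start of the payload.
HTTP_METHOD = re.compile(rb"^(GET|POST|HEAD|CONNECT)")


def match_per_packet(packets: List[Tuple[str, int, bytes]],
                     pattern: "re.Pattern[bytes]" = HTTP_METHOD) -> List[Tuple[str, int]]:
    """Mimic ngrep: test the regex against each packet payload on its own."""
    hits = []
    for stream, seq, payload in packets:
        if pattern.search(payload):
            hits.append((stream, seq))
    return hits


def reassemble(packets: List[Tuple[str, int, bytes]]) -> Dict[str, bytes]:
    """Toy reassembly: order each stream's segments by sequence number and join."""
    streams: Dict[str, List[Tuple[int, bytes]]] = {}
    for stream, seq, payload in packets:
        streams.setdefault(stream, []).append((seq, payload))
    return {s: b"".join(p for _, p in sorted(segs)) for s, segs in streams.items()}


def match_per_stream(packets: List[Tuple[str, int, bytes]],
                     pattern: "re.Pattern[bytes]" = HTTP_METHOD) -> List[str]:
    """Test the regex against the reassembled bytes of each stream."""
    return sorted(s for s, data in reassemble(packets).items() if pattern.search(data))


if __name__ == "__main__":
    print("per-packet hits :", match_per_packet(PACKETS))   # only stream A
    print("per-stream hits :", match_per_stream(PACKETS))   # A and B
```

Per-packet matching reports only stream A; stream B's "GE" and "T /index.html ..." segments never match on their own, which is exactly the gap the caveat describes. When a capture must be searched for strings that may straddle segment boundaries, run the pattern over reassembled streams (a flow-reassembling tool or a script like this one) rather than relying on ngrep alone.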