 A Look at ngrep
Ron McCarty
Network troubleshooting often requires a sniffer, and many network administrators automatically reach for tcpdump (http://www.tcpdump.org/), which is available across many platforms. With the growing number of application protocols carried over IP, administrators often need to look past the headers and into the packet payload to confirm that applications or users are actually sending the data the receiving end expects.
ngrep is a sniffer that can be used like tcpdump, with the additional capability of "grepping" the packet payload for a regular expression. Its regular expression support resembles that of GNU grep, including advanced features such as printing the packets that follow a match. ngrep is available at:
http://ngrep.sourceforge.net/
and requires libpcap, which is available at the tcpdump Web site:
http://www.tcpdump.org/
libpcap is already on systems that have tcpdump installed. Installation of ngrep is straightforward -- typically a configure, make, and make install will have it up and running. Because it uses libpcap, a wide range of interfaces and operating systems are supported.
ngrep, like tcpdump, accepts a BPF filter expression to select packets by protocol. The first argument is the regular expression to match against the payload; an empty pattern ('') matches every packet, so the following prints all UDP packets:
ngrep '' udp
or ICMP packets with:
ngrep '' icmp
Specific ports can be used.
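To make clear what ngrep is doing in the commands above, here is a small Python reimplementation of its core logic: select packets by protocol and port (what the BPF filter does), then run a regular expression over the Layer 4 payload only. This is an added example written for this page, not code from ngrep or the article; the packets are constructed in the script rather than captured, and the function names (build_ipv4, parse_ipv4, ngrep_like) are this example's own.

```python
"""Toy ngrep-style matcher over constructed IPv4 packets (added example, not ngrep code)."""
import re
import socket
import struct

IPPROTO = {"icmp": 1, "tcp": 6, "udp": 17}


def build_ipv4(proto, l4, src="10.0.0.1", dst="10.0.0.2"):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) followed by L4 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(l4), 0x1234, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def build_udp(sport, dport, data):
    """8-byte UDP header (checksum zero) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_tcp(sport, dport, data):
    """20-byte TCP header: data offset 5, flags PSH|ACK, checksum zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data


def build_icmp_echo(data):
    """ICMP echo request: type 8, code 0, checksum zero, id, sequence, then data."""
    return struct.pack("!BBHHH", 8, 0, 0, 0x4242, 1) + data


def parse_ipv4(pkt):
    """Return (proto, src, dst, sport, dport, payload). Ports are None for ICMP."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    l4 = pkt[ihl:]
    if proto == IPPROTO["udp"]:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
    elif proto == IPPROTO["tcp"]:
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4       # TCP data offset, in 32-bit words
        payload = l4[doff:]
    elif proto == IPPROTO["icmp"]:
        sport = dport = None
        payload = l4[8:]               # past type/code/checksum/id/seq
    else:
        sport = dport = None
        payload = l4
    return proto, src, dst, sport, dport, payload


def ngrep_like(packets, pattern, proto=None, port=None):
    """Emulate `ngrep PATTERN [proto] [port N]`.

    The protocol/port test plays the role of the BPF filter; the regex is then
    searched only in the L4 payload, never in the headers. An empty pattern
    matches every packet, like ngrep ''.
    """
    rx = re.compile(pattern.encode())
    hits = []
    for pkt in packets:
        p, src, dst, sp, dp, payload = parse_ipv4(pkt)
        if proto is not None and p != IPPROTO[proto]:
            continue
        if port is not None and port not in (sp, dp):
            continue
        if rx.search(payload):
            hits.append((src, dst, payload))
    return hits


# Constructed sample traffic (not a real capture): a DNS query, an HTTP request, an ICMP echo.
SAMPLE = [
    build_ipv4(17, build_udp(40000, 53,
               b"\x00\x01\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               b"\x07example\x03com\x00\x00\x01\x00\x01")),
    build_ipv4(6, build_tcp(50000, 80,
               b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")),
    build_ipv4(1, build_icmp_echo(b"abcdefghijklmnop")),
]

if __name__ == "__main__":
    for label, hits in [("'' udp", ngrep_like(SAMPLE, "", "udp")),
                        ("'' icmp", ngrep_like(SAMPLE, "", "icmp")),
                        ("'example' udp port 53", ngrep_like(SAMPLE, "example", "udp", 53))]:
        print(label, "->", len(hits), "packet(s)")
```

The two ngrep invocations from the text correspond to ngrep_like(SAMPLE, "", "udp") and ngrep_like(SAMPLE, "", "icmp"). Note that the regular expression is applied after the header is skipped, which is why a pattern such as "example" hits both the DNS question and the HTTP Host header but a port restriction of 53 keeps only the DNS packet.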