Program: ngrep
Author: Jordan Ritter <jpr5@darkridge.com>
Version: 1.35 (10.13.99)
Goal:
A program that mimics as much functionality in GNU grep as
possible, applied at the network layer.
Description:
ngrep strives to provide most of GNU grep's common features,
applying them to the network layer. ngrep is a pcap-aware tool that
will allow you to specify extended regular expressions to match
against data payloads of packets. It currently recognizes TCP, UDP
and ICMP across Ethernet, PPP, SLIP and null interfaces, and
understands bpf filter logic in the same fashion as more common
packet sniffing tools, such as tcpdump and snoop.
Usage:
ngrep <-hvViwqex> <-n num> <-d dev> <-A num> <regex> <pcap filter logic>
-h is help/usage
-v is invert match
-V is version information
-i is ignore case
-w is word-regex (expression must match as a word)
-q is be quiet
-e is show empty packets
-x is print in alternate hexdump format
-n is look at only num packets
-d is use a device different from the default (pcap)
-A is dump num packets after a match
<regex> is any extended regular expression (metachars are
significant and don't have to be escaped)
<filter> is any pcap filter statement
As of v1.28, ngrep doesn't require a regex. There are cases where
it will be confused and think part of your bpf filter is the regex,
as in:
% ngrep not port 80
interface: eth0 (192.168.1.0/255.255.255.0)
filter: ip and ( port 80 )
match: not
In cases like this, you will need to specify a blank regex:
% ngrep '' not port 80
interface: eth0 (192.168.1.0/255.255.255.0)
filter: ip and ( not port 80 )
Examples:
o ngrep -qd eth1 'HTTP' tcp port 80
Be quiet, look only at tcp packets with either source or dest port
80 on interface eth1, look for anything matching 'HTTP'.
o ngrep -qd le0 port 53
Watch all tcp and udp port 53 (nameserver) traffic on interface
le0. Be quiet.
o ngrep 'USER|PASS' tcp port 21
Look only at tcp packets with either source or dest port 21, look
for anything resembling an FTP login.
o ngrep -wi 'user|pass' tcp port 21
Look at tcp packets with either source or dest port 21, that match
either 'user' or 'pass' (case insensitively) as a word.
o ngrep -wiA 2 'user|pass' tcp port 21
Alternatively, match either 'user' or 'pass' case insensitively,
and dump the next 2 packets following (that match the bpf filter).
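The matching semantics of -i, -w, -v and -A used in the examples above, as an added Python illustration that is not part of ngrep itself. The FTP session payloads are constructed for the example and are assumed to have already passed the pcap filter 'tcp port 21'; only the regex side of ngrep is modelled here.

```python
import re

# Constructed sample: payloads of packets that already matched the pcap
# filter "tcp port 21" (an invented FTP login, one payload per packet).
PACKETS = [
    b"220 ftp.example.test FTP server ready\r\n",
    b"USER alice\r\n",
    b"331 Password required for alice\r\n",
    b"PASS hunter2\r\n",
    b"230 Login successful\r\n",
    b"SYST\r\n",
    b"PWD\r\n",
]


def build_regex(pattern, ignore_case=False, word=False):
    # -w: the expression must match as a whole word, so it is wrapped
    #     in word boundaries; -i: case-insensitive matching.
    if word:
        pattern = r"\b(?:" + pattern + r")\b"
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(pattern.encode(), flags)


def ngrep_payloads(packets, pattern, ignore_case=False, word=False,
                   invert=False, after=0):
    # Return the indices of the packets ngrep would print.
    # invert (-v): print packets whose payload does NOT match.
    # after (-A num): also print the num packets following each match,
    #   whether or not they match the regex themselves.
    rx = build_regex(pattern, ignore_case, word)
    shown = []
    trailing = 0  # packets still owed from the most recent match
    for idx, payload in enumerate(packets):
        hit = bool(rx.search(payload))
        if invert:
            hit = not hit
        if hit:
            shown.append(idx)
            trailing = after
        elif trailing > 0:
            shown.append(idx)
            trailing -= 1
    return shown


if __name__ == "__main__":
    # Equivalent of: ngrep -wiA 2 'user|pass' tcp port 21
    for i in ngrep_payloads(PACKETS, "user|pass", ignore_case=True,
                            word=True, after=2):
        print(i, PACKETS[i].rstrip().decode())
```

Note that with -w the "331 Password required" reply is no longer a match for 'pass' on its own; it is printed only because it follows the USER packet within the -A window.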
Known Working Platforms:
o Linux 2.0.x, Linux 2.2.x
o Solaris 2.5.1, 2.6
o FreeBSD 2.2.5, 3.1
o OpenBSD 2.4 (after upgrading pcap from 0.2)
Thanks:
o dugsong@monkey.org - for submitting compilation patches
o Andrew W. Flury <aflury@nas.nasa.gov> - for submitting the hexdump
patch