
Program: ngrep
Author: Jordan Ritter <jpr5@darkridge.com>
Version: 1.37 (1.31.00)


Goal:

  A program that mimics as much functionality of GNU grep as
  possible, applied at the network layer.


Description:

  ngrep strives to provide most of GNU grep's common features,
  applying them to the network layer.  ngrep is a pcap-aware tool that
  will allow you to specify extended regular expressions to match
  against data payloads of packets.  It currently recognizes TCP, UDP
  and ICMP across Ethernet, PPP, SLIP and null interfaces, and
  understands bpf filter logic in the same fashion as more common
  packet sniffing tools, such as tcpdump and snoop.

Usage:

  ngrep <-hViwqevxl> <-n num> <-d dev> <-A num> <regex> <pcap filter logic>

  -h  is help/usage
  -V  is version information
  -i  is ignore case
  -w  is word-regex (expression must match as a word)
  -q  is be quiet
  -e  is show empty packets
  -v  is invert match
  -x  is print in alternate hexdump format
  -l  is make stdout line buffered
  -n  is look at only num packets
  -d  is use a device different from the default (pcap)
  -A  is dump num packets after a match

  <regex>   is any extended regular expression (metachars are
            significant and don't have to be escaped)
  <filter>  is any pcap filter statement


  As of v1.28, ngrep doesn't require a regex.  There are cases where
  it will be confused and take the first word of your bpf filter to
  be the regex, as in:

  % ngrep not port 80
  interface: eth0 (192.168.1.0/255.255.255.0)
  filter: ip and ( port 80 )
  match: not

  In cases like this, you will need to specify a blank regex:

  % ngrep '' not port 80
  interface: eth0 (192.168.1.0/255.255.255.0)
  filter: ip and ( not port 80 )


Examples:

  o ngrep  -qd eth1  'HTTP'  tcp port 80

    Be quiet, look only at tcp packets with either source or dest port
    80 on interface eth1, and print anything matching 'HTTP'.

  o ngrep  -qd le0 port 53

    Watch all tcp and udp port 53 (nameserver) traffic on interface
    le0.  Be quiet.

  o ngrep  'USER|PASS'  tcp port 21

    Look only at tcp packets with either source or dest port 21, look
    for anything resembling an FTP login.

  o ngrep  -wi  'user|pass'  tcp port 21

    Look at tcp packets with either source or dest port 21, that match
    either 'user' or 'pass' (case insensitively) as a word.

  o ngrep -wiA 2  'user|pass'  tcp port 21
    Alternatively, match either 'user' or 'pass' case insensitively,
    and dump the next 2 packets following (that match the bpf filter).


Tips:

  o When the intention is to match all packets (i.e. blank regex), it
    is technically faster if you use an empty regex, '', than if you
    had used '.*' or '*'.

  o Always try to craft a BPF filter; this is doubly important on
    interfaces that are very busy and are seeing large numbers of
    packets.  The parser takes a certain amount of time per packet,
    and while that is negligible on a quiet interface, it can add up
    very quickly on a busy one.


Known Working Platforms:

  o Linux 2.0.x, Linux 2.2.x (RH6+, SuSE, TurboLinux)/x86, alpha
  o Solaris 2.5.1, 2.6/SPARC, Solaris 7/x86
  o FreeBSD 2.2.5, 3.1, 3.2, 4.0
  o OpenBSD 2.4 (after upgrading pcap from 0.2)
  o Digital Unix V4.0D (OSF/1)


Thanks:

  o dugsong@monkey.org - for submitting compilation patches
  o Andrew W. Flury <aflury@nas.nasa.gov> - for submitting the hexdump
    patch
  o Dave Dittrich <dittrich@cac.washington.edu> - for the use of his
    OSF/1 box
