Ngrep

From aldeid
DRAFT
This page is still a draft. Thank you for your understanding.

Description

Installation

# apt-get install ngrep

Usage

Syntax

ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
      <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
      <-P char> <-F file> <match expression> <bpf filter>

Options

  -h  is help/usage
  -V  is version information
  -q  is be quiet (don't print packet reception hash marks)
  -e  is show empty packets
  -i  is ignore case
  -v  is invert match
  -R  is don't do privilege revocation logic
  -x  is print in alternate hexdump format
  -X  is interpret match expression as hexadecimal
  -w  is word-regex (expression must match as a word)
  -p  is don't go into promiscuous mode
  -l  is make stdout line buffered
  -D  is replay pcap_dumps with their recorded time intervals
  -t  is print timestamp every time a packet is matched
  -T  is print delta timestamp every time a packet is matched
  -M  is don't do multi-line match (do single-line match instead)
  -I  is read packet stream from pcap format file pcap_dump
  -O  is dump matched packets in pcap format to pcap_dump
  -n  is look at only num packets
  -A  is dump num packets after a match
  -s  is set the bpf caplen
  -S  is set the limitlen on matched packets
  -W  is set the dump format (normal, byline, single, none)
  -c  is force the column width to the specified size
  -P  is set the non-printable display char to what is specified
  -F  is read the bpf filter from the specified file
  -N  is show sub protocol number
  -d  is use specified device instead of the pcap default
  -K  is kill matching TCP connections

Some filters

The following invocations read a capture with -I, match each packet's payload against a file-format magic signature, and write the matching packets (not the carved file itself) to a new pcap with -O. With -X the match expression is read as raw hex bytes rather than a regex, and -x prints the hits as a hexdump. Note that ngrep matches packet by packet and does not reassemble TCP streams, so a signature split across two segments is not found; the match also has to be byte-exact, because the regex switches (-i, -w) do not apply to -X.

$ ngrep -I input.pcap -O output.gif.pcap 'GIF8(7a|9a)?'
$ ngrep -I input.pcap -O output.jpeg.pcap -xX '0xFFD8FF'
$ ngrep -I input.pcap -O output.pdf.pcap -xX '0x25504446'
$ ngrep -I input.pcap -O output.exe.pcap -xX '0x4D5A'
$ ngrep -I input.pcap -O output.3gp.pcap -xX '0x6674797033677034'

(0x6674797033677034 is the ASCII string "ftyp3gp4", the MP4/3GPP file-type box, so the last filter catches 3GP/MP4 video, not .torrent files.)
Other signatures that can be used the same way:

  Hex                                   Extension   Type
  00 00 00 18 66 74 79 70 33 67 70 35   MP4         MPEG-4 video (ftyp3gp5)
  00 00 01 B7                           MPEG, MPG   MPEG video file
  46 57 53                              SWF         Shockwave Flash file (v5+)
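Building the hex expression by hand is error-prone (the .torrent/3GP mix-up above is one example). The POSIX sh helpers below are an added example, not part of ngrep or of this page: sig2hex turns an ASCII magic string into the hex that -X expects, hex2sig decodes a hex string so a table entry can be checked before it is used, valid_hex applies ngrep's own constraint that the -X argument be an even-length hex string (optional 0x prefix), and ngrep_magic_cmds prints one ngrep command per "ext=signature" pair so the set of filters can be reviewed and then piped to sh. The function names and the ext=signature format are this example's own conventions.

```shell
#!/bin/sh
# Added helpers for ngrep -X (example code, not from the ngrep project).

# sig2hex STRING -> lower-case hex without 0x, e.g. "GIF89a" -> 474946383961
sig2hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# valid_hex HEX -> success if HEX (0x prefix optional) is non-empty,
# even-length and all hex digits; ngrep -X rejects anything else.
valid_hex() {
    h=${1#0x}
    [ -n "$h" ] || return 1
    [ $(( ${#h} % 2 )) -eq 0 ] || return 1
    case $h in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# hex2sig HEX -> the bytes as text, "." for anything outside printable ASCII,
# so you can see that 0x6674797033677034 is "ftyp3gp4" before matching on it.
hex2sig() {
    valid_hex "$1" || return 1
    hex=${1#0x}
    out=''
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}     # first two hex digits
        hex=${hex#??}
        dec=$((0x$byte))
        if [ "$dec" -ge 32 ] && [ "$dec" -le 126 ]; then
            out="$out$(printf "\\$(printf '%03o' "$dec")")"
        else
            out="$out."
        fi
    done
    printf '%s' "$out"
}

# ngrep_magic_cmds PCAP ext=SIG ... -> one ngrep line per ASCII signature.
# Matching is per packet (no stream reassembly) and -O keeps whole packets,
# so the output pcaps still need a carving tool to recover the files.
ngrep_magic_cmds() {
    pcap=$1; shift
    for pair in "$@"; do
        ext=${pair%%=*}
        hex=$(sig2hex "${pair#*=}")
        valid_hex "$hex" || { echo "skipping $ext: bad signature" >&2; continue; }
        printf "ngrep -I %s -O output.%s.pcap -xX '0x%s'\n" "$pcap" "$ext" "$hex"
    done
}

# Usage (constructed signatures, same ones as the page's filters):
#   ngrep_magic_cmds input.pcap gif=GIF89a pdf=%PDF exe=MZ 3gp=ftyp3gp4 | sh
```

Run the last line without the trailing `| sh` first to review the generated commands; only -I/-O/-x/-X from the options list above are used.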

Examples