Forensicswiki.org has moved to this site, forensicswiki.xyz. For information, please join the Google Group forensicswiki-reborn
Ngrep is a tool that provides GNU grep's features at the network layer, matching patterns against packet payloads.
Ngrep recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces.
Example 1: dump all common HTTP requests on a live network (eth0):
- ngrep -qd eth0 '^(GET|POST|HEAD|CONNECT)' 'tcp'
Example 2: the same, but from a network dump (out.pcap):
- ngrep -qI out.pcap '^(GET|POST|HEAD|CONNECT)' 'tcp'
Ngrep cannot reconstruct data streams, so it has no ability to match a string that is broken across two or more packets; each packet's payload is matched on its own.
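The limitation above is easy to miss when the examples on this page appear to work. The following Python script is an added illustration, not ngrep's code: it runs the same request-line expression over constructed TCP segment payloads once per packet (the way ngrep does) and once over the concatenated stream (a minimal stand-in for TCP reassembly). The payload bytes, the split of "POST" across two segments, and the use of re.MULTILINE so that "^" can match a request line inside the stream are all assumptions made for the example.

```python
"""Per-packet vs. stream-level pattern matching (added illustration, not ngrep code)."""
import re
from typing import List, Tuple

# Constructed sample payloads: three TCP segments of one client-to-server
# stream. The second request's method token "POST" is deliberately split
# across segments 1 and 2. These bytes are made up for the example.
SEGMENTS: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"PO",
    b"ST /login HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

# The same expression the page passes to ngrep. re.MULTILINE is an
# assumption for this example: it lets "^" match after every newline, so a
# request line anywhere in the data can match, not only at byte 0.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|CONNECT)", re.MULTILINE)


def match_per_packet(segments: List[bytes]) -> List[Tuple[int, bytes]]:
    """Apply the regex to each payload on its own, as ngrep does.

    Returns (segment_index, matched_method) pairs. A token that straddles a
    segment boundary never appears whole in any single payload, so it cannot
    match here.
    """
    hits: List[Tuple[int, bytes]] = []
    for idx, payload in enumerate(segments):
        for m in REQUEST_LINE.finditer(payload):
            hits.append((idx, m.group(1)))
    return hits


def match_reassembled(segments: List[bytes]) -> List[bytes]:
    """Concatenate the payloads in order (a minimal stand-in for TCP stream
    reassembly) and match once over the whole stream."""
    stream = b"".join(segments)
    return [m.group(1) for m in REQUEST_LINE.finditer(stream)]


def missed_by_packet_matching(segments: List[bytes]) -> List[bytes]:
    """Methods visible in the reassembled stream but absent from per-packet hits."""
    seen = [method for _, method in match_per_packet(segments)]
    missed: List[bytes] = []
    for method in match_reassembled(segments):
        if method in seen:
            seen.remove(method)
        else:
            missed.append(method)
    return missed


if __name__ == "__main__":
    print("per-packet  :", match_per_packet(SEGMENTS))
    print("reassembled :", match_reassembled(SEGMENTS))
    print("missed      :", missed_by_packet_matching(SEGMENTS))
```

Per-packet matching finds only the GET; the POST whose method token was split between segments is found only after the payloads are joined. For an investigation that must not miss such requests, run ngrep for quick triage and a stream-reassembling tool for the authoritative pass.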