ngrep is a "network grep" utility that can be used to match regular expressions within network packet payloads. This is a very handy utility as many network analyzers ("packet sniffers") can examine the packet header, but either do not display or cannot filter based on packet payload.
Most of the usage examples were obtained from the May 2001 Sys Admin magazine article featuring ngrep.
ngrep is available from http://ngrep.sourceforge.net/.
The UNIX version requires libpcap, installed as part of tcpdump (http://www.tcpdump.org/). The Windows version requires WinPcap.
Usage examples:
  ngrep '' udp                                 (print all UDP packets)
  ngrep '' icmp                                (print all ICMP packets)
  ngrep '' port 53                             (print TCP or UDP port 53 packets)
  ngrep '' tcp port 23                         (print TCP port 23 packets)
  ngrep 'LILWORD' port 138                     (print Microsoft browsing traffic for NT domain LILWORLD)
  ngrep -iq 'rcpt to|mail from' tcp port 25    (monitor current mail delivery and print sender and recipients)
  ngrep 'user' port 110                        (monitor POP3)
  ngrep -q 'abcd' icmp                         (Microsoft operating systems fill the ICMP payload with the alphabet; is the "pinging" host running a Microsoft operating system?)
  ngrep -iq 'user-agent' tcp port 80           (determine the client application that the client host is running)
  ngrep '220' port 21                          (determine the version of the FTP server)
  ngrep 'SSH' port 22                          (investigate Secure Shell)
  ngrep -v '' port 23                          (see all traffic but telnet)
  ngrep -d le0 ''                              (listen on le0)
Useful flags:
  -A n     (print "n" packets after each match)
  -i       (match the expression case-insensitively; used in several examples above)
  -q       (be quiet: print only matching packet headers and payloads, without the '#' marks for non-matching packets)
  -l       (make stdout line-buffered, so the output of ngrep can be piped to another program for further processing)
  -v       (invert the match: print only packets not matching the expression)
  -d dev   (specify the device you want to monitor)
If you are using the Windows version, substitute double quotes for
single quotes in the usage examples above.
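To show what sets ngrep apart from a header-only sniffer, here is an added example (not part of the original article and not ngrep's own code) that applies the same filter-then-regex logic in Python to a few constructed IPv4 packets: the packet builders, payload_of and ngrep_like are hypothetical helpers written for this page, and the hosts and payloads are made up.

```python
import re
import struct

# Helpers to build constructed IPv4 datagrams (no link-layer header); sample data only.
def ipv4(proto, src, dst, l4):
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip(src), ip(dst)) + l4

def tcp(sport, dport, data):  # 20-byte header, data offset 5, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data

def udp(sport, dport, data):  # fixed 8-byte header, checksum left zero
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def icmp_echo(data):  # type 8 (echo request), code 0, checksum 0, id 1, seq 1
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data

def payload_of(pkt):
    """Return (proto_name, sport, dport, payload) for one IPv4 datagram."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    l4 = pkt[ihl:]
    if proto == 6:   # TCP: skip the variable-length header (data offset in 32-bit words)
        return ("tcp", *struct.unpack("!HH", l4[:4]), l4[(l4[12] >> 4) * 4:])
    if proto == 17:  # UDP: fixed 8-byte header
        return ("udp", *struct.unpack("!HH", l4[:4]), l4[8:])
    if proto == 1:   # ICMP: 8-byte header, no ports, so a "port N" filter never matches it
        return ("icmp", None, None, l4[8:])
    return ("other", None, None, l4)

def ngrep_like(packets, pattern, proto=None, port=None, invert=False, ignore_case=False):
    """Mimic `ngrep [-i] [-v] PATTERN [proto] [port N]`: apply the header filter first,
    then regex-match the layer-4 payload. An empty pattern matches every packet, as '' does."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    hits = []
    for pkt in packets:
        name, sport, dport, data = payload_of(pkt)
        if (proto and name != proto) or (port is not None and port not in (sport, dport)):
            continue
        if bool(rx.search(data.decode("latin-1"))) != invert:  # invert mimics -v
            hits.append((name, sport, dport, data))
    return hits

# Constructed sample traffic (not a real capture) covering several of the examples above.
PACKETS = [
    ipv4(6, "10.0.0.5", "10.0.0.25", tcp(40000, 25, b"MAIL FROM:<alice@example.test>\r\n")),
    ipv4(6, "10.0.0.5", "10.0.0.25", tcp(40000, 25, b"RCPT TO:<bob@example.test>\r\n")),
    ipv4(6, "10.0.0.21", "10.0.0.5", tcp(21, 40001, b"220 ftpd ready\r\n")),
    ipv4(17, "10.0.0.5", "10.0.0.53", udp(5353, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x04test\x00\x00\x01\x00\x01")),
    ipv4(1, "10.0.0.7", "10.0.0.5", icmp_echo(b"abcdefghijklmnopqrstuvwabcdefghi")),
]
```

Calling ngrep_like(PACKETS, "rcpt to|mail from", proto="tcp", port=25, ignore_case=True) returns the two SMTP envelope lines, while the same call without ignore_case returns nothing, which is why the article's SMTP example needs -i.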
Links:
  WinPcap: Brings Unix Network Tools to Windows