- Added an upper limit on the size of packets that ngrep will look at (the -S limitlen option). Useful for looking at only the first N bytes of packets without changing the BPF snaplen.
- Support for the IEEE 802.11 Wireless link type was added.
- ngrep now recognizes the flags associated with TCP ECN Congestion Notification ("C" and "E").
- After a few informative discussions about ngrep's license with various people over the last year, I've decided to relax what were deemed overly restrictive terms of the license. NOTE: ngrep itself is free (as in beer) open-source software. ngrep can link against the (superior in terms of speed) GNU regex library, which will trigger copyleft restrictions and make the entire resulting binary GPL, or it can link against the Perl Compatible Regular Expression library (PCRE), which is free (as in beer) software and which does not impact the licensing terms of ngrep itself.
- Previous versions assumed the LOOP and SLL link types were defined and available, but older versions of libpcap were missing them. The configure script was updated to autodetect them, as well as to detect and support the IEEE 802.11 link type.
- On UNIX, ngrep now drops its own privileges to a safe user ("nobody" by default). The username can be overridden with the "--safe-user" configure option.
- Added a few headers that enable compiling on more platforms.
- Version 1.40 of ngrep-win32 was compiled with an older winpcap release, which led to a large number of people experiencing problems using ngrep-win32 over the last year or two. Simply recompiling it with the latest winpcap appears to have eliminated the problems (adaptor not found: no error, etc.) altogether.
```text
ngrep <-hXViwqpevxlDtT> <-IO pcap_dump> <-n num> <-d dev> <-A num>
      <-s snaplen> <-S limitlen> <match expression>
      <bpf filter>
  -h  is help/usage
  -X  is interpret match expression as hexadecimal
  -V  is version information
  -i  is ignore case
  -w  is word-regex (expression must match as a word)
  -q  is be quiet
  -p  is don't go into promiscuous mode
  -e  is show empty packets
  -v  is invert match
  -x  is print in alternate hexdump format
  -l  is make stdout line buffered
  -D  is replay pcap_dumps with their recorded time intervals
  -t  is print timestamp every time a packet is matched
  -T  is print delta timestamp every time a packet is matched
  -s  is set the bpf caplen
  -S  is set the limitlen on matched packets
  -O  is dump matched packets in pcap format to pcap_dump
  -I  is read packet stream from pcap format file pcap_dump
  -n  is look at only num packets
  -d  is use a device different from the default (pcap)
  -A  is dump num packets after a match
  <match expression> is either an extended regular expression or a
                     hexadecimal string. see the man page for more
                     information.
  <bpf filter> is any bpf filter statement.
```
- `ngrep -qd eth1 'www' tcp port 80`: Be quiet, look only at tcp packets with either source or dest port 80 on interface eth1, and look for anything matching 'www'.
- `ngrep -qd le0 in-addr port 53`: Look at all packets with either source or dest port 53 on interface le0 that match 'in-addr'. Be quiet.
- `ngrep 'USER|PASS' tcp port 21`: Look only at tcp packets with either source or dest port 21, and look for anything resembling an FTP login.
- `ngrep -wi 'user|pass' tcp port 21`: Look at tcp packets with either source or dest port 21 that match either 'user' or 'pass' (case insensitively) as a word.
- `ngrep -wiA 2 'user|pass' tcp port 21`: Alternatively, match either 'user' or 'pass' case insensitively, and dump the next 2 packets following (that match the bpf filter).
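The examples above combine a BPF filter with a match expression and a handful of modifiers (-i, -w, -v, -X, -S, -A). To make those semantics concrete, here is an added Python model of that matching pipeline run over constructed in-memory packets; it is an illustration written for this page, not ngrep's own code, and its handling of the -A window (a new match re-arms the window) is this example's assumption rather than a description of ngrep internals. The `Packet`, `port_filter` and `ngrep` names are hypothetical.

```python
"""ngrep-style payload matching, modelled in Python (added example, not ngrep's code)."""
import re
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes


def port_filter(proto: str, port: int) -> Callable[[Packet], bool]:
    """Model of the BPF expression '<proto> port N': either endpoint may hold the port."""
    return lambda p: p.proto == proto and port in (p.sport, p.dport)


def compile_match(expr: str, hexadecimal=False, ignore_case=False, word=False):
    """Build the match expression the way the -X, -i and -w flags modify it."""
    if hexadecimal:
        # -X: the expression is a hex byte string, searched for literally
        pattern = re.escape(bytes.fromhex(expr))
    else:
        pattern = expr.encode()
    if word:
        # -w: the expression must match as a whole word
        pattern = rb"\b(?:" + pattern + rb")\b"
    return re.compile(pattern, re.IGNORECASE if ignore_case else 0)


def ngrep(packets, expr, bpf=lambda p: True, hexadecimal=False, ignore_case=False,
          word=False, invert=False, limitlen=None, after=0) -> List[int]:
    """Return the indices of the packets that would be printed under these options."""
    rx = compile_match(expr, hexadecimal, ignore_case, word)
    shown = []
    window = 0  # packets still owed to the -A option
    for i, p in enumerate(packets):
        if not bpf(p):
            continue  # the BPF filter is applied before any regex work
        data = p.payload if limitlen is None else p.payload[:limitlen]  # -S: cap bytes examined
        hit = bool(rx.search(data))
        if invert:  # -v
            hit = not hit
        if hit:
            shown.append(i)
            window = after  # -A: (re-)arm the after-match window (this example's assumption)
        elif window > 0:
            shown.append(i)
            window -= 1
    return shown


# Constructed sample traffic: a cleartext FTP login on port 21 and one HTTP request on port 80.
SAMPLE = [
    Packet("tcp", 40001, 21, b"USER alice\r\n"),
    Packet("tcp", 21, 40001, b"331 Password required for alice\r\n"),
    Packet("tcp", 40001, 21, b"PASS s3cret\r\n"),
    Packet("tcp", 21, 40001, b"230 Login successful\r\n"),
    Packet("tcp", 40002, 80, b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
]
FTP = port_filter("tcp", 21)


def ftp_login_plain():        # ngrep 'USER|PASS' tcp port 21
    return ngrep(SAMPLE, "USER|PASS", FTP)

def ftp_login_ci_noword():    # ngrep -i 'user|pass' tcp port 21 (also hits "Password")
    return ngrep(SAMPLE, "user|pass", FTP, ignore_case=True)

def ftp_login_word():         # ngrep -wi 'user|pass' tcp port 21
    return ngrep(SAMPLE, "user|pass", FTP, ignore_case=True, word=True)

def ftp_login_after():        # ngrep -wiA 2 'user|pass' tcp port 21
    return ngrep(SAMPLE, "user|pass", FTP, ignore_case=True, word=True, after=2)

def www_on_80():              # ngrep -q 'www' tcp port 80
    return ngrep(SAMPLE, "www", port_filter("tcp", 80))

def limitlen_demo(n):         # ngrep -S n 'alice' tcp port 21
    return ngrep(SAMPLE, "alice", FTP, limitlen=n)

def hex_demo():               # ngrep -X '50415353' tcp port 21  (hex for "PASS")
    return ngrep(SAMPLE, "50415353", FTP, hexadecimal=True)


if __name__ == "__main__":
    for name, fn in [("plain", ftp_login_plain), ("-i", ftp_login_ci_noword),
                     ("-wi", ftp_login_word), ("-wiA 2", ftp_login_after),
                     ("www:80", www_on_80), ("-S 4", lambda: limitlen_demo(4)),
                     ("-X", hex_demo)]:
        print(f"{name:8} -> packets {fn()}")
```

Running it shows why the page's FTP examples add -w: with -i alone, 'pass' also matches the server's "331 Password required" reply, whereas -wi matches only the USER and PASS commands themselves. The -S case shows that capping the examined bytes at 4 hides 'alice' even though the packet still carries it, which is the trade-off the limitlen option makes.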
| Unix: Source | Unix: Binary |
|---|---|
| ngrep-1.41.tar.bz2 (?k) | ngrep-1.41-linux-elf-static.bz2 (?k) |
| ngrep manpage (?k) | ngrep-1.41-1.i386.rpm (?k) |

| Windows: Source | Windows: Binary |
|---|---|
| ngrep-1.41-win32-full.zip (?k) (M$ Visual C++ project + binary) | ngrep-1.41-win32-bin.zip (?k) (Win32 binary only) |
Please email the author a small note if you successfully compile ngrep on any platform not listed below.