ngrep




SYNOPSIS

       ngrep <-hXViwqpevxlDtT> <-IO pcap_dump> <-n num> <-d dev> <-A num>
             <-s snaplen> <match expression> <bpf filter>


DESCRIPTION

       ngrep strives to provide most of GNU grep's common features,
       applying them to the network layer.  ngrep is a pcap-aware
       tool that will allow you to specify extended regular
       expressions to match against data payloads of packets.  It
       currently recognizes TCP, UDP and ICMP across Ethernet, PPP,
       SLIP, FDDI and null interfaces, and understands bpf filter
       logic in the same fashion as more common packet sniffing
       tools, such as tcpdump(8) and snoop(1).


OPTIONS

       -h     Display help/usage information.

       -X     Treat the match expression as a hexadecimal string.
              See the explanation of match expression below.

       -V     Display version information.

       -i     Ignore case for the regex expression.

       -w     Match the regex expression as a word.

       -q     Be  quiet;  don't output any information other than
              packet headers and their payloads (if relevant).

       -p     Don't put the interface into promiscuous mode.

       -e     Show empty packets.  Normally empty packets are
              discarded because they have no payload to search.
              If specified, empty packets will be shown, regardless
              of the specified regex expression.

       -v     Invert the match; only display packets that don't
              match.

       -t     Print a timestamp in the form of YYYY/MM/DD
              HH:MM:SS.UUUUUU every time a packet is matched.

       -T     Print a timestamp in the form of +S.UUUUUU,
              indicating the delta between packet matches.

       -s snaplen
              Set the bpf caplen to snaplen (default 65536).

       -I pcap_dump
              Input file pcap_dump into ngrep.   Works  with  any
              pcap-compatible  dump  file format.  This option is
              useful for searching for a wide range of  different
              patterns over the same packet stream.

       -O pcap_dump
              Output  matched  packets  to a pcap-compatible dump
              file.  This feature does not interfere with  normal
              output to stdout.

       -n num Match only num packets total, then exit.

       -d dev By default ngrep will select a default interface to
              listen on.  Use this option to force ngrep to listen
              on interface dev.

       -A num Dump num packets of trailing context after matching
              a packet.

        match expression
              A match expression is either an extended regular
              expression, or if the -X option is specified, a
              string signifying a hexadecimal value.  An extended
              regular expression follows the rules as implemented
              by the GNU regex library.  Hexadecimal expressions
              can optionally be preceded by `0x'.  E.g.,
              `DEADBEEF', `0xDEADBEEF'.
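As an added illustration (not code from the ngrep man page or from ngrep itself), the following Python sketch implements the match-expression semantics just described: a -X hexadecimal expression, with or without the `0x' prefix, is matched as raw bytes rather than as the text of its hex digits, and the -i, -w, -v and -e behaviours from the option list are applied on top. The `\b` approximation of -w word matching and the sample payloads are assumptions of this sketch.

```python
import re

def compile_match(expr, hexadecimal=False, ignore_case=False, word=False):
    """Build the regex ngrep would run over a packet payload.
    hexadecimal (-X): expr is a hex string, optionally '0x'-prefixed, and is
    matched as raw bytes, not as the ASCII text of the hex digits.
    ignore_case (-i) and word (-w) mirror those options; word matching is
    approximated here with \\b boundaries (an assumption of this sketch)."""
    if hexadecimal:
        digits = expr[2:] if expr.lower().startswith("0x") else expr
        pattern = re.escape(bytes.fromhex(digits))
    else:
        pattern = expr.encode("latin-1")
    if word:
        pattern = rb"\b(?:" + pattern + rb")\b"
    return re.compile(pattern, re.IGNORECASE if ignore_case else 0)

def packet_selected(payload, regex, invert=False, show_empty=False):
    """Decide whether ngrep prints a packet: empty payloads are discarded
    unless -e (show_empty) is set, in which case they are shown regardless
    of the expression, and -v (invert) flips the result of the search."""
    if not payload:
        return show_empty
    return (regex.search(payload) is not None) != invert

# Constructed sample payloads (not captured traffic).
HTTP = b"GET /login?user=admin HTTP/1.0\r\nHost: example.test\r\n"
BINARY = b"\x00\x01\xde\xad\xbe\xef\x02"

if __name__ == "__main__":
    hexrx = compile_match("0xDEADBEEF", hexadecimal=True)
    print(packet_selected(BINARY, hexrx))                # True: raw bytes
    print(packet_selected(b"DEADBEEF", hexrx))            # False: ASCII text
    wordrx = compile_match("user", word=True)
    print(packet_selected(HTTP, wordrx))                  # True: 'user='
    print(packet_selected(b"username=x", wordrx))         # False: inside word
    print(packet_selected(b"", wordrx, show_empty=True))  # True: -e
```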

        bpf filter
              Selects a filter that specifies what packets will
              be dumped.  If no bpf filter is given, all IP packets
              seen on the selected interface will be dumped.
              Otherwise, only packets for which bpf filter is
              `true' will be dumped.

              `dst net 1.2.3', `src or dst port ftp-data'.  If
              there is no dir qualifier, src or dst is assumed.
              For `null' link layers (i.e. point to point protocols
              such as slip) the inbound and outbound qualifiers
              can be used to specify a desired direction.

       proto  qualifiers  are  restricted  to  ip-only protocols.
              Possible protos are: tcp ,  udp  and  icmp.   e.g.,
              `udp  src  foo'  or  `tcp port 21'.  If there is no
              proto qualifier, all protocols consistent with  the
              type  are  assumed.   E.g., `src foo' means `ip and
              ((tcp or udp) src foo)', `net bar'  means  `ip  and
              (net  bar)',  and  `port 53' means `ip and ((tcp or
              udp) port 53)'.

       In addition to the above, there are some special `primitive'
       keywords that don't follow the pattern: gateway, broadcast,
       less, greater and arithmetic expressions.  All of these are
       described below.

       More  complex filter expressions are built up by using the
       words and, or and not to combine primitives.  E.g.,  `host
       blort  and  not  port ftp and not port ftp-data'.  To save
       typing, identical qualifier lists can be  omitted.   E.g.,
       `tcp  dst  port  ftp or ftp-data or domain' is exactly the
       same as `tcp dst port ftp or tcp dst port ftp-data or  tcp
       dst port domain'.

       Allowable primitives are:

       dst host host
              True  if  the IP destination field of the packet is
              host, which may be either an address or a name.

       src host host
              True if the IP source field of the packet is  host.

       host host
              True  if either the IP source or destination of the
              packet is host.  Any of the above host  expressions
              can  be  prepended  with  the keywords, ip, arp, or
              rarp as in:
                   ip host host
              which is equivalent to:

       ether dst ehost
              True if the ethernet destination address is ehost.

              but neither the IP source nor the IP destination
              was host.  Host must be a name and must be found in
              both /etc/hosts and /etc/ethers.  (An equivalent
              expression is
                   ether host ehost and not host host
              which can be used with either names or numbers for
              host / ehost.)

       dst net net
              True  if  the  IP destination address of the packet
              has a network number of net. Net may  be  either  a
              name  from  /etc/networks  or a network number (see
              networks(4) for details).

       src net net
              True if the IP source address of the packet  has  a
              network number of net.

       net net
              True if either the IP source or destination address
              of the packet has a network number of net.

       net net mask mask
              True if the IP address matches net with the specific
              netmask.  May be qualified with src or dst.

       net net/len
              True  if  the  IP address matches net a netmask len
              bits wide.  May be qualified with src or dst.

       dst port port
              True if the packet is ip/tcp or ip/udp  and  has  a
              destination  port value of port.  The port can be a
              number or a name used in /etc/services (see tcp(4P)
              and  udp(4P)).   If  a  name is used, both the port
              number and protocol are checked.  If  a  number  or
              ambiguous  name  is  used,  only the port number is
              checked  (e.g.,  dst  port  513  will  print   both
              tcp/login  traffic  and  udp/who  traffic, and port
              domain will print both  tcp/domain  and  udp/domain
              traffic).

       src port port
              True if the packet has a source port value of port.

       less length
              True if the packet has a length less than or equal
              to length.  This is equivalent to:
                   len <= length.

       greater length
              True if the packet has a length greater than or
              equal to length.  This is equivalent to:
                   len >= length.

       ip proto protocol
              True if the packet is an ip packet (see ip(4P))  of
              protocol  type  protocol.  Protocol can be a number
              or one of the names tcp, udp or  icmp.   Note  that
              the  identifiers  tcp and udp are also keywords and
              must be escaped via backslash (\), which is  \\  in
              the C-shell.

       ip broadcast
              True if the packet is an IP broadcast packet.  It
              checks for both the all-zeroes and all-ones broadcast
              conventions, and looks up the local subnet mask.

       ip multicast
              True if the packet is an IP multicast packet.

       ip     Abbreviation for:
                   ether proto ip

       tcp, udp, icmp
              Abbreviations for:
                   ip proto p
              where p is one of the above protocols.

       expr relop expr
              True if the relation holds, where relop is  one  of
              >,  <,  >=,  <=,  =,  !=, and expr is an arithmetic
              expression composed of integer constants (expressed
              in  standard C syntax), the normal binary operators
              [+, -, *, /, &, |], a length operator, and  special
              packet  data  accessors.  To access data inside the
              packet, use the following syntax:
                   proto [ expr : size ]
              Proto is one of ip, tcp, udp or icmp, and indicates
              the  protocol  layer  for the index operation.  The
              byte offset, relative  to  the  indicated  protocol
              layer,  is  given  by  expr.   Size is optional and
              indicates the number  of  bytes  in  the  field  of
              interest;  it  can be either one, two, or four, and

              A  parenthesized  group of primitives and operators
              (parentheses are special to the Shell and  must  be
              escaped).

              Negation (`!' or `not').

              Concatenation (`&&' or `and').

              Alternation (`||' or `or').

       Negation has highest precedence.  Alternation and
       concatenation have equal precedence and associate left to
       right.  Note that explicit and tokens, not juxtaposition,
       are now required for concatenation.
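An added worked example (not from the man page or from ngrep) of the `proto [ expr : size ]' accessor and `expr relop expr' semantics described above, evaluated against a constructed IPv4/TCP packet: the byte offset counts from the start of the named layer, so tcp[13] is the TCP flags byte no matter how long the IP header is. The left-to-right folding without parentheses, the whitespace-separated tokens and the sample packet are simplifications made here.

```python
import re
import struct

# Constructed IPv4/TCP packet (raw IP, no link-layer header): a 20-byte IP
# header (IHL 5, protocol 6, total length 40) followed by a 20-byte TCP
# header whose flags byte, offset 13 within the TCP layer, is 0x12 (SYN+ACK).
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x12, 8192, 0, 0)
SYNACK = IP_HDR + TCP_HDR

ACCESSOR = re.compile(r"(ip|tcp|udp|icmp)\[(\d+)(?::([124]))?\]")
RELOP = re.compile(r"(>=|<=|!=|>|<|=)")
BINOPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b,
          "*": lambda a, b: a * b, "/": lambda a, b: a // b,
          "&": lambda a, b: a & b, "|": lambda a, b: a | b}
RELOPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b,
          ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
          "=": lambda a, b: a == b, "!=": lambda a, b: a != b}

def fetch(pkt, proto, offset, size=1):
    """proto[offset:size]: ip[...] indexes from byte 0, while tcp/udp/icmp
    [...] index from the end of the IP header (IHL * 4).  Big-endian."""
    base = 0 if proto == "ip" else (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[base + offset:base + offset + size], "big")

def term(pkt, tok):
    m = ACCESSOR.fullmatch(tok)
    if m:
        return fetch(pkt, m.group(1), int(m.group(2)), int(m.group(3) or 1))
    return int(tok, 0)                  # decimal or 0x-prefixed hex constant

def arith(pkt, side):
    """One side of the relation: terms joined by the binary operators above,
    folded left to right (no parentheses; an assumption of this demo)."""
    toks = side.split()
    acc = term(pkt, toks[0])
    for op, tok in zip(toks[1::2], toks[2::2]):
        acc = BINOPS[op](acc, term(pkt, tok))
    return acc

def holds(pkt, expression):
    """Evaluate 'expr relop expr', e.g. 'tcp[13] & 2 != 0' (SYN flag set)."""
    left, relop, right = RELOP.split(expression, maxsplit=1)
    return RELOPS[relop](arith(pkt, left), arith(pkt, right))

if __name__ == "__main__":
    for f in ("tcp[13] & 2 != 0", "tcp[2:2] = 80", "ip[0] & 0xf != 5"):
        print(f, "->", holds(SYNACK, f))        # True, True, False
```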

       If an identifier is given  without  a  keyword,  the  most
       recent keyword is assumed.  For example,
            not host vs and ace
       is short for
            not host vs and host ace
       which should not be confused with
            not ( host vs or ace )
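As an added example (not from the man page or from tcpdump/ngrep), a small Python expander that makes the "most recent keyword is assumed" rule explicit by rewriting a filter into its fully qualified form, so the two readings of `not host vs and ace' can be compared side by side. The keyword set and the treatment of `src or dst' as a single dir qualifier are assumptions of this sketch; it does not handle parentheses or arithmetic expressions.

```python
import re

# Keywords that qualify or stand in for an identifier (type, dir and proto
# qualifiers plus the keyword-only primitives listed above); any other token
# is taken to be an identifier such as a host, net, port or number.
KEYWORDS = {"host", "net", "port", "src", "dst", "ether", "ip", "arp", "rarp",
            "tcp", "udp", "icmp", "proto", "gateway", "mask", "less",
            "greater", "broadcast", "multicast"}
CONNECTIVES = {"and", "or", "not", "&&", "||", "!"}

def expand(filter_text):
    """Rewrite a bpf filter so each identifier carries its own qualifier
    keywords, following 'if an identifier is given without a keyword, the
    most recent keyword is assumed'.  'src or dst' / 'src and dst' are
    treated as one dir qualifier.  Assumption of this demo: no parentheses
    and no arithmetic expressions in the filter."""
    text = re.sub(r"\bsrc (or|and) dst\b", r"src_\1_dst", filter_text)
    out, pending, last = [], [], []
    for tok in text.split():
        if tok in CONNECTIVES:
            out.extend(pending)       # keywords with no identifier, e.g. 'tcp'
            out.append(tok)
            pending = []
        elif tok in KEYWORDS or tok.startswith("src_"):
            pending.append(tok)
        else:                         # an identifier
            if pending:
                last = pending        # remember the qualifiers it was given
            out.extend(last + [tok])  # otherwise reuse the most recent ones
            pending = []
    out.extend(pending)
    return (" ".join(out).replace("src_or_dst", "src or dst")
                         .replace("src_and_dst", "src and dst"))

if __name__ == "__main__":
    for f in ("tcp dst port ftp or ftp-data or domain", "not host vs and ace"):
        print(f, "->", expand(f))
```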

       Expression  arguments  can  be passed to ngrep as either a
       single argument or as  multiple  arguments,  whichever  is
       more  convenient.   Generally,  if the expression contains
       Shell metacharacters, it is easier to pass it as a single,
       quoted argument.  Multiple arguments are concatenated with
       spaces before being parsed.


DIAGNOSTICS

       Errors from ngrep, libpcap, and the GNU regex library  are
       all output to stderr.


AUTHOR

       Written by Jordan Ritter <jpr5@darkridge.com>.


REPORTING BUGS

       Send bug reports to the author.


NOTES

       ALL YOUR BASE ARE BELONG TO US.
