Monitor network traffic with ngrep

Linux admins should check out the ngrep tool for monitoring network traffic. Here is an overview of this utility.

When it comes to network monitoring, there are a number of available tools out there. However, one tool that administrators often overlook is the network grep (ngrep) tool.

As a network sniffer or monitor, ngrep is very similar in some respects to tcpdump, but it's somewhat different because you can use grep-style syntax to filter what you want.

Ngrep's most basic use is to listen to all traffic on an interface. However, you can extend this quite a bit to narrow down what you're looking for. Ngrep's syntax is similar to that of tcpdump. Here's an example:

$ ngrep port 80 and src host and dst host

This monitors all traffic on port 80 from the host to the host

If you're interested in watching Telnet traffic, you can do so using ngrep. You can make it only return traffic that shows a login string by using grep-style syntax. Here's an example:

$ ngrep -q -t -wi "login" port 23

This tells ngrep to look for the string "login" as a word (without case sensitivity) on port 23 for any connection. In this case, ngrep operates in quiet mode so it only prints out matches. In addition, it timestamps them (as designated by the -t option).

Used in conjunction with tcpdump, ngrep can also be very valuable for searching standard pcap dump files to look for patterns. If you have a large dump file from tcpdump, you can use ngrep to examine it by using standard ngrep commands and issuing it an input file with the -I parameter. Here's an example:

$ ngrep -wi "login" port 23 -I /tmp/packet.dump

Vincent Danen, a native Canadian in Edmonton, Alberta, has been using Linux for nearly two years. Vincent obtained his Linux Administrator certification from, and he hopes to tackle the RHCE when it is offered in Canada.