ngrep - network grep

Jordan Ritter <>

1.43 (2/23/05)


ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP, ICMP, IGMP and Raw protocols across Ethernet, PPP, SLIP, FDDI, Token Ring, 802.11 and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

What's New:
  1. Healed the win32 code fork: ngrep now builds from the same source tree for all platforms including Windows

  2. Re-wrote the privilege revocation logic after problems were reported with the SPC version, and removed non-root drop_privs capability altogether

  3. Fix off-by-one bug which caused ngrep to exit 1 packet early when ``-A'' was invoked

  4. Fixed problematic configtest for old broken-redhat-glibc UDP header

  5. ngrep now sets a pcap filter "ip" by default, if one is not specified

  6. Header offset fix to 802.11 processing

  7. Support IGMP and Raw (unknown IP protocol) type packets

  8. Support for latest versions of libpcap (0.8.3) and winpcap (3.1 beta 4)

  9. Updated configure to autoconf 2.59, and config.guess and config.sub to latest versions

  10. Updated PCRE from 3.4 to 5.0

  11. Updated the various documentation

  12. And various minor changes and updates to improve ngrep

How to use ngrep:

ngrep has traditionally been used to debug plaintext protocol interactions such as HTTP, SMTP, FTP, etc., to identify and analyze anomalous network communications such as those between worms, viruses and/or zombies, and to store, read and reprocess pcap dump files while looking for specific data patterns. On the other hand, it can be used to do the more mundane plaintext credential collection as with HTTP Basic Authentication, FTP or POP3 authentication, and so forth. Like all useful tools, it can be used for good and bad.

Visit the Usage Section and learn more about how ngrep works and can be leveraged to see all sorts of neat things.

Getting ngrep:

Please visit the Download Section to check if your platform is supported and to download source or precompiled binaries.

Please note that ngrep relies upon the pcap library, which can be downloaded from for the UNIX version and for the Win32 version. See the INSTALL.txt documentation contained inside the Source Package for more detailed installation instructions.

Providing Feedback:

To report bugs please use the Bug Tracker. To submit a feature request please use the RFE Tracker. Finally, to submit any patches please use the Patch Manager. For all other feedback items, please email the author directly.