What is Ngrep?
We might want to analyze our network traffic for many reasons: during or after an attack, or simply out of curiosity. Because of this, there are tools that make the job easier. Ngrep is the network version of the ordinary grep we already know: it matches patterns against the payload of packets on the wire, so it can be used to track and analyze HTTP, SMTP, FTP and other traffic.
This shows all of the traffic on port 80; the network interface is chosen with -d (eth0, wlan0, etc.).
This raw output looks quite confusing, so we add another parameter to make it easier to read.
To see all the SMTP traffic:
Ngrep supports BPF filter syntax, so you can filter by host, network, port, destination and source, and combine those terms with the operators "and", "or" and "not".
We are seeing the packets to or from 188.8.131.52 that have 1234 or 4321 as their source or destination port. Let's try it with a specific source IP and destination this time.
We are seeing the packets that go from 192.168.1.212 to 192.168.1.54 from port 4444. Now let's look at the packets that have 192.168.1.212 as their source but do not have 192.168.1.54 as their destination.
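To make the filter semantics concrete without needing root or a live interface, here is an added example (not code from the original post or from the ngrep project) that models what ngrep does: a small BPF-style filter parser for the `host`/`net`/`port` primitives with `src`/`dst` qualifiers and `and`/`or`/`not`, applied together with a payload regex to a constructed, hypothetical packet list. It goes slightly beyond the page by also resolving a service name such as `http` to its port number, the way the later command on this page does. The addresses, ports and payloads are made up for illustration; the `Packet` class, `compile_filter` and `ngrep_like` names are this example's own.

```python
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Constructed sample capture (hypothetical addresses, not real traffic).
SAMPLE_CAPTURE = [
    Packet("192.168.1.212", 4444, "192.168.1.54", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    Packet("192.168.1.54", 80, "192.168.1.212", 4444, b"HTTP/1.1 200 OK\r\n"),
    Packet("192.168.1.212", 1234, "10.0.0.9", 25, b"MAIL FROM:<user@example.test>\r\n"),
    Packet("10.0.0.9", 25, "192.168.1.212", 1234, b"250 OK\r\n"),
    Packet("192.168.1.77", 4321, "192.168.1.54", 443, b"\x16\x03\x01\x00"),
]

# Fallback service table, used when /etc/services is unavailable on the host.
SERVICES = {"ftp": 21, "smtp": 25, "http": 80, "https": 443}

Matcher = Callable[[Packet], bool]


def service_port(name: str) -> int:
    """Resolve 'http' -> 80, mirroring how a service name can replace a port number."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name)
    except OSError:
        return SERVICES[name]


def _primitive(direction: Optional[str], kind: str, value: str) -> Matcher:
    """Build a matcher for one primitive: [src|dst] host|net|port VALUE."""
    if kind == "host":
        checks = lambda p: {"src": p.src == value, "dst": p.dst == value}
    elif kind == "net":
        net = ipaddress.ip_network(value, strict=False)
        checks = lambda p: {"src": ipaddress.ip_address(p.src) in net,
                            "dst": ipaddress.ip_address(p.dst) in net}
    elif kind == "port":
        port = service_port(value)
        checks = lambda p: {"src": p.sport == port, "dst": p.dport == port}
    else:
        raise ValueError(f"unknown primitive {kind!r}")
    if direction:
        return lambda p: checks(p)[direction]
    return lambda p: any(checks(p).values())  # bare 'host X' means src OR dst


def compile_filter(expr: str) -> Matcher:
    """Recursive-descent parser for the BPF subset used above.
    Precedence mirrors BPF: 'not' binds tightest, then 'and', then 'or'."""
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek() -> Optional[str]:
        return toks[pos] if pos < len(toks) else None

    def take() -> str:
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of filter expression")
        pos += 1
        return toks[pos - 1]

    def parse_or() -> Matcher:
        left = parse_and()
        while peek() == "or":
            take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, parse_and())
        return left

    def parse_and() -> Matcher:
        left = parse_not()
        while peek() == "and":
            take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, parse_not())
        return left

    def parse_not() -> Matcher:
        if peek() == "not":
            take()
            inner = parse_not()
            return lambda p: not inner(p)
        if peek() == "(":
            take()
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        direction = take() if peek() in ("src", "dst") else None
        return _primitive(direction, take(), take())

    if not toks:
        return lambda p: True  # no filter: every packet is a candidate
    result = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return result


def ngrep_like(pattern: str, bpf: str, packets: List[Packet], ignore_case: bool = False) -> List[int]:
    """Indices of packets that pass the filter AND whose payload matches the regex."""
    regex = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    keep = compile_filter(bpf)
    return [i for i, p in enumerate(packets) if keep(p) and regex.search(p.payload)]


if __name__ == "__main__":
    for bpf in ("port http", "src host 192.168.1.212 and not dst host 192.168.1.54"):
        print(f"{bpf!r}: {ngrep_like('', bpf, SAMPLE_CAPTURE)}")
```

The three filters from the page map directly onto this grammar: `host 188.8.131.52 and (port 1234 or port 4321)`, `src host 192.168.1.212 and dst host 192.168.1.54 and src port 4444`, and `src host 192.168.1.212 and not dst host 192.168.1.54`. Note that a bare `host` or `port` matches either direction, which is why the explicit `src`/`dst` qualifiers matter when you are chasing one side of a conversation.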
Recording the Traffic
As you can see, I wrote http in the port position: you can give the port as a service name instead of a number.
You can open the previously saved capture file with the command below.