Touch The Technology

Network Analysis: Using ngrep

What is Ngrep?

We might want to analyze our network traffic for many reasons: during or after an attack, or simply out of curiosity. There are tools that make this job easier. ngrep is grep for the network: it applies a regular expression (or a hex pattern) to the payload of live or captured packets, and it is used to track and analyze HTTP, SMTP, FTP and other plaintext protocols. It only sees what is on the wire, so encrypted traffic such as HTTPS will not yield readable matches.


 apt install ngrep


 ngrep -d any port 80

This shows all traffic on port 80. The -d option selects the capture interface (eth0, wlan0 etc.); `any` is a pseudo-interface that captures on all of them. Capturing needs root (or CAP_NET_RAW), so run it with sudo.

This output is hard to read because each payload is printed as one run of text. Adding -W byline keeps the newlines inside the payload, which makes line-oriented protocols such as HTTP readable again (the option names are lowercase in the ngrep man page):

 ngrep -d any -W byline port 80

To see all the SMTP traffic:

 ngrep -d any port 25

ngrep supports BPF (Berkeley Packet Filter) syntax, the same filter language tcpdump uses, so you can filter on host, net, port, src and dst and combine them with and, or and not. Note that in BPF, not binds tightest while and and or have equal precedence and associate left to right, so when you mix them, add parentheses and quote the filter so the shell does not interpret them.

 ngrep -d wlan0 port 1234 or 4321 and host

This shows packets whose source or destination port is 1234 or 4321 and whose source or destination address is the given host. Let's try it with a specific source and destination address this time.

 ngrep -d wlan0 port 4444 and src and dst

This shows packets on port 4444 that go from the given source address to the given destination address. Now let's look at packets that have the given source address but not the given destination address; in BPF the negation goes before the qualifier (not dst), not after it:

 ngrep -d wlan0 port 54321 and src and not dst

Recording the Traffic

ngrep -O /root/http.dump -d any port http

The -O option writes the matching packets to the given file in pcap format. As you can see, I wrote http in the port section: a service name from /etc/services can be used in place of a port number.

You can replay a previously saved file with -I, which applies the same regex and BPF filter to the recorded packets instead of a live interface. Because the file is a normal pcap, tcpdump and Wireshark can open it as well.

 ngrep -I file_name
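To make the recorded file less of a black box, here is an added example (not ngrep's own code) that re-implements the replay step above in miniature: it parses a pcap file, decodes Ethernet/IPv4/TCP or UDP, keeps only packets on a given port (either direction, like the BPF `port` primitive), regex-matches the payload, and prints each hit in the style of `-W byline`. The sample capture is constructed inline (an HTTP request and response on port 80 plus an SMTP greeting on port 25, with fake addresses and zeroed checksums), so nothing here is real traffic; the real tool uses libpcap and supports many more link types and options.

```python
"""Minimal offline stand-in for `ngrep -I file -W byline [-i] <regex> port N`.
Added example, not ngrep's code: handles little-endian Ethernet pcap only."""
import re
import struct
from typing import Iterator, Optional

PCAP_MAGIC = 0xA1B2C3D4      # microsecond pcap, native (here: little-endian) byte order
LINKTYPE_ETHERNET = 1


def pcap_records(data: bytes) -> Iterator[bytes]:
    """Yield each captured frame from a pcap byte string (24-byte global header,
    then 16-byte record headers)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, link = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode(frame: bytes) -> Optional[dict]:
    """Decode Ethernet/IPv4 + TCP or UDP; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    ip = frame[14:14 + total_len]                         # drop Ethernet padding
    proto, l4 = ip[9], ip[ihl:]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    if proto == 6 and len(l4) >= 20:                      # TCP: payload after data offset
        sport, dport = struct.unpack("!HH", l4[:4])
        return dict(proto="T", src=src, dst=dst, sport=sport, dport=dport,
                    flags=l4[13], payload=l4[(l4[12] >> 4) * 4:])
    if proto == 17 and len(l4) >= 8:                      # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        return dict(proto="U", src=src, dst=dst, sport=sport, dport=dport,
                    flags=0, payload=l4[8:])
    return None


def ngrep_file(pcap: bytes, pattern: str, port: Optional[int] = None,
               ignore_case: bool = False) -> list:
    """Return the decoded packets whose payload matches `pattern`,
    restricted to `port` in either direction when one is given."""
    rx = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    hits = []
    for frame in pcap_records(pcap):
        pkt = decode(frame)
        if pkt is None or (port is not None and port not in (pkt["sport"], pkt["dport"])):
            continue
        if rx.search(pkt["payload"]):
            hits.append(pkt)
    return hits


def format_byline(pkt: dict) -> str:
    """Header line plus payload with newlines kept and other non-printables as '.'."""
    flags = "".join(ch for bit, ch in ((0x10, "A"), (0x02, "S"), (0x04, "R"),
                                       (0x01, "F"), (0x20, "U"), (0x08, "P"))
                    if pkt["flags"] & bit)
    header = f'{pkt["proto"]} {pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}'
    if pkt["proto"] == "T":
        header += f" [{flags}]"
    body = "".join(chr(b) if b == 0x0A or 0x20 <= b < 0x7F else "." for b in pkt["payload"])
    return header + "\n" + body


# ---- constructed sample capture: fake addresses, zeroed checksums, not real traffic ----
def _tcp_frame(src, dst, sport, dport, payload: bytes, flags: int = 0x18) -> bytes:
    ip_addr = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip_addr(src), ip_addr(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    _tcp_frame("10.0.0.5", "203.0.113.10", 54321, 80, b"", flags=0x02),       # SYN, no payload
    _tcp_frame("10.0.0.5", "203.0.113.10", 54321, 80,
               b"GET /login?user=admin HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    _tcp_frame("203.0.113.10", "10.0.0.5", 80, 54321,
               b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    _tcp_frame("10.0.0.5", "203.0.113.25", 40000, 25, b"EHLO mail.example.com\r\n"),
])

if __name__ == "__main__":          # same idea as: ngrep -I http.dump -W byline 'GET|POST' port 80
    for hit in ngrep_file(SAMPLE_PCAP, "GET|POST", port=80):
        print(format_byline(hit), "\n")
```

Running it prints only the request frame: the SYN has no payload, the response contains neither GET nor POST, and the SMTP frame is excluded by the port filter. Swap in `ngrep_file(SAMPLE_PCAP, "ehlo", port=25, ignore_case=True)` to see the equivalent of `-i`; without `ignore_case` the uppercase `EHLO` on the wire does not match.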





Melisa Ayşe Demirel | Author - Translator