Touch The Technology


Network Analysis: Ngrep

What is ngrep?

You may want to do network analysis for many reasons: during or after an attack, or just out of curiosity. That’s why there are tools to make analyzing your network easier. Ngrep is the network version of the grep tool. It’s used to capture and analyze any kind of network traffic (HTTP, SMTP, FTP etc.) and match it against a pattern, the way grep matches text.

Install it with:

apt install ngrep


ngrep -d any port 80

Now the tool will print all traffic on port 80. With “-d” we specify the network interface (eth0, wlan0 etc.); “any” listens on all interfaces at once.

This print is kind of messy, isn’t it? We can add another parameter to fix that!

ngrep -d any -W byline port 80

To see all SMTP traffic:

ngrep -d any port 25
(Screenshot: the captured text reads “Hello kernelblog”)

ngrep uses the BPF (Berkeley Packet Filter) filter syntax, the same one tcpdump uses, so you can combine expressions with “and”, “or” and “not” and filter on the host, net, port, src and dst primitives.

ngrep -d wlan0 port 1234 or 4321 and host
(Screenshot: the text on port 1234 reads “Hello from 1234th port”)

We’re seeing packets whose source or destination port is 1234 or 4321 and whose source or destination IP is
Now let’s specify the target IP and port.

ngrep -d wlan0 port 4444 and src and dst

We’re seeing packets going from to on port 4444.
Now let’s look at packets whose source is but whose destination is not

ngrep -d wlan0 port 54321 and src and dst not
(Screenshot: the captured text reads “I am here 🙂”)

Recording the Traffic

ngrep -O /root/http.dump -d any port http

Notice that I wrote http in the port expression: you can specify a port by its service name (as listed in /etc/services), not only by its number.

(Screenshot: example output)

You can read back previously recorded traffic with “-I”, using the same filters and patterns as for a live capture:

ngrep -I file_name
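As an added example that is not part of the original post, here is a small POSIX shell script that post-processes the output of ngrep -W byline, whether from a live capture or replayed from a dump with -I, to list the flows seen and to flag HTTP Basic credentials travelling in the clear on port 80. It assumes the packet header format ngrep prints when run without -t (“T src:port -> dst:port [flags]”); the function names and the embedded sample output are my own constructed values, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the original post: post-process "ngrep -W byline" output.
# Assumes ngrep was run without -t, so each packet header looks like
#   T 10.0.0.5:51234 -> 10.0.0.9:80 [AP]
# (protocol letter, source, "->", destination, TCP flags). The sample below is
# constructed by hand to look like such output; it is not a real capture.

sample_ngrep_output() {
    cat <<'EOF'
interface: any (0.0.0.0/0.0.0.0)
filter: ( port 80 ) and (ip || ip6)
####
T 10.0.0.5:51234 -> 10.0.0.9:80 [AP]
GET /login HTTP/1.1.
Host: intranet.example.
Authorization: Basic Y29uc3RydWN0ZWQ=.
.
##
T 10.0.0.9:80 -> 10.0.0.5:51234 [AP]
HTTP/1.1 200 OK.
Content-Type: text/html.
.
T 10.0.0.7:40000 -> 10.0.0.9:80 [AP]
GET /status HTTP/1.1.
Host: intranet.example.
.
EOF
}

# One line per flow: "<packets> <src:port> -> <dst:port>", sorted so the
# output is stable. Only header lines are counted; payload lines and the "#"
# progress marks ngrep prints for non-matching packets are ignored.
ngrep_flows() {
    awk '/^[TUI] [^ ]+ -> [^ ]+/ { flows[$2 " -> " $4]++ }
         END { for (f in flows) printf "%d %s\n", flows[f], f }' | sort
}

# Report flows carrying HTTP Basic credentials in the clear. The awk script
# remembers the most recent packet header so each hit is tied to its flow;
# the credential value itself is never printed.
flag_cleartext_auth() {
    awk '/^[TUI] [^ ]+ -> [^ ]+/ { flow = $2 " -> " $4; next }
         /^[Aa]uthorization: [Bb]asic / { printf "cleartext Basic auth in %s\n", flow }'
}

# Live use (as root) or replay of a dump recorded with -O; -q suppresses the "#" marks:
#   ngrep -d any -W byline -q port http | ngrep_flows
#   ngrep -I /root/http.dump -W byline -q port http | flag_cleartext_auth
# Offline demo on the constructed sample:
sample_ngrep_output | ngrep_flows
sample_ngrep_output | flag_cleartext_auth
```

Piping a replayed dump through these functions turns a one-off screenshot into a repeatable check: the flow list shows who talked to the web server, and the auth check points at the client that still sends credentials over plain HTTP so it can be moved to HTTPS.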

Good Luck!



Melisa Ayşe Demirel | Author - Translator