How to Use NGREP Command in Linux

Want to learn how to use NGREP command in Linux?

Searching and analyzing internet traffic is an important job of a network engineer. Considering that the main objective of network providers is user satisfaction, these engineers keep check of paramount variables. 

Analyzing network traffic allows them to identify bottlenecks that are possibly slowing the network down, protect the system from malware and cyber attacks, track network usage history, keep the network working smoothly, etc.

There are different commands that we can use to analyze traffic on our computers as well. For example, tcpdump and ngrep are two common commands that are utilized in network analysis. Both of these commands work regardless of the operating system. So, if you have a computer, you can do what thousands of network engineers are doing daily.

Keep in mind, not everyone can understand network traffic as it is expressed and represented in different ways and patterns. However, if you think you are capable of doing it, this article is the place to be if you want to learn how to use ngrep command in Linux. There are different ways to use ngrep and we will guide you through them.

So buckle up for an interesting ride!

Ngrep Command.

Firstly, we will be introducing ngrep to you. Ngrep command or Network grep command searches network traffic for a Regular Expression (regex) pattern or a string. This means that the network traffic is filtered for only the pattern or string we want to see in the output.

Ngrep uses the pcap library for capturing network packets, and the GNU regex library to search for regex patterns in the captured packets. If you understand how network analysis works and the commands familiar with it, then you can say that ngrep is a combination of the tcpdump and the grep command. 

How to Install Ngrep Command on Linux.

The ngrep command is executed similarly to every command on Linux, i.e., on the Command Terminal. As you know, the Command Terminal is available on all Linux distros, so ngrep can be used to search network traffic regardless of your distribution. 

The ngrep command is not built-in. However, the command is available as a repository on all of the mainstream Linux Distros. So, to make use of ngrep, we have to first install it. 

To install ngrep command, follow these steps:

1. Open the Command Terminal.
2. Once opened, type the following command:

$ sudo apt install ngrep

3. The installation process should begin, and you can track the progress as well.

With this, you have installed ngrep on your Linux. Next, we will learn how to use ngrep command in Linux.

How to Use Ngrep Command in Linux.

Now that ngrep is installed, we will explain the different ways you can use it. As stated before, ngrep is used to filter network traffic for the patterns you want to see. So, you can use it in various ways for various strings and patterns. 

The general syntax for ngrep command is:

$ ngrep ‘expression’

For example, to capture all network packets using ngrep, follow these steps:

1. Open the Command Terminal.
2. Once open, type the following command to view all network packets on your screen:

$ sudo ngrep

You should see an output like this on your screen:

This was a simple command that you used to capture every network packet using ngrep. For specific outputs, the command that we will use would not be complex as well.

How to Use Ngrep Command in Linux for Specific Regex.

You already know the syntax. To capture specific regexes and strings, we just need to mention them along with ngrep. For example, if you want to look for ‘icmp’ and other types of traffic, follow these steps: 

1. Open the Terminal.
2. Once open, type the following command:

$ sudo ngrep -q ‘.’ ‘icmp’

The ‘-q‘ in the syntax tells the command to filter out and produce the output quietly. Through this, we will see output containing only packet headers and payloads. 

3. Similarly, you can use ngrep to find hexadecimal combinations as well.

$ sudo ngrep -x hexadecimal expression

In this, the ‘-x‘ is an imperative instructing the command that the output will be in hexadecimal form only. 

4. We can also use ngrep to find traffic going to a host site, such as facebook.com, google.com, yahoo.com, etc.

$ sudo ngrep -q ‘.’ ‘host google.com’

5. You can also see all the network traffic going through a specific port. For example, to capture all the traffic going through SMTP port 25.

$ sudo ngrep port 25

6. Similarly, for port 80.

$ sudo ngrep port 80

7. There is also the option of getting a timestamp for the exact time the respective packet was captured. We can do this using the ‘-t‘ operator.

$ sudo -t port 80

8. To see other relevant information regarding the ngrep command and its manual, use the following command:

$ man ngrep 

These are the different ways you can use the ngrep command for network analysis. However, these examples don’t encompass everything that can be done using the ngrep command. There are other patterns, strings that can be captured, and other operators that you can use to your benefit. 

For example, the ‘-e‘ operator can be used to display empty network packets. Usually, these packets can not be seen because they are empty, but if you use this operator, you can see the empty data packets on your network. 

Another example is the ‘-v‘ operator. This displays network packets that don’t match your regex query mentioned with ngrep. Then, you can use the ‘-p‘ operator, which instructs you not to go into promiscuous mode.

This was a guide where we attempted to instruct you how to use ngrep command in Linux. We hope that you understood the purpose behind the ngrep command and the different ways we can use this command to perform network searches and analyses.

Talking of networks, if you want to set up network bonding on your Ubuntu, this article will guide you perfectly.

If you liked this guide, please share it.  🙂