Constant monitoring and troubleshooting are key to maintaining a network's availability. With ngrep you can analyze network traffic much as you would with other network sniffers; unlike its brethren, however, ngrep matches regular expressions against the payloads of network packets. By combining that string matching with a capture filter, ngrep can watch the packets on specified ports, pick out usernames and passwords crossing the network in the clear, and record every Telnet attempt to a server.

Ngrep is built on the libpcap library, and the pattern to match can also be given as a hexadecimal string rather than a regular expression. It understands TCP, UDP, ICMP, IGMP and raw IP across Ethernet, PPP, SLIP, FDDI, Token Ring, 802.11 and null interfaces. Besides listening to live traffic, ngrep can read and filter previously saved tcpdump (pcap) capture files.
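To make the behaviour described above concrete without a live network, here is an added example (not ngrep's code, and not from the original article) that reimplements ngrep's core idea in Python: walk a pcap file, pull out each TCP payload, and report the packets whose payload matches a regular expression or a hex string, optionally restricted to given ports. The pcap bytes are constructed inline (an FTP login, an HTTP request with basic authentication, and a Telnet option negotiation) so the example runs offline; it assumes classic little-endian pcap with plain Ethernet/IPv4/TCP frames and no fragments, VLAN tags or IPv6, all of which real ngrep handles and this toy does not.

```python
"""ngrep-style payload matching over a pcap byte stream (added example, not ngrep's code)."""
import re
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def parse_pcap(data):
    """Yield (src, sport, dst, dport, payload) for every TCP packet in a classic pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != 1:  # LINKTYPE_ETHERNET; ngrep also handles PPP, SLIP, 802.11, ...
        raise ValueError("only Ethernet link type is handled in this example")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, caplen, _origlen = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        off += caplen
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != IPPROTO_TCP:
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4  # TCP header length in bytes
        yield src, sport, dst, dport, tcp[doff:]


def grep_payloads(data, pattern, ports=None, hex_pattern=False, ignore_case=False):
    """Return matching packets as (src:sport, dst:dport, payload) tuples.

    pattern: a regular expression (ngrep's default), or with hex_pattern=True a hex
    string such as "fffd18" matched as raw bytes (the role of ngrep's -X option).
    ports: optional set of TCP ports; only packets with src or dst port in the set are
    considered, standing in for a BPF filter such as 'tcp port 21'.
    """
    if hex_pattern:
        needle = re.compile(re.escape(bytes.fromhex(pattern)))
    else:
        needle = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    hits = []
    for src, sport, dst, dport, payload in parse_pcap(data):
        if ports and sport not in ports and dport not in ports:
            continue
        if payload and needle.search(payload):
            hits.append((f"{src}:{sport}", f"{dst}:{dport}", payload))
    return hits


# --- constructed sample capture (not real traffic) --------------------------------
def _tcp_frame(src, sport, dst, dport, payload):
    """Build an Ethernet/IPv4/TCP frame; checksums are left zero, which the parser ignores."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + ip


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap([
    _tcp_frame("10.0.0.5", 40001, "10.0.0.9", 21, b"USER alice\r\n"),
    _tcp_frame("10.0.0.9", 21, "10.0.0.5", 40001, b"331 Password required\r\n"),
    _tcp_frame("10.0.0.5", 40001, "10.0.0.9", 21, b"PASS hunter2\r\n"),
    _tcp_frame("10.0.0.5", 40002, "10.0.0.9", 80,
               b"GET / HTTP/1.1\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    _tcp_frame("10.0.0.5", 40003, "10.0.0.9", 23, b"\xff\xfd\x18"),  # Telnet DO TERMINAL-TYPE
])

if __name__ == "__main__":
    # Roughly what 'ngrep -q "^(USER|PASS) " tcp port 21' would print for this capture.
    for a, b, payload in grep_payloads(SAMPLE_PCAP, r"^(USER|PASS) ", ports={21}):
        print(f"T {a} -> {b} [AP]")
        print("  " + payload.decode("latin-1").rstrip())
```

The real tool does the same work from the command line: `ngrep -q -i 'USER|PASS' tcp port 21` for the FTP credentials, `ngrep -X 'fffd18' tcp port 23` for the raw Telnet negotiation bytes, and `ngrep -I capture.pcap 'Authorization: Basic'` to search a saved capture instead of a live interface. The example deliberately matches per packet, as ngrep does; a credential split across two TCP segments would be missed by both.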

Author Jordan Ritter says that ngrep has traditionally been used to debug plaintext protocol interactions such as HTTP, SMTP, and FTP; to identify and analyze anomalous network communications, such as those between worms, viruses, and zombies; and to store, read, and reprocess pcap dump files while looking for specific data patterns.

You can also use ngrep for the more mundane job of collecting plaintext credentials, such as HTTP basic authentication or FTP and POP3 logins. Like any tool, it is useful in the right hands and damaging in those with less than admirable intentions.

The link for this article located at NewsForge is no longer available.