Monitoring network traffic with ngrep
July 27, 2007

There are many tools to monitor network traffic. Wading through lines and lines of tcpdump output can be cumbersome sometimes. ngrep to the rescue. From their website:
ngrep strives to provide most of GNU grep's common features, applying them to the network layer.
To install ngrep on a Mac OS X machine you can use the port command if you have darwinports installed.
macbook:~ sudo port install ngrep
To monitor network traffic using the HTTP protocol use the following command:
macbook:~ sudo ngrep -d en0 -W byline port 80
##
T 66.35.250.209:80 -> 10.200.1.40:50710 [AP]
HTTP/1.1 200 OK.
Date: Fri, 27 Jul 2007 13:45:05 GMT.
Server: Apache/1.3.33 (Unix) PHP/4.3.10.
Last-Modified: Tue, 28 Nov 2006 13:54:21 GMT.
ETag: "219bab-160c-456c3f8d".
Accept-Ranges: bytes.
Content-Length: 5644.
Connection: close.
Content-Type: text/html.
[...]
To monitor the traffic to a certain host include the host information:
macbook:~ sudo ngrep -d en0 -W byline host google.com
Hint: use ifconfig to figure out which device to use (in my case it is en0; it might be eth0, for example, on your machine).
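As an added example (not code from the original post or from the ngrep project), this small Python script mimics what the commands above do, but over a constructed in-memory capture so it runs offline: it decodes Ethernet/IPv4/TCP frames, keeps those involving a given port, applies a regular expression to the payload, and renders matches in the "T src:port -> dst:port" form and the byline style (carriage returns shown as ".") seen in the output above. The addresses, ports and HTTP data are constructed sample values, not a real capture.

```python
import re
import struct

def build_frame(src, sport, dst, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, no checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType 0x0800 (IPv4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload

# Constructed sample capture: an HTTP response, an HTTP request and a non-HTTP packet.
SAMPLE = [
    build_frame("66.35.250.209", 80, "10.200.1.40", 50710,
                b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 (Unix)\r\n"
                b"Content-Type: text/html\r\n\r\n"),
    build_frame("10.200.1.40", 50711, "66.35.250.209", 80,
                b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    build_frame("10.200.1.40", 40000, "10.200.1.1", 53, b"\x12\x34\x01\x00"),
]

def payload_grep(frames, pattern, port=None, byline=True):
    """Return (header, payload) pairs for TCP payloads matching `pattern`,
    like `ngrep -W byline pattern port N` but over already-captured frames."""
    rx = re.compile(pattern)
    hits = []
    for f in frames:
        if f[12:14] != b"\x08\x00" or f[23] != 6:   # IPv4 and TCP only
            continue
        ihl = (f[14] & 0x0F) * 4
        total_len = struct.unpack("!H", f[16:18])[0]
        src = ".".join(map(str, f[26:30]))
        dst = ".".join(map(str, f[30:34]))
        tcp = 14 + ihl
        sport, dport = struct.unpack("!HH", f[tcp:tcp + 4])
        doff = (f[tcp + 12] >> 4) * 4
        data = f[tcp + doff:14 + total_len].decode("latin-1")
        if port is not None and port not in (sport, dport):
            continue
        if not rx.search(data):
            continue
        if byline:  # ngrep -W byline: keep newlines, show other non-printables as '.'
            data = data.replace("\r", ".").rstrip("\n")
        hits.append((f"T {src}:{sport} -> {dst}:{dport}", data))
    return hits

if __name__ == "__main__":
    for header, body in payload_grep(SAMPLE, r"^HTTP/1\.1 200", port=80):
        print(header, body, sep="\n")
```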
Ngrep homepage: http://ngrep.sourceforge.net/
Usage information: http://ngrep.sourceforge.net/usage.html.