[SAFE-ID: JIWO-2025-1455]   Author: ecawen   Published: [2018-04-14]


The ngrep command is the network version of grep (grep is a tool for searching text for strings); it aims to offer as many of grep's features as possible, applied to searching for specific packets. Because ngrep is built on the libpcap library, it supports a large number of operating systems and network protocols. It recognizes TCP, UDP and ICMP packets and understands the BPF filter mechanism.

For analyzing network packets there is Wireshark, with thousands of settings, filters and configuration options, and its command-line version Tshark. For simple tasks Wireshark is too heavyweight, so unless more powerful features are needed, ngrep is the usual choice. ngrep lets you handle network packets much the way grep handles files.

Berkeley Packet Filter (BPF) language: http://www.cnblogs.com/zhongxinWang/p/4303153.html



ngrep options

root@kali:~# man ngrep

Usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
             <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
             <-P char> <-F file> <match expression> <bpf filter>
   -h  help
   -V  version information
   -q  quiet mode; without this switch every non-matching packet is shown as "#"
   -e  show empty packets
   -i  ignore case
   -v  invert the match.    ngrep -v '' port 23   // show everything except telnet packets; -v inverts the match
   -R  do not do privilege revocation logic
   -x  show in hexadecimal format
   -X  match in hexadecimal format
   -w  whole-word matching (word regex)
   -p  do not use promiscuous mode
   -l  make stdout line buffered
   -D  replay pcap_dumps with their recorded time intervals
   -t  print a timestamp every time a packet is matched
   -T  print a delta timestamp every time a packet is matched
   -M              single-line matching only
   -I pcap_dump    read packets from the capture file pcap_dump and match against them
   -O pcap_dump    save matched packets to the pcap-format file pcap_dump
   -n num          capture only the given number of packets, then exit
   -A num          after a match, dump the given number of following packets
   -s snaplen      set the bpf caplen (default 65536)
   -S limitlen     set an upper length limit on matched packets
   -W normal | byline | single | none    set the dump format (normal, byline, single, none); byline preserves the newlines inside the packet
   -c cols    force the display column width
   -P char    set the character used to display non-printable characters
   -F file    read the bpf filter from a file
   -N         show the IANA-defined sub-protocol number
   -d dev     ngrep picks a default interface to listen on; -d selects the interface explicitly, and -d any captures on all interfaces
   -K num     kill matched TCP connections (like tcpkill); the numeric argument controls how many RST segments are sent

dst host host
True if the IP destination field of the packet is host, which may be either an address or a name.

src host host
True if the IP source field of the packet is host.

host host
True if either the IP source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords ip, arp, or rarp as in:
ip host host
which is equivalent to:

ether dst ehost
True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for numeric format).

ether src ehost
True if the ethernet source address is ehost.

ether host ehost
True if either the ethernet source or destination address is ehost.

gateway host
True if the packet used host as a gateway. I.e., the ethernet source or destination address was host but neither the IP source nor the IP destination was host. Host must be a name and must be found in both /etc/hosts and /etc/ethers. (An equivalent expression is ether host ehost and not host host which can be used with either names or numbers for host / ehost.)

dst net net
True if the IP destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a network number (see networks(4) for details).

src net net
True if the IP source address of the packet has a network number of net.

net net
True if either the IP source or destination address of the packet has a network number of net.

net net mask mask
True if the IP address matches net with the specific netmask. May be qualified with src or dst.

net net/len
True if the IP address matches net with a netmask len bits wide. May be qualified with src or dst.

dst port port
True if the packet is ip/tcp or ip/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).

src port port
True if the packet has a source port value of port.

port port
True if either the source or destination port of the packet is port. Any of the above port expressions can be prepended with the keywords tcp or udp, as in:
tcp src port port
which matches only tcp packets whose source port is port.

less length
True if the packet has a length less than or equal to length. This is equivalent to: len <= length.

greater length
True if the packet has a length greater than or equal to length. This is equivalent to: len >= length.

ip proto protocol
True if the packet is an ip packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names tcp, udp or icmp. Note that the identifiers tcp and udp are also keywords and must be escaped via backslash (\), which is \\ in the C-shell.

ip broadcast
True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.

ip multicast
True if the packet is an IP multicast packet.

ip
Abbreviation for:
ether proto ip

tcp, udp, icmp
Abbreviations for:
ip proto p
where p is one of the above protocols.


Examples

ngrep -d eth0 -W byline host 192.168.1.9    // capture traffic between this host and 192.168.1.9 on eth0, printed line by line

ngrep -W byline host 192.168.1.8 and port 80    // capture traffic between this host and 192.168.1.8 on port 80

ngrep -W byline '' '(host 192.168.1.8 or host 192.168.1.9) and port 80'    // capture traffic with 192.168.1.8 and 192.168.1.9 on port 80; the parentheses and the explicit "and" are required, since BPF does not join adjacent primitives on its own

ngrep '' 'host 192.168.1.8 and udp'       // capture udp packets to or from 192.168.1.8; the first non-option argument is the match expression, so the empty regex '' is given to match every packet

ngrep -W byline 'GET /' 'tcp and dst port 80' -d eth1 | awk -v RS="#+" -v FS="\n" '{ print length() }'    // print the length of each request header

ngrep -W byline 'GET /' 'tcp and dst port 80' -d eth1 |  awk -v RS="#+" -v FS="\n" 'length() > 1000'      // show only request headers larger than 1K

Capturing the string .flv, for example to find the download URL of the .flv file behind a Flash video on a web page:
ngrep -d3 -N -q '\.flv'      // the regex is quoted so the shell does not strip the backslash
then open a video page
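The awk pipeline from the examples above, run over a constructed sample of `ngrep -W byline` output (an added example, not code from the original page; the capture text is made up, and a POSIX awk such as gawk or mawk is assumed):

```sh
#!/bin/sh
# Added example (not from the original page): the page's awk pipeline applied to
# a constructed sample of `ngrep -W byline 'GET /' 'tcp and dst port 80'` output.
# Without -q every non-matching packet prints as '#', so runs of '#' separate the
# matched records; with -q those markers disappear and this split no longer works.
# In byline mode ngrep shows CR as '.' and keeps LF, which is why lines end in '.'.

# Constructed oversized cookie (1100 bytes) to trigger the size check below.
long_cookie=$(awk 'BEGIN { while (i++ < 1100) printf "a" }')

SAMPLE="####
T 192.168.1.5:51234 -> 192.168.1.8:80 [AP]
GET / HTTP/1.1.
Host: 192.168.1.8.
User-Agent: curl/7.64.1.
.
##
T 192.168.1.9:40112 -> 192.168.1.8:80 [AP]
GET /index.html HTTP/1.1.
Host: 192.168.1.8.
Cookie: ${long_cookie}.
.
#"

# One record per matched packet, skipping the empty records between adjacent '#'.
# RS is a single character here, which every POSIX awk supports; the page's
# RS="#+" relies on gawk/mawk treating a multi-character RS as a regex.
record_lengths() {
    printf '%s\n' "$SAMPLE" | awk -v RS='#' 'length($0) > 1 { print length($0) }'
}

# Count request headers larger than a threshold (the page uses 1000 bytes), the
# check a defender would alert on for oversized cookies or header stuffing.
count_large_requests() {
    printf '%s\n' "$SAMPLE" | awk -v RS='#' -v max="${1:-1000}" \
        'length($0) > max { n++ } END { print n + 0 }'
}

record_lengths
count_large_requests 1000
```

Piping live `ngrep` output into the same awk in place of `printf '%s\n' "$SAMPLE"` gives the page's one-liners with the portable record separator.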

For web traffic you almost always want the -W byline option, which preserves newlines, and -q, which suppresses the output produced by non-matching packets.

Capturing every packet that contains a GET or POST request: ngrep -q -W byline '^(GET|POST) .*'

Additional packet filter options can be passed in, for example to restrict matching to a particular host, IP or port. Here we filter all traffic to and from Google, only on port 80 and only where the packet contains "search": ngrep -q -W byline 'search' host www.google.com and port 80

ngrep '' udp            /* match udp packets */
ngrep '' icmp           /* match icmp packets */
ngrep '' port 53        /* show all dns requests */
ngrep '../'             /* watch for '../' requests from remote hosts (a directory-traversal indicator) */
ngrep -d rl0 port 80    /* http traffic on the server side */
ngrep -d rl0 'error' port syslog        /* syslog messages containing "error" */
ngrep -wi -d rl0 'user|pass' port 21    /* watch for user and pass on port 21 (ftp), whole-word and case-insensitive */
ngrep -d eth0 ''        /* show all packets; -d selects the hardware interface */
