9.18. Searching for Strings in Network Traffic
Problem
You want to watch network traffic, searching for strings in the transmitted data.
Solution
Use ngrep .
To search for packets containing data that matches a regular expression and protocols that match a filter expression:
# ngrep [grep-options] regular-expression [filter-expression]
To search instead for a sequence of binary data:
# ngrep -X hexadecimal-digits [filter-expression]
To sniff packets and save them in a file:
# ngrep -O filename [-n count] [-d interface] [-s snap-length] \
    regular-expression [filter-expression]
To read and display the saved network trace data:
$ ngrep -I filename regular-expression [filter-expression]
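The Solution's modes, worked as an added Python example (not ngrep's or the book's code): a minimal reader for a libpcap-format trace such as ngrep -O writes and ngrep -I reads, searching each TCP/UDP payload either by regular expression (ngrep's default, with -i style case folding) or by a hex byte sequence (what -X does). The capture bytes, ports and 10.0.0.x addresses are constructed inline for the demonstration.

```python
import re
import struct

def _frame(proto, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame for test data only (not a real capture)."""
    if proto == 6:   # TCP header: data offset 5 (20 bytes), flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    else:            # UDP header: length field covers header plus payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip          # Ethernet header, ethertype IPv4

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f       # ts_sec, ts_usec, incl, orig
    return out

SAMPLE_PCAP = _pcap([   # three constructed packets: HTTP request, DNS query, FTP login
    _frame(6, 40000, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    _frame(17, 5353, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
    _frame(6, 40001, 21, b"USER anonymous\r\n"),
])

def parse_pcap(data):
    """Yield (flow, payload) for every IPv4 TCP/UDP packet in a classic little-endian pcap file."""
    off = 24                                            # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4 over Ethernet
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        l4 = ip[ihl:]
        if proto not in (6, 17):                        # only TCP and UDP payloads are searched
            continue
        hdr = (l4[12] >> 4) * 4 if proto == 6 else 8    # TCP data offset, or fixed UDP header
        sport, dport = struct.unpack_from("!HH", l4)
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        yield f"{src}:{sport} -> {dst}:{dport}", l4[hdr:]

def grep_payloads(pcap, pattern=None, hexdigits=None, ignore_case=False):
    """Flows whose payload matches a regex (ngrep's default) or raw bytes given as hex (ngrep -X)."""
    if hexdigits is not None:
        needle = re.compile(re.escape(bytes.fromhex(hexdigits)))
    else:
        needle = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    return [flow for flow, payload in parse_pcap(pcap) if needle.search(payload)]
```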
Discussion
ngrep is supplied with SuSE but not Red Hat; however, it is easy to obtain and install if you need it. Download it from http://ngrep.sourceforge.net and unpack it:
$ tar xvpzf ngrep-*.tar.gz
compile it:
$ cd ngrep
$ ./configure --prefix=/usr/local
$ make
and install it into /usr/local as root:[8]
# mkdir -p /usr/local/bin /usr/local/man/man8
# make install
Sometimes we are interested in observing the data delivered by network packets, known as the payload. Tools like tcpdump [Recipe 9.16] and especially Ethereal [Recipe 9.17] can display the payload, but they are primarily designed for protocol analysis, so their ability to select packets based on arbitrary data is limited.[9]
The ngrep command searches network traffic for data that matches extended regular expressions, in the same way that the ...