I was missing the -t. I assumed that with just the port filter I would get results. So this gives just #s

ngrep 'dst port 80' -I x.cap

but then

ngrep -t '' 'dst port 80' -I x.cap

gives results.

Collecting loads of data at the moment so going to try to write some good filters and scripts to parse through it to see what info I can get.

BTW, I am running this version in case it makes a difference:

ngrep: V1.45, $Revision: 1.93 $

Thanks for all the replies.

Robin

2009/11/30 Nick Baronian <[email protected]>:
> Toss a -v on the end.
> ngrep -W byline -t '^(GET|POST) ' 'dst host 1.1.1.1 and dst port 80'
> -I /tmp/out.pcap -v
>
> If it helps here is a little cheat sheet with some ngrep junk -
> http://theinterw3bs.com/docs/PacketSniffCraft-CheatSheet.pdf
> nick
>
> On Mon, Nov 30, 2009 at 12:51 PM, Robin Wood <[email protected]> wrote:
>> Hi
>> I'm playing with ngrep and if I run it without a filter it shows the
>> packets but as soon as I add a filter all I get out is #'s. The number
>> of #s matches the number of packets so the filter is working but it
>> just doesn't show the data.
>>
>> I'm running this on a pcap and have tried running it as root just in
>> case there were privilege problems but that didn't help. tcpdump shows
>> the data correctly.
>>
>> A friend says he has seen this before but can't remember what caused it.
>>
>> Can anyone help?
>>
>> Robin
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
