ngrep is a powerful tool for real-time searching and filtering of network packets. According to the Linux man page:

ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump(8) and snoop(1).


The first thing you will need to do is install some kind of FTP server. For this example I used vsftpd.

Installing vsftpd with apt:

apt-get install vsftpd

Installing vsftpd with yum:

yum install vsftpd


The second thing you will need to do is install ngrep.

Installing ngrep with apt:

apt-get install ngrep

Installing ngrep with yum:

yum install ngrep

For the best results you will also need two computers. I used two Raspberry Pis.

Getting Started

On the FTP server (target box) start ngrep with the following command, where <interface> is the network interface the FTP traffic arrives on (for example eth0) and "port 21" is the BPF filter that restricts the capture to the FTP control channel (image 1):

sudo ngrep -d <interface> port 21


On the client box log into the FTP server as you normally would (image 2):

ftp <server name/ip>

When prompted, enter your user name.

When prompted, enter your password.


Check the results on the target box (image 3). The FTP username (ftpaccount) and the password (1234) are highlighted with white circles. FTP sends the USER and PASS commands in cleartext, so anyone who can capture the control channel can read the credentials exactly as ngrep shows them here.
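As an added example (not part of the original post), here is a small shell/awk filter that turns the same ngrep output into a defender-side alert: it reports each cleartext FTP login seen on the wire, with the username and whether a PASS command was transmitted, while never recording the password itself. The capture text, addresses and banner are constructed for the demo, and the layout of ngrep's -q -W byline output is approximated.

```shell
#!/bin/sh
# Constructed sample of what `sudo ngrep -q -W byline -d eth0 port 21` prints on the
# server during the login above (addresses and banner are made up; a second, failed
# login from another client is interleaved to show per-connection correlation).
SAMPLE_NGREP_OUTPUT='T 192.168.0.20:21 -> 192.168.0.10:49152 [AP]
220 Welcome to the lab FTP server

T 192.168.0.10:49152 -> 192.168.0.20:21 [AP]
USER ftpaccount

T 192.168.0.20:21 -> 192.168.0.10:49152 [AP]
331 Please specify the password.

T 192.168.0.10:49152 -> 192.168.0.20:21 [AP]
PASS 1234

T 192.168.0.11:50000 -> 192.168.0.20:21 [AP]
USER bob

T 192.168.0.20:21 -> 192.168.0.10:49152 [AP]
230 Login successful.

T 192.168.0.11:50000 -> 192.168.0.20:21 [AP]
PASS wrong

T 192.168.0.20:21 -> 192.168.0.11:50000 [AP]
530 Login incorrect.'
# Reads ngrep byline output on stdin and prints one alert per FTP login attempt.
# USER/PASS are matched to the server's 230/530 reply per connection, so
# interleaved sessions are not mixed up. The password is never stored or printed.
detect_cleartext_ftp_logins() {
  awk '
    # Packet header, e.g. "T 192.168.0.10:49152 -> 192.168.0.20:21 [AP]"
    /^[TU] [0-9.]+:[0-9]+ -> [0-9.]+:[0-9]+/ { src = $2; dst = $4; next }
    # Client -> server commands; real output may show the CR as a trailing "."
    /^USER / { u = $2; sub(/[.\r]$/, "", u); user[src "->" dst] = u; next }
    /^PASS / { pass[src "->" dst] = 1; next }
    # Server -> client reply: 230 = login ok, 530 = login failed. Rebuild the
    # key from the client side (dst->src) so it matches the USER/PASS entries.
    /^(230|530) / {
      key = dst "->" src
      if (!(key in user)) next
      status = ($1 == "230") ? "SUCCESS" : "FAILURE"
      printf "%s cleartext FTP login client=%s server=%s user=%s password_on_wire=%s\n", status, dst, src, user[key], (key in pass) ? "yes" : "no"
      delete user[key]; delete pass[key]
    }
  '
}
printf '%s' "$SAMPLE_NGREP_OUTPUT" | detect_cleartext_ftp_logins
```

On a live box, pipe ngrep into the function instead of the sample (sudo ngrep -q -W byline -d <interface> port 21 | detect_cleartext_ftp_logins) to get an alert line per login without writing passwords to your logs.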
