rustfika/ngr

ngr

Grep your network traffic — including HTTPS.

ngr is a modern Rust take on ngrep. It captures packets, reassembles TCP streams, optionally decrypts TLS using SSLKEYLOGFILE, then matches a regular expression against the payload.

$ ngr "GET /api" --tls
2026-05-28T10:11:12  10.0.0.5:42312 → 10.0.0.10:443  HTTP/2  stream=1
                     GET /api/users
                     host: example.com
                     authorization: Bearer eyJhbGciOiJSUzI1NiJ9...

✨ Why

  • TLS keylog decryption — match patterns inside HTTPS / HTTP-2 / gRPC.
  • TCP reassembly — never miss a match because it spans packet boundaries (ngrep's classic blind spot).
  • JSON output — -o ndjson pipes straight into jq or Vector.
  • Single static binary — no Python, no libpcap-dev required at runtime (Linux musl build).
  • eBPF backend (Phase 2) — capture without root, with CAP_BPF only.

📦 Install

# From crates.io
cargo install ngr

# Prebuilt binaries (Linux / macOS / Windows-Npcap)
curl -fsSL https://github.com/rustfika/ngr/releases/latest/download/install.sh | sh

⚡ Quickstart

ngr "GET /"                              # match plain HTTP traffic anywhere
ngr "POST /login" --bpf "tcp port 80"    # narrow with a tcpdump-style filter
ngr "Authorization" --tls                # decrypt HTTPS, requires SSLKEYLOGFILE
ngr "" -o ndjson | jq 'select(.l7)'      # JSON pipe to jq
ngr "ERROR" --direction s2c              # only match server-to-client traffic
ngr "" -i lo --tls --tui                 # interactive TUI live view

📊 Benchmark

Coming with the 0.1.0 release. It will compare ngr against ngrep 1.47 on the CAIDA anonymized internet traces, measuring throughput (Mbps), CPU%, RSS, and p99 packet latency.

🆚 vs ngrep

ngrep 1.47 ngr
Language C Rust
TCP reassembly
TLS decryption ✅ (via SSLKEYLOGFILE)
HTTP/2 awareness
JSON output
eBPF backend ✅ (P2, Linux)
TUI live mode ✅ (P2)
pcapng output ✅ (P2)
Maintained ❓ (sparse)

🛠️ How it works

ngr is built on the obs library family:

┌───────────────┐    ┌───────────────┐    ┌───────────────┐
│  obs-capture  │ ─► │  obs-decode   │ ─► │   ngr match   │
│ (libpcap/eBPF)│    │ (TCP reasm +  │    │   + render    │
└───────────────┘    │  HTTP/TLS)    │    └───────────────┘
                     └───────────────┘
                              ▲
                     ┌───────────────┐
                     │   obs-tls     │
                     │ (SSLKEYLOGFILE│
                     │  decryption)  │
                     └───────────────┘

For internals, see DESIGN.md.
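
Why the TCP reassembly stage matters for matching, as an added example (not code from ngr or the obs crates): a pattern split across two segments is invisible to per-packet matching but found once the stream is rebuilt in sequence order. The `Reassembler` type, its fields and the sample segments are hypothetical, and a plain substring search stands in for the regular expression so the sketch needs only the standard library.

```rust
use std::collections::BTreeMap;

/// One direction of a TCP flow (hypothetical type; assumes a known ISN and no sequence wraparound).
struct Reassembler {
    next_seq: u32,                   // next byte the stream is waiting for
    pending: BTreeMap<u32, Vec<u8>>, // buffered segments keyed by sequence number
    stream: Vec<u8>,                 // contiguous payload delivered so far
}

impl Reassembler {
    fn new(isn: u32) -> Self {
        Reassembler { next_seq: isn, pending: BTreeMap::new(), stream: Vec::new() }
    }

    fn push(&mut self, seq: u32, data: &[u8]) {
        self.pending.entry(seq).or_insert_with(|| data.to_vec()); // first copy wins
        // Drain every buffered segment that is now contiguous with the stream.
        while let Some(first) = self.pending.keys().next().copied() {
            if first > self.next_seq { break; } // gap: wait for the missing bytes
            let seg = self.pending.remove(&first).unwrap();
            let skip = (self.next_seq - first) as usize; // bytes already delivered
            if skip < seg.len() {
                self.stream.extend_from_slice(&seg[skip..]);
                self.next_seq += (seg.len() - skip) as u32;
            }
        }
    }
}

fn contains(haystack: &[u8], needle: &[u8]) -> bool {
    !needle.is_empty() && haystack.windows(needle.len()).any(|w| w == needle)
}

// Constructed capture: split inside the pattern, second half first, first half retransmitted.
const SEGMENTS: [(u32, &str); 3] =
    [(1004, "/api/users HTTP/1.1\r\n"), (1000, "GET "), (1000, "GET ")];

fn per_packet_match(pat: &[u8]) -> bool {
    SEGMENTS.iter().any(|(_, d)| contains(d.as_bytes(), pat))
}

fn reassembled_match(pat: &[u8]) -> bool {
    let mut r = Reassembler::new(1000);
    for (seq, d) in SEGMENTS { r.push(seq, d.as_bytes()); }
    contains(&r.stream, pat)
}

fn main() {
    println!("per-packet: {}, reassembled: {}", per_packet_match(b"GET /api"), reassembled_match(b"GET /api"));
}
```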

🔗 Related tools

If you find ngr useful, you might also enjoy:

  • td — a modern tcpdump with JSON output.
  • iop — an eBPF iotop alternative.

🤝 Contributing

See CONTRIBUTING.md. Bug reports and pcap fixtures are very welcome.

License

MIT OR Apache-2.0 at your option.

Acknowledgements

ngr stands on the shoulders of:

  • ngrep by Jordan Ritter — the original.
  • Wireshark — protocol decoding reference.
  • libpcap — the lingua franca of packet capture.
