I can never remember the syntax to do this, so I posted it here.
ngrep -d eth1 -W byline -qilw 'get' tcp dst port 80
-d eth1 (monitor eth1)
So why would one want to do this?
- Monitor requests on a web server with many websites. Sometimes it can be difficult to determine which site is being hammered.
- Observe malware as it phones home. This works great if your Linux box is acting as the gateway for your network.
- Spy on your coworkers 🙂
- Reverse engineer licensing schemes
- … you get the idea
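
For the first use case above (working out which site on a shared web server is being hammered), the capture can be piped into a tally of Host headers. This is an added example, not part of the original post; the function names top_hosts and sample_capture are hypothetical, the sample capture is constructed, and it assumes the -W byline output format in which the trailing carriage return of each header line is rendered as ".".

```shell
#!/bin/sh
# Tally HTTP Host headers from `ngrep -W byline` output read on stdin.
# Prints "<count> <host>" lines, busiest host first.
top_hosts() {
    awk '
        # Header names are case-insensitive, so compare in lower case.
        tolower($1) == "host:" {
            host = tolower($2)
            sub(/\.$/, "", host)       # byline mode shows the trailing CR as "."
            sub(/:[0-9]+$/, "", host)  # fold "site:80" into "site"
            if (host != "") count[host]++
        }
        END { for (h in count) print count[h], h }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample of captured requests (documentation addresses, not real traffic).
sample_capture() {
    cat <<'EOF'
T 192.0.2.10:51234 -> 198.51.100.5:80 [AP]
GET /index.html HTTP/1.1.
Host: www.example.com.
User-Agent: curl/8.0.
.

T 192.0.2.11:40112 -> 198.51.100.5:80 [AP]
GET /login HTTP/1.1.
host: Shop.Example.com:80.
.

T 192.0.2.10:51240 -> 198.51.100.5:80 [AP]
GET /style.css HTTP/1.1.
Host: www.example.com.
.

EOF
}

# Live use (as root); timeout ends the capture so the totals get printed:
#   timeout 60 ngrep -d eth1 -W byline -qilw 'get' tcp dst port 80 | top_hosts
sample_capture | top_hosts
```

The tally is only printed once the input ends, so a live capture needs a bound such as the timeout shown in the comment.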