"the world's cheapest IPS" -- a friend
"cool, ngrep but better ;)" -- another friend


flowgrep is a basic IDS/IPS tool written in python to help you investigate and manage your network. it works by sniffing traffic, reassembling TCP streams (and reassembling IP and UDP fragments into single packets), and letting you "grep" through their payloads using regular expressions. the regular expression engine is comparable in quality to Perl's. think of it as a marriage of tcpflow, tcpkill, and ngrep.

flowgrep's usage is quite simple:

$ flowgrep.py -h
./flowgrep: TCP stream/UDP/IP payload 'grep' utility
    Usage: ./flowgrep OPTIONS [FILTER]

    where OPTIONS are any of the following:
       -a [pattern]     match any stream with pattern
       -c [pattern]     match client stream with pattern
       -D [num]         distance score for libdistance-based match
       -d [device]      input device 
       -E [name]        string distance algorithm to use
                        (one of: levenshtein, damerau, hamming, jaccard)
       -e [string]      string to compare against for distance-based matches
       -F [file]        obtain server patterns from file, one per line
       -f [file]        obtain client patterns from file, one per line
       -i               case insensitive match
       -k               kill matched stream (TCP only)
       -l [dir]         log matched flows relative to dir (default: .)
       -r [file]        input file (in pcap(3) format)
       -s [pattern]     match server stream with pattern
       -u [username]    run as username (default: nobody)
       -V               print version information and exit
       -v               select non-matching input
       -x               print logged filenames (for use with xargs(1))

    [FILTER]            pcap(3) filter expression
      UDP and IP payloads will test any pattern (no stream to test).

you can specify any string or regular expression to look for, and optionally log or kill the matching stream (-l or -k, respectively). note that the kill option only works on TCP streams. you can look for expressions in the client stream, the server stream, or both. note that for UDP and IP, both expressions are tested against the payload since no "stream" is established. you need root permissions to use this effectively, since you are sniffing the network.

matched TCP streams are logged as two files (one per stream direction); matched UDP and IP payloads are logged as a single file. the payload of every matched stream is written out. files are named 'time-source-sport-dest-dport-proto' in the local directory. examples:

-rw-r--r--  1 nobody  jose    40 Oct 20 21:09 1098320995-
-rw-r--r--  1 nobody  jose     7 Oct 20 21:09 1098320995-
note that the files may contain binary data, or malicious data, so handle them with care. non-UDP and non-TCP payloads are not written with a port number, and the protocol is "protoN", where "N" is the IP protocol number.
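the matching and log-naming rules described above, restated as an added python illustration (this is not flowgrep's own code): TCP flows test -c/-s/-a patterns against their respective directions, UDP and IP payloads test every pattern against the single payload, -i and -v behave as described, and log names follow 'time-source-sport-dest-dport-proto'. the Flow type and the portless 'time-source-dest-protoN' layout are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Flow:
    """one reassembled flow (an assumed type for this illustration, not flowgrep's).
    TCP flows carry each direction's payload in client/server; UDP and IP
    payloads have no stream, so only 'payload' is set."""
    ts: int
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str                 # "tcp", "udp", or "protoN" for other IP protocols
    client: bytes = b""
    server: bytes = b""
    payload: bytes = b""


Rules = Tuple[List[re.Pattern], List[re.Pattern], List[re.Pattern]]


def compile_rules(any_pats=(), client_pats=(), server_pats=(), ignore_case=False) -> Rules:
    """-a / -c / -s pattern lists; -i maps onto IGNORECASE; bytes patterns so binary payloads work"""
    flags = re.IGNORECASE if ignore_case else 0
    comp = lambda pats: [re.compile(p.encode(), flags) for p in pats]
    return comp(any_pats), comp(client_pats), comp(server_pats)


def matches(flow: Flow, rules: Rules, invert: bool = False) -> bool:
    """-v (invert) flips the verdict; UDP/IP test every pattern since there is no stream"""
    any_r, cli_r, srv_r = rules
    if flow.proto == "tcp":
        hit = (any(r.search(flow.client) or r.search(flow.server) for r in any_r)
               or any(r.search(flow.client) for r in cli_r)
               or any(r.search(flow.server) for r in srv_r))
    else:
        hit = any(r.search(flow.payload) for r in any_r + cli_r + srv_r)
    return hit != invert


def log_name(flow: Flow) -> str:
    """'time-source-sport-dest-dport-proto'; the portless 'protoN' layout is an assumption"""
    if flow.proto in ("tcp", "udp"):
        return f"{flow.ts}-{flow.src}-{flow.sport}-{flow.dst}-{flow.dport}-{flow.proto}"
    return f"{flow.ts}-{flow.src}-{flow.dst}-{flow.proto}"
```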


you can measure particular traffic, build a very cheap IPS device (e.g. against mail-based worm infestations), disrupt spammers, or just sniff on your coworkers.

specific instances:

"By now everyone should appreciate just how powerful and useful Flowgrep can be." Richard Bejtlich on his blog on 28 Jan, 2005 (see below).


BSD 3-clause


jose nazario <jose@monkey.org>