ngrep snippets

Debugging tools

Tagged dstat, ngrep, perf, strace, tcpdump, wireshark, netcat, netstat, dtrace, dtruss, debugging  Languages bash

IO and system calls

  • dstat

Monitor network and disk IO:

dstat -t

  • dtrace / dtruss (OSX)

To get the list of available system calls use:

sudo dtrace -ln 'syscall:::entry'

Find which files a program is opening (same as strace -f -p $PID -e open):

sudo dtruss -t open_nocancel -p $PID

Also see ls /usr/bin/.d*

  • strace (Linux)

Monitor system calls made by an app:

strace ruby app.rb

Writes all system calls made by SSH, and subprocesses (-f), to a file named ssh.txt:

strace -f -o ssh.txt ssh

Spy on all ‘open’ system calls made by a process (on current Linux most opens go through openat, so trace both):

strace -f -p $PID -e trace=open,openat

Use this command to see a list of all available system calls (Linux only):

man syscalls

  • opensnoop

Monitor what files are being opened:

opensnoop -p $PID
strace -e trace=open,openat -p $PID
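
Trace files written by the strace commands above (for example strace -f -o ssh.txt ssh) get long quickly. The following script is an added example, not part of the original snippets: it summarises which paths a traced process opened or failed to open. The names summarize_opens and sample_trace are hypothetical, and the trace lines are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): summarise which files a traced
# process tried to open, from the output of `strace -f -o FILE ...`.
# summarize_opens and sample_trace are hypothetical helper names.

# Prints "<ok|fail> <count> <path>" per distinct result and path, sorted by path.
# Reads the trace from the files given as arguments, or from stdin.
summarize_opens() {
  awk '
    # Completed calls only: [PID ]open|openat(... "PATH", FLAGS[, MODE]) = RET
    /^([0-9]+ +)?(open|openat)\(/ && /\) = -?[0-9]+/ {
      n = split($0, q, "\"")          # q[2] is the first quoted string: the path
      if (n < 3) next
      status = ($0 ~ /\) = -1 /) ? "fail" : "ok"
      count[status " " q[2]]++
    }
    END {
      for (k in count) {
        split(k, p, " ")              # p[1] is the status; the rest is the path
        print p[1], count[k], substr(k, length(p[1]) + 2)
      }
    }
  ' "$@" | LC_ALL=C sort -k3
}

# Constructed sample in the `strace -f -o` format (PID prefix on every line).
# The unfinished/resumed pair is skipped on purpose: it has no path and result
# on the same line.
sample_trace() {
  cat <<'EOF'
4242 execve("/usr/bin/ssh", ["ssh", "host"], 0x7ffd5c0 /* 20 vars */) = 0
4242 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/etc/ssh/ssh_config", O_RDONLY) = 3
4242 openat(AT_FDCWD, "/home/dev/.ssh/config", O_RDONLY) = -1 ENOENT (No such file or directory)
4243 openat(AT_FDCWD, "/etc/ssh/ssh_config", O_RDONLY) = 3
4243 open("/home/dev/my keys/id_ed25519", O_RDONLY) = -1 EACCES (Permission denied)
4243 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC <unfinished ...>
4243 <... openat resumed>) = 5
EOF
}

sample_trace | summarize_opens
```

To run it on a real trace, pass the file name: summarize_opens ssh.txt. Failed opens (ENOENT, EACCES) are often the most useful lines when working out which config or key files a program looks for.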


  • netcat

Pipe/copy data over a network ($HOST is a placeholder for the target host):

cat request.txt | nc "$HOST" 80

  • netstat

Find which programs are listening on which port:

sudo netstat -tunapl
lsof -i -P # OSX

  • ngrep

Listen to traffic containing the string “localhost” on any network interface:

sudo ngrep -d any localhost

  • tcpdump

Capture traffic on port 80 and write it to http.pcap:

sudo tcpdump port 80 -w http.pcap

This writes a pcap file that can be analyzed with Wireshark.

  • Wireshark

Analyze pcap files from ngrep, tcpdump, etc:

wireshark http.pcap

CPU (Linux)

  • perf

Run perf, a sampling profiler, to see where your application is spending its time:

sudo perf record ruby app.rb

Find out what the program using the most CPU time is doing:

sudo perf top

Count L1 data-cache load misses to find out whether an app is making good use of the L1 cache, which is ~200 times faster than RAM:

sudo perf stat -e L1-dcache-load-misses my_golang_app


How to inspect HTTP traffic with tcpdump and ngrep

Tagged tcpdump, http, ngrep  Languages bash


ngrep is one alternative to tcpdump:

$ sudo ngrep -q -d lo0 -W byline host localhost and dst port 3002

The command will listen to interface lo0 and print all traffic destined for localhost port 3002.


Write traffic on port 80 (HTTP) to a file. Rotate the capture file after 10 MB and keep 5 files.

$ sudo tcpdump port 80 -n -i any -w /tmp/traffic -p -C 10 -W 5 -s 1500

This gist shows how to monitor HTTP requests.

On OSX remember to install tcpdump with brew:

$ brew install tcpdump