Perhaps one of the most important network monitoring tools on Linux, ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
ngrep has traditionally been used to debug plaintext protocol interactions such as HTTP, SMTP, FTP, etc., to identify and analyze anomalous network communications such as those between worms, viruses and/or zombies, and to store, read and reprocess pcap dump files while looking for specific data patterns. On the other hand, it can be used to do the more mundane plaintext credential collection as with HTTP Basic Authentication, FTP or POP3 authentication, and so forth. Like all useful tools, it can be used for good and bad.
ngrep can easily be set up to monitor certain ports for plaintext packets, using simple commands such as:
ngrep -d any port 80
This will monitor plaintext packets for port 80 when you are browsing the web.
Or get more specific information with this command:
ngrep -d any -W byline port 80
So now we know that linux.com (22.214.171.124) is using the above server with the above-mentioned mods; let's verify this information with Netcraft: http://toolbar.netcraft.com/site_report?url=linux.com and it is confirmed.
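The byline output is also easy to audit on your own network. As an added example (not from the original post), this Python script parses constructed `ngrep -q -W byline port 80` output and reports, per server, the Server banner it disclosed and whether a client sent HTTP Basic credentials to it in cleartext. The sample capture, its addresses and the `audit` function name are assumptions, as is the output layout: a `T src:port -> dst:port [flags]` line per packet, with the CR of each CRLF shown as a trailing `.`.

```python
import re
from collections import defaultdict

# Constructed sample of `ngrep -q -W byline port 80` output (documentation addresses).
SAMPLE = """\
interface: any
filter: (ip or ip6) and ( port 80 )

T 192.0.2.10:51234 -> 198.51.100.7:80 [AP]
GET /admin HTTP/1.1.
Host: intranet.example.
Authorization: Basic <redacted>.
.

T 198.51.100.7:80 -> 192.0.2.10:51234 [AP]
HTTP/1.1 200 OK.
Server: Apache/2.2.3 (CentOS).
.
<html>...

T 192.0.2.11:40000 -> 198.51.100.8:80 [AP]
GET / HTTP/1.1.
Host: www.example.
.
"""

# Per-packet header line: protocol letter, source ip:port, destination ip:port.
HEADER = re.compile(r"^[TU] (\S+):(\d+) -> (\S+):(\d+)")

def audit(ngrep_text):
    """Return {server 'ip:port': {'banner': str or None, 'cleartext_auth': bool}}."""
    findings = defaultdict(lambda: {"banner": None, "cleartext_auth": False})
    src = dst = None
    in_headers = False
    for line in ngrep_text.splitlines():
        m = HEADER.match(line)
        if m:  # a new packet starts; its first lines are HTTP headers
            src, dst, in_headers = f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}", True
            continue
        if not in_headers:
            continue  # preamble or HTTP body: ignore
        line = line[:-1] if line.endswith(".") else line  # drop the '.' that stands for CR
        if line == "":
            in_headers = False  # empty line ends the header block
        elif line.lower().startswith("authorization: basic"):
            findings[dst]["cleartext_auth"] = True  # request: the server is the destination
        elif line.lower().startswith("server:"):
            findings[src]["banner"] = line.split(":", 1)[1].strip()  # response: server is the source
    return dict(findings)

if __name__ == "__main__":
    for server, result in audit(SAMPLE).items():
        print(server, result)
```

Servers that show up with `cleartext_auth` set are candidates for moving behind TLS, and a detailed banner is a candidate for trimming in the web server configuration.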
There are many other uses of ngrep; I suggest you check out the man page and also their website.