See who's doing what, with a grep for your network interface
The ngrep utility is an interesting packet capture tool, similar to tcpdump or snoop. It is unique in that it tries to make it as easy as possible to choose which captured packets to print, by using a grep-compatible format (complete with regular expressions and a bunch of GNU grep's switches). It also converts the packets to ASCII (or hex) before printing.
For example, to see the contents of all HTTP GET requests that pass through your router, try this:
# ngrep -q GET
If you're only interested in a particular host, protocol, or port (or other packet matching criteria), you can specify a BPF filter as well as a data pattern. It uses a syntax similar to tcpdump:
# ngrep -qi email@example.com port 25

T 10.42.4.7:65174 -> 220.127.116.11:25 [AP]
  RCPT TO:<firstname.lastname@example.org>..

T 18.104.22.168:25 -> 10.42.4.7:65174 [AP]
  250 2.1.5 <email@example.com>... Recipient ok..

T 10.42.4.7:65174 -> 22.214.171.124:25 [AP]
  Date: Sun, 8 Sep 2002 23:55:18 -0700..Mime-Version: 1.0 (Apple Message fram
  ework v543)..Content-Type: text/plain; charset=US-ASCII; format=flowed..Sub
  ject: Greetings.....From: John Doe <firstname.lastname@example.org>..To: rob@noca
  t.net..Content-Transfer-Encoding: 7bit..Message-Id: <19DB8C16-C3C1-11D6-B23
  9-0003936D6AE0@somewhere.else.com>..X-Mailer: Apple Mail v2)....What does t
  hat pgp command you mentioned do again?....Thanks,....--A Friend....
Since ngrep prints to STDOUT, you can do post-processing ...
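As an added example (not part of the original article), this Python filter reads `ngrep -q` output on stdin, rejoins each packet's wrapped payload lines, and reports which flows carried SMTP envelope commands unencrypted. The record layout is taken from the sample output above; the function names, the two-space payload indent and the sample lines are assumptions made for this example.

```python
import re
import sys
from collections import defaultdict

# Record header as in the sample output above: "T src:port -> dst:port [AP]"
HEADER = re.compile(r"^([TUI]) (\S+?):(\d+) -> (\S+?):(\d+)(?: \[(\w+)\])?\s*$")
# SMTP envelope commands; ngrep prints CR/LF as ".", so "<...>" delimits the address
ENVELOPE = re.compile(r"\b(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.I)

def parse_records(lines):
    """Yield (proto, src, sport, dst, dport, payload) for each packet."""
    head, chunks = None, []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = HEADER.match(line)
        if m:
            if head:
                yield (*head, "".join(chunks))
            head, chunks = (m[1], m[2], int(m[3]), m[4], int(m[5])), []
        elif head and line.strip():
            # Assumed two-space payload indent; wraps fall mid-word, so join bare.
            chunks.append(line[2:] if line.startswith("  ") else line)
    if head:
        yield (*head, "".join(chunks))

def cleartext_envelopes(lines):
    """Map (src, dst, dport) to the envelope commands seen unencrypted."""
    seen = defaultdict(list)
    for _proto, src, _sport, dst, dport, payload in parse_records(lines):
        for cmd, addr in ENVELOPE.findall(payload):
            seen[(src, dst, dport)].append((cmd.upper(), addr))
    return dict(seen)

# Constructed sample (documentation addresses), not a real capture.
SAMPLE = """\
T 192.0.2.10:65174 -> 198.51.100.25:25 [AP]
  MAIL FROM:<alice@example.com>..

T 198.51.100.25:25 -> 192.0.2.10:65174 [AP]
  250 2.1.0 <alice@example.com>... Sender ok..

T 192.0.2.10:65174 -> 198.51.100.25:25 [AP]
  RCPT TO:<bob@exa
  mple.org>..
"""

if __name__ == "__main__":
    for flow, cmds in cleartext_envelopes(sys.stdin).items():
        print(flow, cmds)
```

Because the wrapped lines are rejoined before matching, an address split across two output lines is still reported whole.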