This is the command I use to track down P2P connections through my networks:

ngrep -t -d ETH00:00 -q -i -W single -l \

Note: it should all be on one line.

-i is ignore case
-w is word-regex (expression must match as a word)
-l is make stdout line buffered
-t is print timestamp every time a packet is matched
-W is set the dump format (normal, byline, single, none)
-d is use specified device instead of the pcap default

