0

I am using Wireshark version 1.10.3 on Windows 7 x64 Enterprise. I am trying to capture all outbound UDP traffic, in particular syslog traffic.

I have tried a capture filter of UDP, but all I can see is DNS and NTP traffic.

I have used the following script to send UDP messages to a remote syslog server.

# Open a UDP socket to the syslog server (syslog_server_ip is a placeholder) on port 514
$syslogClient = New-Object System.Net.Sockets.UdpClient syslog_server_ip, 514

# Build the test message and encode it as ASCII bytes
$message = "Test syslog $(Get-Date)"
[byte[]] $rawMSG = $(New-Object System.Text.ASCIIEncoding).GetBytes($message)

# Send the datagram and release the socket
$syslogClient.Send($rawMSG, $rawMSG.Length)
$syslogClient.Close()

The messages get to the syslog server but I cannot see them within the wireshark capture window.

Has anybody managed to capture outbound syslog messages within wireshark, or is there something that I am missing?

Regards, David

dmckenna

1 Answer

0

IMO the easiest way is to capture UDP port 514: udp.port==514

Alternatively, you can try to capture all traffic going to ip.addr=="Your Syslog Server"

Tim Brigham

  • Those are display filters, not capture filters. – Zoredache Nov 20 '13 at 16:35
  • Used NO capture filter and set display filter to udp.port==514. I have also reinstalled my OS since and have a clean install of Wireshark. It's working perfectly now. Thanks guys! – dmckenna Nov 21 '13 at 12:02
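The distinction raised in the comments (BPF capture filters such as udp port 514 versus Wireshark display filters such as udp.port==514) is easy to check end to end with tshark, which ships with Wireshark. The following PowerShell script is an added example, not code from the question or the answer: it records outbound port 514 traffic with a capture filter, sends one test message using the same UdpClient approach as the question, and then reads the trace back with a display filter. It assumes tshark.exe is on PATH, that the interface index comes from tshark -D, and that $SyslogServer (192.0.2.10 is a placeholder) is a remote host; WinPcap cannot capture loopback traffic, so a message sent to 127.0.0.1 would never appear in the trace.

```powershell
# Added example: verify that outbound syslog is visible to Wireshark's capture engine.
# Assumes tshark.exe from the Wireshark install is on PATH; $SyslogServer is a
# placeholder and must be a remote host (loopback traffic is not captured by WinPcap).
param(
    [string]$SyslogServer = "192.0.2.10",                  # placeholder, replace with your server
    [int]$Interface       = 1,                             # index from `tshark -D`
    [string]$OutFile      = "$env:TEMP\syslog-test.pcapng"
)

# 1. Start the capture in the background with a *capture* filter (BPF syntax).
#    "udp.port==514" would be rejected here: that is display-filter syntax.
$capture = Start-Process -FilePath tshark.exe -PassThru -NoNewWindow `
    -ArgumentList "-i $Interface", "-f `"udp port 514`"", "-a duration:10", "-w `"$OutFile`""
Start-Sleep -Seconds 2   # give the capture a moment to open the adapter before sending

# 2. Send one RFC 3164-style test message (PRI 134 = facility local0, severity info).
$client  = New-Object System.Net.Sockets.UdpClient($SyslogServer, 514)
$message = "<134>$(Get-Date -Format 'MMM dd HH:mm:ss') $env:COMPUTERNAME wireshark-test: capture check"
$bytes   = [System.Text.Encoding]::ASCII.GetBytes($message)
[void]$client.Send($bytes, $bytes.Length)
$client.Close()

# 3. Wait for the autostop, then apply the *display* filter to the saved trace and
#    print the destination, port and decoded syslog message for each matching packet.
$capture.WaitForExit()
tshark.exe -r $OutFile -Y "udp.port==514" -T fields -e ip.dst -e udp.dstport -e syslog.msg
```

If step 3 prints nothing while the server still receives the message, the packet left through an interface other than the one selected; run tshark -D and pick the adapter that carries the route to the syslog server.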