
I'm trying to process all server connections using tcpdump using python and it was working very well using this command:

tcpdump -tttt -nn 'tcp[tcpflags] & tcp-syn == tcp-syn'

Here is what it captures:

  • Any connections to and from the server from another machine
  • Running on the box, it will log a telnet to port 22

Here is what it doesn't:

  • if I run ssh localhost
  • anytime any server (or most processes) on the machine SYNs to a listening port on the same machine

So I'm getting all traffic from the outside in and inside out, but nothing that is happening within the machine.

I think I got some of the flags wrong, but I'm not sure what. Any ideas? I'm simply trying to monitor server connection activity inside a machine, but only getting a log when it's external.

legoscia
Lindy

3 Answers


Connections on localhost will be going over the lo interface. Try using the -i any option to make it listen to all network interfaces.

Kurt Stutsman
  • Presumably you meant `-i any`, as this is Linux rather than OS X. (Either `-i any` or `-i all` works on newer versions of OS X, with Apple's tcpdump and libpcap, although they just document `-i all`.) –  Feb 18 '16 at 14:11
  • @GuyHarris Nice catch. I probably looked at the manpage on the wrong machine. I fixed the answer. – Kurt Stutsman Feb 18 '16 at 14:13

Use -i any to capture data of all interfaces, including loopback ("localhost to localhost")

leongold

You can exclude your own IP (the ssh client IP) by

    tcpdump -tttt -nn 'tcp[tcpflags] & tcp-syn == tcp-syn && ! host <ssh-client-ip>'

For example, if you ssh from 10.2.3.4, then the command should be

    tcpdump -tttt -nn 'tcp[tcpflags] & tcp-syn == tcp-syn && ! host 10.2.3.4'

Hope it helps.

packetie
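Putting the answers together as a small Python monitor, as an added example that is not code from the question or any of the answers: it builds the tcpdump argument list with `-i any` (so loopback SYNs are seen) and the optional `! host` exclusion from the last answer, and parses the `-tttt -nn` output into connection events. The sample output lines are constructed; the optional interface/direction columns (`lo    In`) are an assumption about how newer tcpdump versions print `-i any` captures, and the regex tolerates their absence for older versions. Only the initial `[S]` packet is counted as a connection attempt; the `[S.]` reply is the SYN-ACK, which also matches the BPF filter.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Iterator, List, Optional

# The BPF filter from the question: any segment with the SYN bit set.
SYN_FILTER = "tcp[tcpflags] & tcp-syn == tcp-syn"


def build_tcpdump_cmd(exclude_host: Optional[str] = None, interface: str = "any") -> List[str]:
    """Argument list for tcpdump; '-i any' covers lo as well as the real NICs.
    -l line-buffers stdout so a pipe reader sees events as they happen."""
    bpf = SYN_FILTER
    if exclude_host:
        bpf += f" && ! host {exclude_host}"
    return ["tcpdump", "-i", interface, "-l", "-tttt", "-nn", bpf]


# One -tttt -nn line. The "<iface> In|Out" columns are optional (assumption:
# present on newer tcpdump when capturing on 'any', absent on older versions).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:(?P<iface>\S+)\s+(?P<dir>In|Out)\s+)?"
    r"IP6?\s+(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class SynEvent:
    timestamp: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str
    loopback: bool

    @property
    def is_initial_syn(self) -> bool:
        # "S" is the client's SYN; "S." is the server's SYN-ACK reply.
        return self.flags == "S"


def split_endpoint(endpoint: str):
    """tcpdump prints 'ip.port' for IPv4 and 'addr.port' for IPv6; the port is
    always after the last dot, so rpartition works for both."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_line(line: str) -> Optional[SynEvent]:
    m = LINE_RE.match(line)
    if not m:
        return None  # not a TCP line (ARP, truncated, summary text, ...)
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    loopback = (m["iface"] == "lo") or src_ip.startswith("127.") or src_ip == "::1"
    return SynEvent(m["ts"], src_ip, src_port, dst_ip, dst_port, m["flags"], loopback)


def parse_lines(lines) -> List[SynEvent]:
    return [ev for ev in map(parse_line, lines) if ev is not None]


def run_live(exclude_host: Optional[str] = None) -> Iterator[SynEvent]:
    """Stream events from a real tcpdump (needs capture privileges)."""
    proc = subprocess.Popen(build_tcpdump_cmd(exclude_host), stdout=subprocess.PIPE, text=True)
    for line in proc.stdout:
        ev = parse_line(line)
        if ev is not None and ev.is_initial_syn:
            yield ev


# Constructed sample output: an external ssh handshake, a local 'ssh localhost'
# over lo, and an IPv6 loopback connect to a local database port.
SAMPLE = """\
2016-02-18 14:11:05.123456 IP 10.2.3.4.52344 > 192.168.1.10.22: Flags [S], seq 1, win 29200, length 0
2016-02-18 14:11:05.123789 IP 192.168.1.10.22 > 10.2.3.4.52344: Flags [S.], seq 2, ack 2, win 28960, length 0
2016-02-18 14:11:09.000001 lo    In  IP 127.0.0.1.40000 > 127.0.0.1.22: Flags [S], seq 3, win 43690, length 0
2016-02-18 14:11:09.000050 lo    In  IP 127.0.0.1.22 > 127.0.0.1.40000: Flags [S.], seq 4, ack 4, win 43690, length 0
2016-02-18 14:11:12.5 IP6 ::1.50000 > ::1.5432: Flags [S], seq 5, win 65476, length 0
"""

if __name__ == "__main__":
    print(" ".join(build_tcpdump_cmd("10.2.3.4")))
    for ev in parse_lines(SAMPLE.splitlines()):
        if ev.is_initial_syn:
            where = "loopback" if ev.loopback else "external"
            print(f"{ev.timestamp} {where}: {ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port}")
```

Running the script without arguments only parses the embedded sample; `run_live()` is what you would wire up on the box itself. Note that `! host <ssh-client-ip>` drops every packet to or from that address, so a connection from the same workstation to another service on the server disappears from the log as well; filtering on the SYN flag alone and tagging events as loopback or external, as above, keeps that data while still separating your own session from the rest.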