IBM Support

QRadar: Tcpdump with grep to capture specific syslog packet

Question & Answer


Question

How do you use tcpdump with grep to capture specific syslog packets on QRadar systems?

Cause

When running tcpdump, it can be useful to grep the output for a specific string. However, grep prints only the lines that match, which are normally payload lines, so the packet header line that carries the source and destination addresses is hidden.

Answer

When using tcpdump with grep, use grep's -C (uppercase) context option with a value such as 10 so that the packet header information is displayed: grep then prints 10 lines before and 10 lines after each matched line. Note that -C here is an option of grep, not of tcpdump. The following command is a basic tcpdump template that includes grep:

tcpdump -nnAs0 -i <interface> host <host ip> and port <port> | grep -C 10 -i <grep pattern>

For example, you are investigating which managed host is sending rsync timeout messages to the console. You are unable to find this information in the event payload on the console or from the source and destination IP addresses. You can run the following command to capture the packets that are associated with the messages:

tcpdump -nnAs0 -i eth0 port 514 | grep -C 10 -i rsync
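The grep -C approach prints a fixed window of lines, which can miss the header for large payloads or include unrelated packets. As an added example (not part of the IBM page), the shell function below reads tcpdump -A output and prints, for each packet whose payload matches the pattern, the packet's own header line (timestamp, source > destination) followed by the matching line. It assumes tcpdump's default timestamp format and runs here on a constructed sample rather than a live capture.

```shell
#!/bin/sh
# syslog_match PATTERN: read `tcpdump -nnAs0 -l ...` output on stdin and, for
# every packet whose payload matches PATTERN (case-insensitive), print the
# packet header line followed by the matching payload line. It keys on the
# header line instead of a fixed line count, so the source host is always shown.
syslog_match() {
    pattern="$1"
    awk -v pat="$pattern" '
        # A tcpdump header line starts with an HH:MM:SS.usec timestamp.
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ / { hdr = $0; shown = 0; next }
        # Payload line: compare case-insensitively, print the header once per packet.
        tolower($0) ~ tolower(pat) {
            if (!shown && hdr != "") { print hdr; shown = 1 }
            print "    " $0
        }'
}

# Constructed sample of `tcpdump -nnAs0 -i eth0 port 514` output (not a real
# capture): two syslog packets from two managed hosts, one mentioning rsync.
SAMPLE='12:00:01.000100 IP 10.0.0.11.41234 > 10.0.0.1.514: UDP, length 72
E..d..@.@...
<13>Jan  1 12:00:01 mh11 hostcontext: rsync timeout while syncing config
12:00:02.000200 IP 10.0.0.12.41235 > 10.0.0.1.514: UDP, length 58
E..R..@.@...
<13>Jan  1 12:00:02 mh12 tomcat: health check ok'

# Demo on the constructed sample; prints only the 10.0.0.11 packet.
printf '%s\n' "$SAMPLE" | syslog_match rsync
```

On a live system, pipe the capture in with `tcpdump -nnAs0 -l -i eth0 port 514 | syslog_match rsync`; the -l flag makes tcpdump line-buffer its output so matches appear promptly through the pipe.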


Document Information

Modified date:
07 January 2021

UID

swg21990653