IBM Support

QRadar: Tcpdump with grep to capture specific syslog packet

Question & Answer


How do you use tcpdump with grep to capture specific syslog packets on QRadar systems?


When performing a tcpdump command it can be useful to grep the contents for a specific string. However, this will print the payload and hide the source and destination headers.


When using tcpdump with grep, use the -C (uppercase) flag with a value like 10 in order for the packet header information to be displayed. This will show 10 lines before the matched line and 10 lines after. The following command is a basic tcpdump template that includes grep:

tcpdump -nnAs0 -i <interface> host <host ip> and port <port> | grep -C 10 -i <grep pattern>

For example, you are investigating which managed host is sending rsync timeout messages to the console. You are unable to find this information in the event payload on the console nor from the source and destination IP addresses. You can run the following command to capture the packets that are associated with the messages:

tcpdump -nnAs0 -i eth0 port 514 | grep -C 10 -i rsync

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Network Activity","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.1;7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
07 January 2021