Understanding localhost.webcache in tcpdump – Networking Insights

Tags: localhost, logging, networking, rsyslog, tcpdump

I'm trying to verify that a user is actually logging into my machine and I figured out that looking at tcpdump would be reasonable. I'm using the new omhttp module for Rsyslog to send logs via http from localhost to localhost (dest is localhost:8080/events).

tcpdump is called with the following command:
sudo tcpdump -i lo port 8080
Then I generated some logs by echoing to logger, and I get output like this:

21:56:25.807778 IP localhost.40250 > localhost.webcache: Flags [P.], seq 2809:2965, ack 327, win 350, options [nop,nop,TS val 3037939874 ecr 3037939649], length 156
21:56:25.807789 IP localhost.webcache > localhost.40250: Flags [.], ack 2965, win 501, options [nop,nop,TS val 3037939874 ecr 3037939874], length 0

It seems like I'm generating traffic, but what is the localhost.webcache? I've never seen anything like this before and my cursory searches around the network don't bring any enlightenment.

Best Answer

webcache is the name of the port number, as listed in /etc/services, in this case 8080. Use -n if you want to see actual numbers.
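
The name-to-port mapping described in the answer, shown as an added example that is not part of the original question or answer: it parses text in /etc/services format and rewrites the service names in saved tcpdump lines back to port numbers. The services excerpt is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed excerpt in /etc/services format: name, port/protocol, aliases, comment.
SAMPLE_SERVICES = """\
# service-name  port/protocol  [aliases ...]  [# comment]
http            80/tcp          www             # constructed entry
https           443/tcp                         # constructed entry
http-alt        8080/tcp        webcache        # constructed entry with an alias
"""

# The two capture lines quoted in the question.
SAMPLE_CAPTURE = [
    "21:56:25.807778 IP localhost.40250 > localhost.webcache: Flags [P.], "
    "seq 2809:2965, ack 327, win 350, length 156",
    "21:56:25.807789 IP localhost.webcache > localhost.40250: Flags [.], "
    "ack 2965, win 501, length 0",
]

def parse_services(text, proto="tcp"):
    """Map every service name and alias to its port number for one protocol."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop the trailing comment
        if len(fields) < 2 or "/" not in fields[1]:
            continue                              # blank or malformed line
        port, line_proto = fields[1].split("/", 1)
        if line_proto != proto or not port.isdigit():
            continue
        for name in [fields[0]] + fields[2:]:     # canonical name, then aliases
            table.setdefault(name, int(port))
    return table

# tcpdump prints each endpoint as host.port; the port follows the last dot.
ENDPOINT = re.compile(r"(?<=IP )(\S+)\.([\w-]+) > (\S+)\.([\w-]+)(?=:)")

def numeric_ports(line, table):
    """Rewrite service names in one tcpdump line back to port numbers."""
    def fix(match):
        src_host, src_port, dst_host, dst_port = match.groups()
        src = table.get(src_port, src_port)       # already-numeric ports pass through
        dst = table.get(dst_port, dst_port)
        return f"{src_host}.{src} > {dst_host}.{dst}"
    return ENDPOINT.sub(fix, line)

if __name__ == "__main__":
    services = parse_services(SAMPLE_SERVICES)
    for captured in SAMPLE_CAPTURE:
        print(numeric_ports(captured, services))
```

Host names are left as printed; only the port part of each endpoint is rewritten.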
