Wireshark - Capture syslog traffic from local workstation
IMO the easiest way is to capture UDP port 514: udp.port==514
Alternatively, you can try to capture all traffic going to ip.addr=="Your Syslog Server"
dmckenna
Updated on September 18, 2022
Comments
-
dmckenna over 1 year
I am using Wireshark version 1.10.3 on Windows 7 x64 Enterprise. I am trying to capture all outbound UDP traffic, in particular syslog traffic.
I have tried a capture filter UDP, but all I can see is DNS and NTP traffic.
I have used the following script to send UDP messages to a remote syslog server.
# syslog_server_ip is a placeholder for the address of the remote syslog server
$syslogClient = New-Object System.Net.Sockets.UdpClient syslog_server_ip, 514
$message = "Test syslog $(Get-Date)"
# Syslog over UDP is sent as raw bytes; encode the text as ASCII
[byte[]] $rawMSG = $(New-Object System.Text.ASCIIEncoding).GetBytes($message)
# Send one datagram and release the socket
$syslogClient.Send($rawMSG, $rawMSG.Length)
$syslogClient.Close()
The messages get to the syslog server but I cannot see them within the wireshark capture window.
Has anybody managed to capture outbound syslog messages within wireshark, or is there something that I am missing?
Regards, David
-
mfinni over 10 years: Also, post your capture filter.
-
Zoredache over 10 years: Those are display filters, not capture filters.
-
dmckenna over 10 years: Used NO capture filter and set display filter to udp.port==514. I have also reinstalled my OS since and have a clean install of Wireshark. It's working perfectly now. Thanks guys!
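The distinction the comments settle on is that Wireshark has two filter languages: a capture filter uses libpcap/BPF syntax (udp port 514) and decides what gets recorded at all, while a display filter (udp.port == 514) only hides rows of packets that were already captured. Entering the display-filter form in the capture-filter box is rejected as invalid BPF, and entering the BPF form in the display-filter box matches nothing. The script below is an added example, not code from the question or the answer: it does in Python what the PowerShell snippet in the question does (build and send a syslog datagram over UDP), and additionally receives the datagram on a loopback listener and decodes the PRI field, so the sender can be verified end to end without a sniffer. The hostname ws01, the tag wstest, the message text and the facility/severity values are constructed test values; the listener binds an ephemeral port instead of 514 because binding 514 needs elevated privileges.

```python
"""Generate, send and receive syslog test traffic over UDP (added example)."""
import re
import socket
from datetime import datetime

# Wireshark filter syntax for the same traffic, for reference:
#   capture filter (BPF, applied while capturing):   udp port 514
#   display filter (applied to captured packets):    udp.port == 514
SYSLOG_PORT = 514

# RFC 3164 codes used by the stand-alone run (constructed test values)
FACILITY_USER = 1
SEVERITY_NOTICE = 5


def build_syslog_message(facility, severity, hostname, tag, text, when=None):
    """Build an RFC 3164 style datagram: <PRI>Mmm dd hh:mm:ss host tag: text

    PRI is facility * 8 + severity. The day of month is space padded, as the
    RFC requires, so the timestamp is always 15 characters.
    """
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    when = when or datetime.now()
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}".encode("ascii")


_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(datagram):
    """Return (facility, severity) from a datagram's PRI field, or None if malformed."""
    m = _PRI_RE.match(datagram)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    return divmod(pri, 8)


def send_syslog(payload, host, port=SYSLOG_PORT):
    """Send one UDP datagram; returns the number of bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port))


def loopback_roundtrip(payload, timeout=2.0):
    """Receive on a loopback listener what send_syslog() transmits.

    Binds an ephemeral port on 127.0.0.1 (port 514 needs elevated privileges)
    and returns the datagram the listener saw, so the sender can be checked
    without a packet capture.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        send_syslog(payload, "127.0.0.1", port)
        data, _ = listener.recvfrom(2048)
    return data


if __name__ == "__main__":
    msg = build_syslog_message(FACILITY_USER, SEVERITY_NOTICE, "ws01", "wstest", "Test syslog")
    seen = loopback_roundtrip(msg)
    print(seen.decode("ascii"), "facility/severity:", parse_pri(seen))
```

To reproduce the question's setup, point send_syslog() at the real server on port 514 and run Wireshark with no capture filter (or the BPF capture filter udp port 514) and the display filter udp.port == 514; the loopback path only exists so the sender can be tested on a machine without a syslog server.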