Hi All, How can i filter packets using "capture filter" to filter syslog packets ? Thanks asked 20 Jun '11, 02:52  nirh |
One Answer:
so try "udp port 514" or "udp port syslog". answered 20 Jun '11, 11:35  Guy Harris ♦♦ |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
[[email protected]:Active] / # grep syslog /etc/servicessyslog 514/udpsyslog-conn 601/tcp # Reliable Syslog Servicesyslog-conn 601/udp # Reliable Syslog Service[[email protected]:Active] / #So you might want to use the filter "udp port 514 or port 601"
Note that the Reliable Syslog Service, as specified by RFC 3195, is very different from traditional syslog; it runs over BEEP, which runs over TCP.
While Wireshark has a BEEP dissector, it doesn't specifically know about the Reliable Syslog Service, so it might not dissect that as desired.
OK, learned something today, I did not know there was the BEEP protocol in between, actually, I did not know the reliable syslog service was more than just syslog over TCP.
On my NetScreen I can use syslog over TCP, but by default that uses port 514 as it turns out. I did not check the port before on my NetScreen, so I just grepped in my virtual F5 box (on which I was logged in anyways) and assumed 601 was for syslog over TCP.
So all-in-all one might want to capture with "port 514 or tcp port 601" :-)