Tags: python, linux, sockets, tcp, tcpdump

How do I capture SYN tcpdump packets within a Linux server?
I'm trying to process all server connections using tcpdump using python and it was working very well using this command:

tcpdump -tttt -nn 'tcp[tcpflags] & tcp-syn == tcp-syn'

Here is what it captures:

  • Any connections to and from the server from another machine
  • Running on the box, it will log a telnet to port 22

Here is what it doesn't:

  • if I run ssh localhost
  • anytime any server (or most processes) on the machine syn's to a listen port on the same machine

So I'm getting all traffic from the outside in and inside out, but nothing that is happening within the machine.

I think I got some of the flags wrong, but I'm not sure what. Any ideas? I'm simply trying to monitor server connection activity inside a machine, but only getting a log when it's external.

Solution

  • Use -i any to capture data on all interfaces, including loopback ("localhost to localhost")
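As an added example (not part of the original question or answer), here is a small Python monitor that runs tcpdump with -i any plus the SYN filter from the question and parses the -tttt -nn output lines into records. Two things worth knowing when doing this: newer tcpdump prints an interface name and direction column (e.g. "lo In") for -i any, which the parser treats as optional, and the filter tcp[tcpflags] & tcp-syn == tcp-syn also matches SYN-ACK replies, so the parser labels those separately. The function names and the constructed sample lines in the test are my own.

```python
import re
import subprocess

# "-tttt -nn" line layout, with or without the interface and direction columns
# that newer tcpdump prints for "-i any" (e.g. "lo    In  IP ...").
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:(?P<iface>\S+)\s+(?P<dir>In|Out|P|B|M)\s+)?"
    r"IP6?\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def tcpdump_argv(interface="any"):
    """Capture command; "-i any" is what makes loopback connections visible.
    The filter keeps every packet with the SYN bit set, so SYN-ACK replies
    are included too; parse_line tells the two apart by the Flags column."""
    return ["tcpdump", "-l", "-tttt", "-nn", "-i", interface,
            "tcp[tcpflags] & tcp-syn == tcp-syn"]


def split_endpoint(endpoint):
    """tcpdump writes 'host.port'; the port follows the last dot, which also
    works for IPv6 endpoints such as '::1.22'."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_line(line):
    """Turn one tcpdump output line into a record, or None for other output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    return {
        "time": m.group("ts"),
        "iface": m.group("iface"),  # None when tcpdump omits the column
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        # "S" is the opening SYN; "S." is the listener's SYN-ACK reply.
        "kind": "syn-ack" if "." in m.group("flags") else "syn",
    }


def monitor(interface="any"):
    """Yield records as tcpdump prints them (needs root or CAP_NET_RAW)."""
    proc = subprocess.Popen(tcpdump_argv(interface), stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL, text=True)
    for line in proc.stdout:
        rec = parse_line(line)
        if rec:
            yield rec
```

Running `for rec in monitor(): print(rec)` as root prints one record per SYN or SYN-ACK, loopback connections such as ssh localhost included.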