I'm using the following command to capture incoming and outgoing TCP packets by port:
tcpdump -i any -s 0 -vvv -A port 3727 or port 5016 or port 3724 -w /home/admin/dump1.cap
But tcpdump captures only incoming packets; I need incoming and outgoing packets at the same time. Does anybody know where my mistake is?
Thanks in advance.
This can happen if your traffic is going through an IPsec tunnel (check whether this is the case by running ipsec statusall). To capture decrypted packets you can add iptables rules to forward IPsec traffic to the nflog interface:
iptables -t mangle -I PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5
Then tcpdump the nflog interface:
tcpdump -i nflog:5 -y IPV4 -s0 -A port 3727 or port 5016 or port 3724
Remember to remove the nflog rules when you're done!
iptables -t mangle -D PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t mangle -D POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5
Source: https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
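The answer's procedure, wrapped in a script, as an added example that is not part of the original post or of the strongSwan wiki it cites. It keeps one rule specification for both insert and delete (a mismatch between the -I and -D arguments is the usual reason the "remember to remove the rules" step silently fails), refuses to insert a duplicate rule, and uses a trap so the mangle-table rules are removed even when tcpdump is interrupted. The group number, ports and output path are the ones from the thread; the function names, the run guard and the assumption that the host has iptables with the policy match and NFLOG target plus a tcpdump built with nflog support are mine.

```shell
#!/bin/sh
# Added example (not from the original post): NFLOG capture of decrypted
# IPsec traffic with guaranteed cleanup of the iptables rules. Run as root.
# Assumes: iptables with the "policy" match and NFLOG target, tcpdump with
# nflog support, and a strongSwan-style xfrm policy setup.

NFLOG_GROUP=5                                   # group used in the answer
FILTER="port 3727 or port 5016 or port 3724"    # ports from the question
OUTFILE="/home/admin/dump1.cap"                 # path from the question

# Chain and policy direction must agree: decrypted inbound traffic is seen
# in PREROUTING, outbound traffic before encryption in POSTROUTING.
chain_for_dir() {
    case "$1" in
        in)  echo PREROUTING ;;
        out) echo POSTROUTING ;;
        *)   return 1 ;;
    esac
}

# Build the rule once so that -C, -I and -D all receive identical
# arguments. $1 = chain, $2 = policy direction (in|out).
nflog_rule_spec() {
    echo "$1 -m policy --pol ipsec --dir $2 -j NFLOG --nflog-group $NFLOG_GROUP"
}

nflog_rules_add() {
    for dir in in out; do
        chain=$(chain_for_dir "$dir") || return 1
        # -C reports whether an identical rule already exists; only insert
        # when it does not, so repeated runs do not stack rules.
        iptables -t mangle -C $(nflog_rule_spec "$chain" "$dir") 2>/dev/null ||
            iptables -t mangle -I $(nflog_rule_spec "$chain" "$dir")
    done
}

nflog_rules_del() {
    for dir in in out; do
        chain=$(chain_for_dir "$dir") || continue
        # Delete until no matching rule is left (handles leftovers from
        # earlier runs that were not cleaned up).
        while iptables -t mangle -D $(nflog_rule_spec "$chain" "$dir") 2>/dev/null; do
            :
        done
    done
}

nflog_capture() {
    nflog_rules_add || return 1
    # Remove the rules on normal exit, Ctrl-C or termination.
    trap 'nflog_rules_del' EXIT INT TERM
    # -y IPV4 selects the raw IPv4 link type on the nflog pseudo-interface,
    # as in the answer; $FILTER is intentionally unquoted so it splits into
    # separate filter tokens.
    tcpdump -i "nflog:$NFLOG_GROUP" -y IPV4 -s 0 -w "$OUTFILE" $FILTER
}

# Only start capturing when explicitly asked (./script run); otherwise the
# file just defines the functions above.
if [ "${1:-}" = "run" ]; then
    nflog_capture
fi
```

Start it with `sh nflog-capture.sh run` and stop tcpdump with Ctrl-C; the trap removes both mangle rules before the script exits. Running `iptables -t mangle -S PREROUTING` afterwards should no longer list an NFLOG rule.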