We can use tshark to view traffic that reaches an interface. In my example I am looking for SYSLOG messages from a firewall destined to my instance of LibreNMS. LibreNMS listens for UDP traffic on port 514 of the eth0 interface from a specific IP address.
We'd like to filter traffic by source IP address and protocol type.
Specify the interface
-i eth0
Show full packet details for the UDP layer only (-O is a display option, not a filter; it does not limit which packets are captured)
-O UDP
Stop after a fixed number of packets
-c 100
Write the packets to a file for later review
-w capture.pcap
Use a display filter to limit the view to a specific source IP (in current tshark releases -R is a two-pass read filter that needs -2; -Y applies a display filter in a single pass)
-R "ip.src==172.16.0.1"
Here's the final product
tshark -i eth0 -O UDP -c 100 -w capture.pcap host a.b.c.d
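As an added example (not the author's command), the same workflow split into two stages: a capture stage that uses a BPF capture filter (-f) so only UDP/514 from the firewall is written to disk, and a review stage that reads the file back with a display filter (-Y) and prints the decoded syslog fields. The interface name, the firewall address 172.16.0.1, the packet count and the file name are assumed from this page; the syslog.* field names are Wireshark's own.

```shell
#!/bin/sh
# Two-stage tshark workflow for syslog bound for LibreNMS (added example).
# Stage 1 writes only the traffic of interest to a pcap; stage 2 decodes it.
# eth0, 172.16.0.1, 100 and capture.pcap are assumed values from the page.

# Accept only a dotted-quad IPv4 address (each octet 0-255) before it is
# spliced into a filter expression.
valid_ipv4() {
  echo "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# BPF capture filter: packets from the firewall to UDP destination port 514.
# Prints nothing and returns 1 if the address is malformed.
capture_filter() {
  valid_ipv4 "$1" || return 1
  echo "src host $1 and udp dst port 514"
}

# Wireshark display filter for the review pass: same source, syslog only.
display_filter() {
  valid_ipv4 "$1" || return 1
  echo "ip.src==$1 && syslog"
}

# Stage 1: capture <count> matching packets from <iface> into <outfile>.
# Needs capture privileges (root or the wireshark group).
capture_syslog() {   # usage: capture_syslog eth0 172.16.0.1 100 capture.pcap
  f=$(capture_filter "$2") || { echo "bad IPv4 address: $2" >&2; return 1; }
  tshark -i "$1" -f "$f" -c "$3" -w "$4"
}

# Stage 2: read the saved file and print one line per syslog message with
# its timestamp, facility, severity and text.
review_syslog() {    # usage: review_syslog 172.16.0.1 capture.pcap
  d=$(display_filter "$1") || { echo "bad IPv4 address: $1" >&2; return 1; }
  tshark -r "$2" -Y "$d" -T fields \
    -e frame.time -e syslog.facility -e syslog.level -e syslog.msg
}
```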