0
votes

I am trying to send some syslogs from server A to another server B on port 514. When running a tcpdump on server A, I can see that the logs are being sent on port 514 with destination IP address of server B.

On server B, I couldn't see any trace of logs coming in while doing tcpdump. After further investigation I noticed that server B is not listening on port 514 as it should be.

My question is whether tcpdump must capture those packets regardless of whether server B is listening on port 514 or not.

1
Yes, it captures packets even if the host doesn't have a listening socket open. What tcpdump command did you run on server B? - John Kugelman

1 Answer

0
votes

Of course, if you run tcpdump only on server A, then whether or not server B listens on that port has no bearing on which ports the tcpdump on A records.

As you have diagnosed, the real operational problem is not tcpdump, but rather that server B is not operating as needed. Without an open TCP port on server B (or with that port blocked by some firewall), you cannot initiate a TCP session, and so you cannot send any messages that the other side actually acknowledges.
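
Added example (not part of the original question or answer): a shell helper for server B that combines the two observations discussed above, packets seen by tcpdump and listening sockets reported by `ss -H -lntu`. It checks both TCP and UDP because the question does not say which transport the syslog sender uses. The function names and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -H -lntu` output: nothing is listening on port 514.
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*'

# listeners_on PORT: read `ss -H -lntu` output on stdin and print which
# protocols (tcp, udp) have a listening socket on PORT, or "none".
listeners_on() {
    awk -v port="$1" '
        {
            # Field 5 is the local address; the port follows the last colon,
            # which also handles IPv6 forms such as [::]:514.
            n = split($5, parts, ":")
            if (parts[n] == port) seen[$1] = 1
        }
        END {
            out = ""
            if (seen["tcp"]) out = "tcp"
            if (seen["udp"]) out = (out == "" ? "udp" : out " udp")
            print (out == "" ? "none" : out)
        }'
}

# diagnose PORT PACKETS: PACKETS is the number of packets tcpdump captured
# for PORT on this host; `ss` output is read from stdin.
diagnose() {
    port=$1
    packets=$2
    protos=$(listeners_on "$port")
    if [ "$packets" -eq 0 ]; then
        echo "no packets for port $port captured: check the capture interface/filter and the path from the sender"
    elif [ "$protos" = "none" ]; then
        echo "packets reach the host but no listener on port $port: start or reconfigure the syslog daemon"
    else
        echo "packets reach the host and a listener exists ($protos): check the host firewall and daemon rules"
    fi
}

# On a real server B (as root), the inputs would come from:
#   count=$(timeout 30 tcpdump -ni any -c 5 port 514 2>/dev/null | wc -l)
#   ss -H -lntu | diagnose 514 "$count"
printf '%s\n' "$SAMPLE_SS" | diagnose 514 3
```
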