Log all activities of a device

Hello,

I want to record all network activity of one device to a USB flash drive.
In fact, I would like to know what IPs it connects to and what ports are used.

Have you already done this before?
Can you help me?

Here is what I think I should do :

  1. Enable logging for the zone in which the device is located, right?
  2. Install tcpdump
  3. Script: a tcpdump command that logs the activity of the device
  4. Launch the script with the USB key as the destination

Thank you for your help.

Better use the iptables LOG target.

  1. Redirect the system log to an external USB drive.
  2. Insert the following in /etc/firewall.user:

# Device IP address
IP="192.168.2.135" # Example

# Log traffic device => router
iptables -A input_rule -s "$IP" -m limit --limit 5/sec -j LOG --log-prefix "router:"

# Log traffic device => internet
iptables -A forwarding_rule -s "$IP" -m limit --limit 5/sec -j LOG --log-prefix "internet:"

  3. Restart the firewall service.
  4. Check the logs:

logread -e internet; logread -e router
1 Like

@pavelgl Thank you very much.

In fact, it's hard to read it well in a shell.
I would like to take the logs and view them on my computer in an Excel table, or in another program that can put them in a table so I can filter and view the lines I need.
Do you know how I can manage to do that?

The logs are just text files, so you can import those into Excel.

You may have to do some formatting work.

1 Like
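As an added example (not code from any of the posters above), here is a parser for the iptables LOG lines produced by the two rules in the earlier answer, in the form `logread` prints them, turning them into a CSV that Excel or any spreadsheet can open, sort and filter, plus a small summary of which destination IPs and ports the device talked to. The lines in `SAMPLE_LOG` are constructed; the timestamp layout, interface names, MAC and IP addresses are assumptions for illustration.

```python
"""Turn iptables LOG lines (as printed by OpenWrt's logread) into a CSV table."""
import csv
import io
import re
import sys
from collections import Counter

# Constructed sample of what `logread -e internet; logread -e router` prints
# for the "router:" / "internet:" rules. Timestamps, interfaces and addresses
# are made up for illustration; the field layout is the kernel's LOG format.
SAMPLE_LOG = """\
Tue Mar  5 10:12:01 2024 kern.warn kernel: [12345.678] internet:IN=br-lan OUT=eth0 MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.2.135 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Tue Mar  5 10:12:02 2024 kern.warn kernel: [12346.001] internet:IN=br-lan OUT=eth0 MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.2.135 DST=8.8.8.8 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=40001 DPT=53 LEN=51
Tue Mar  5 10:12:03 2024 kern.warn kernel: [12347.250] router:IN=br-lan OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.2.135 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Tue Mar  5 10:12:04 2024 kern.info kernel: [12348.000] unrelated kernel line without our prefix
"""

# One logread line: timestamp, facility.level, "kernel:", uptime in brackets,
# then our --log-prefix ("internet:" or "router:") followed by the LOG fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) "
    r"kern\.\w+ kernel: \[\s*[\d.]+\] "
    r"(?P<prefix>internet|router):(?P<rest>.*)$"
)
# KEY=VALUE tokens; bare flags such as DF or SYN are skipped. An empty value
# (OUT= for traffic to the router itself) is matched by \S*.
KV_RE = re.compile(r"(\w+)=(\S*)")

COLUMNS = ["timestamp", "direction", "in_if", "out_if",
           "src", "dst", "proto", "spt", "dpt"]


def parse_line(line):
    """Return one CSV row (dict) for a LOG line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "timestamp": m.group("ts"),
        "direction": m.group("prefix"),   # "internet" = forwarded, "router" = to the router
        "in_if": fields.get("IN", ""),
        "out_if": fields.get("OUT", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "spt": fields.get("SPT", ""),     # empty for ICMP
        "dpt": fields.get("DPT", ""),
    }


def parse_log(text):
    """Parse a whole log file, keeping only the lines our rules produced."""
    rows = (parse_line(l) for l in text.splitlines())
    return [r for r in rows if r is not None]


def to_csv(rows):
    """Render rows as CSV text with a header line, ready for Excel."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def summarize(rows):
    """Count packets per (dst, proto, dpt): the IPs and ports the device used."""
    return Counter((r["dst"], r["proto"], r["dpt"]) for r in rows)


if __name__ == "__main__":
    # Usage: python3 iptlog2csv.py /path/to/messages > device.csv
    # (script name hypothetical); with no argument the constructed sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    rows = parse_log(text)
    sys.stdout.write(to_csv(rows))
    for (dst, proto, dpt), n in summarize(rows).most_common():
        sys.stderr.write(f"{dst:<16} {proto:<5} {dpt:<6} {n} packet(s)\n")
```

Copy the log file off the USB drive and run the script on your computer, redirecting standard output to a `.csv` file. Two caveats when reading the table: each row is one packet, not one connection, and the `-m limit --limit 5/sec` in the rules silently drops log lines above that rate, so the counts are a lower bound. If you only want one line per connection, add a `-m conntrack --ctstate NEW` match in front of the LOG target so that only the first packet of each flow is logged.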

@anon89577378, I know it's a text file. Thanks.

I wanted to know if you know of good software that puts the iptables logs into a readable form with colors and columns?

Sorry I don't.

@anon50098793 What about that picture ?

You want something sortable with fancy columns, right?

Not sure how I can make it much clearer for you...

Ok, thanks.
I'll look at it ASAP.

1 Like

Some caveats...

  • the PC the traffic is mirrored to has to be on all the time
    (so it may or may not be suitable for long-term use depending on your environment; if not, see adblock for tcpdump header-only capture to file)
  • it does not currently support IPv6 or concurrent dual-stack capture (I have a hack for the former if you need it, and it would only take a line or two to support the latter)