Sending data from tcpdump with grep to a text file for later analysis


This article applies to:

  • SIEM OE 5.x (DA)
  • SIEM LP

Question:

  • I'm using tcpdump and grep to check on data flow into my SIEM system
  • There is too much data and it scrolls too quickly. How can I save the data so that I can review and analyze it later?

Procedure:

To save the output of a command for later viewing, send its results straight to a text file with the shell's output redirection operator ">" (or ">>", see the note below).

To make the files easy to find later, first use mkdir to create a dedicated directory to store them:

Next, experiment with tcpdump and grep until the filters show just the data you need. Run tcpdump with its -l option so that its output is line-buffered; without it, output to a pipe is block-buffered and nothing reaches grep (or the file) until the buffer fills or the capture ends.

Once the commands and filters are right, run the same command again and add "> /{directory}/{text file name}" at the end to send the results to a text file instead of the screen. If you also want to keep watching the output while it is being saved, pipe it through tee instead: "| tee /{directory}/{text file name}".

Your command should look something like this:

The screenshot below shows how to check a portion of the text file to confirm that output is being written (you may want to change back to the root directory / first so that the file path is shorter to type):

Note:

Once the file has been created, using ">" to send more data to the same file will overwrite what is already there.

To append data to the existing file, use the ">>" operator instead.

The text file keeps only the summary lines that matched your grep pattern. If you will need the packets themselves later (for example to open in Wireshark or to re-read with "tcpdump -r"), also save a capture file with "tcpdump -w".
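The procedure above and the overwrite/append note, put together as one script. This is an added example written for this article; it is not Trustwave's code and does not come from the original page, which showed the commands as screenshots. Everything specific in it is a hypothetical assumption: a SIEM collector receiving syslog on UDP 514, capture interface eth0, a device of interest at 10.0.0.5 and an output directory /tmp/siemcap. It also goes slightly beyond the article by using tcpdump's -l, -n and -c options and grep's --line-buffered so the file fills while the capture is still running and the pipeline stops on its own.

```shell
#!/bin/sh
# Added example for this KB article; not Trustwave's code and not part of
# the original page. Hypothetical assumptions: the SIEM collector receives
# syslog on UDP 514, the capture interface is eth0, the device of interest
# is 10.0.0.5, and files are kept under /tmp/siemcap.
set -u

CAPDIR="${CAPDIR:-/tmp/siemcap}"

# GNU grep can flush each matching line to the file as it arrives
# (--line-buffered); busybox grep cannot, so detect support once.
if grep --help 2>&1 | grep -q -- --line-buffered; then
    GREPBUF=--line-buffered
else
    GREPBUF=
fi

# filter_to_file PATTERN OUTFILE [overwrite|append]
# Reads tcpdump text output on stdin, keeps the lines matching PATTERN and
# writes them to OUTFILE. ">" replaces any existing file, ">>" adds to it.
# grep exit status 1 only means "no match" and is not treated as an error;
# status 2 (unreadable input, unwritable file) still fails.
filter_to_file() {
    pattern=$1; outfile=$2; mode=${3:-overwrite}
    if [ "$mode" = append ]; then
        grep $GREPBUF -- "$pattern" >> "$outfile" || [ $? -eq 1 ]
    else
        grep $GREPBUF -- "$pattern" > "$outfile" || [ $? -eq 1 ]
    fi
}

# capture_to_file IFACE BPF_FILTER PATTERN OUTFILE [COUNT]
# The real capture. Needs root (or CAP_NET_RAW) and tcpdump on PATH.
#  -l  line-buffers tcpdump's stdout so grep sees each packet immediately;
#      otherwise the pipe is block-buffered and the file can stay empty
#      until the buffer fills or the capture ends.
#  -n  skips reverse DNS lookups, which slow the output and send extra
#      queries out of the box while you are capturing.
#  -c  stops after COUNT packets so the pipeline terminates on its own.
capture_to_file() {
    iface=$1; bpf=$2; pattern=$3; outfile=$4; count=${5:-500}
    mkdir -p "$(dirname "$outfile")"
    tcpdump -l -n -i "$iface" -c "$count" "$bpf" | filter_to_file "$pattern" "$outfile"
}

# saved_lines FILE -> number of lines saved so far, for a quick check
saved_lines() {
    wc -l < "$1" | tr -d ' '
}

# demo: runs filter_to_file over constructed tcpdump-style lines (no capture
# or root needed) and reports the line count after the first write, after a
# second ">" write (overwrite) and after a ">>" write (append): "2 2 3".
demo() {
    sample=$(mktemp); out=$(mktemp)
    # Constructed sample output in tcpdump's default text format (not real traffic).
    cat > "$sample" <<'EOF'
12:00:01.000100 IP 10.0.0.5.51000 > 10.0.0.9.514: UDP, length 120
12:00:01.100200 IP 10.0.0.7.51001 > 10.0.0.9.514: UDP, length 88
12:00:01.200300 IP 10.0.0.5.51000 > 10.0.0.9.514: UDP, length 90
EOF
    filter_to_file '10.0.0.5' "$out" < "$sample";        a=$(saved_lines "$out")
    filter_to_file '10.0.0.5' "$out" < "$sample";        b=$(saved_lines "$out")   # ">" replaced the file
    filter_to_file '10.0.0.7' "$out" append < "$sample"; c=$(saved_lines "$out")   # ">>" added to it
    rm -f "$sample" "$out"
    echo "$a $b $c"
}

# Real run, for example:  sudo sh save_capture.sh capture
# saves the first 200 syslog packets from 10.0.0.5 to /tmp/siemcap/syslog.txt
if [ "${1:-}" = capture ]; then
    capture_to_file eth0 'udp port 514' '10.0.0.5' "$CAPDIR/syslog.txt" 200
    echo "saved $(saved_lines "$CAPDIR/syslog.txt") lines to $CAPDIR/syslog.txt"
fi
```

Run the script with no arguments and call demo to see the overwrite and append behaviour on the constructed lines; the capture branch only works as root with a real interface. The BPF filter ('udp port 514') does the heavy cutting inside tcpdump, and grep is used only for the finer text match, which keeps the amount of output (and the size of the file) manageable.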


Last Modified 1/11/2015.
https://support.trustwave.com/kb/KnowledgebaseArticle16418.aspx