Matching all outgoing (and only outgoing) traffic with tcpdump

Task: match all outgoing traffic, excluding the local services (e.g. ports 80, 22, 25). This turned out not to be as simple as it could have been. Moreover, contrary to the manpage, my tcpdump does not seem to support "portrange". Fortunately, one can do something like this instead: tcp[0:2] for the source port and tcp[2:2] for the destination port.

The final rule is as follows: tcpdump -n -i eth0 "(udp and ( ((dst host $MYIP) and (udp[2:2] >= 1024)) or ((src host $MYIP) and (udp[0:2] >= 1024)) )) or (tcp and ( ((dst host $MYIP) and (tcp[2:2] >= 1024)) or ((src host $MYIP) and (tcp[0:2] >= 1024)) ) and (not port (9030||9001)))"
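To show what the byte-offset predicates in that filter actually test, here is an added Python replica of the same logic run over a few constructed IPv4 packets; it is example code written for this page, not part of the original post. The host address 192.0.2.10 stands in for $MYIP and the sample packets are constructed; the excluded ports 9030 and 9001 are the ones from the rule above. It mirrors the rule as written: the source port is read at transport offset 0 and the destination port at offset 2 (tcpdump's tcp[0:2] and tcp[2:2], which are relative to the start of the transport header, so IP options do not shift them), the "dst host ... and dport >= 1024" branch catches the replies to the host's own connections, and the "not port" clause applies only to the TCP half, exactly as the parentheses in the rule place it.

```python
import struct
import ipaddress

# Constructed sample host address, standing in for $MYIP in the post.
MYIP = "192.0.2.10"
# Ports the post's rule excludes from its TCP half.
EXCLUDED_PORTS = {9030, 9001}


def build_ipv4(src, dst, proto, payload, options=b""):
    """Build a minimal IPv4 header (plus optional IP options) in front of a transport payload."""
    ihl = 5 + len(options) // 4              # header length in 32-bit words
    total = 20 + len(options) + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + options + payload


def build_tcp(sport, dport):
    """Minimal TCP header: source port at offset 0, destination port at offset 2."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_udp(sport, dport, payload=b""):
    """Minimal UDP header: same port layout as TCP in the first four bytes."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def matches_filter(packet, myip=MYIP):
    """Replicate the post's tcpdump filter on a raw IPv4 packet (no link-layer header)."""
    if packet[0] >> 4 != 4:
        return False                         # this replica, like the byte-offset filter, is IPv4-only
    ihl = (packet[0] & 0x0F) * 4             # honour IP options when locating the transport header
    proto = packet[9]
    src = str(ipaddress.ip_address(packet[12:16]))
    dst = str(ipaddress.ip_address(packet[16:20]))
    if proto not in (6, 17):                 # "tcp" / "udp" qualifiers
        return False
    transport = packet[ihl:]                 # tcpdump's tcp[n]/udp[n] index from here
    sport, dport = struct.unpack("!HH", transport[:4])   # tcp[0:2] and tcp[2:2]
    ephemeral = (dst == myip and dport >= 1024) or (src == myip and sport >= 1024)
    if proto == 17:
        return ephemeral
    # The TCP half additionally drops the excluded ports in either direction ("not port").
    return ephemeral and sport not in EXCLUDED_PORTS and dport not in EXCLUDED_PORTS


# Constructed sample packets covering the cases the rule is meant to separate.
SAMPLES = {
    # outbound connection from an ephemeral port: matches (src host MYIP, sport >= 1024)
    "client_out": build_ipv4(MYIP, "198.51.100.7", 6, build_tcp(51000, 443)),
    # reply to that connection: matches (dst host MYIP, dport >= 1024)
    "client_reply": build_ipv4("198.51.100.7", MYIP, 6, build_tcp(443, 51000)),
    # someone connecting to the local SSH service: dport 22 < 1024, not matched
    "inbound_ssh": build_ipv4("198.51.100.7", MYIP, 6, build_tcp(40000, 22)),
    # the local SSH server's reply: sport 22 < 1024, not matched
    "ssh_reply": build_ipv4(MYIP, "198.51.100.7", 6, build_tcp(22, 40000)),
    # outbound to a port the rule excludes explicitly
    "excluded": build_ipv4(MYIP, "198.51.100.7", 6, build_tcp(51001, 9001)),
    # outbound DNS query over UDP
    "dns_out": build_ipv4(MYIP, "198.51.100.53", 17, build_udp(53001, 53)),
    # same query with four NOP IP options: transport header shifts, offsets still correct
    "dns_out_opts": build_ipv4(MYIP, "198.51.100.53", 17, build_udp(53001, 53),
                               options=b"\x01\x01\x01\x01"),
    # traffic not involving MYIP at all
    "other": build_ipv4("203.0.113.1", "198.51.100.7", 6, build_tcp(40000, 50000)),
}


def classify_samples():
    """Return {sample name: True if the post's filter would capture it}."""
    return {name: matches_filter(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:14s} -> {'match' if hit else 'drop'}")
```

Running it shows the intended split: the host's own connections and their replies (including UDP and packets carrying IP options) are captured, while connections to local low-port services, the servers' replies from those ports, the explicitly excluded TCP ports, and unrelated traffic are dropped.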
