
I'm trying to verify that a user is actually logging into my machine and I figured out that looking at tcpdump would be reasonable. I'm using the new omhttp module for Rsyslog to send logs via http from localhost to localhost (dest is localhost:8080/events).

tcpdump is called with the following command:
sudo tcpdump -i lo port 8080
Then I generated some logs by echoing to logger and I get an output like this:

21:56:25.807778 IP localhost.40250 > localhost.webcache: Flags [P.], seq 2809:2965, ack 327, win 350, options [nop,nop,TS val 3037939874 ecr 3037939649], length 156
21:56:25.807789 IP localhost.webcache > localhost.40250: Flags [.], ack 2965, win 501, options [nop,nop,TS val 3037939874 ecr 3037939874], length 0

It seems like I'm generating traffic, but what is the localhost.webcache? I've never seen anything like this before and my cursory searches around the network don't bring any enlightenment.

Humberto Castellon
Darakian

1 Answer


webcache is the name of the port number, as listed in /etc/services, in this case 8080. Use -n if you want to see actual numbers.

Michael Hampton
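The lookup the answer describes, reproduced as an added example that is not part of the question or answer above: tcpdump reads /etc/services at start-up and prints the service name registered for a port instead of the number unless -n is given. The script parses a constructed excerpt of /etc/services (the real file on a given distribution may list "http-alt" as the primary name and "webcache" as the alias, or the reverse) and shows both the name-substituted form and the -n form of the endpoints from the capture in the question. All function names are this example's own.

```python
"""Why tcpdump prints "localhost.webcache" for port 8080.

Added example, not code from the original question or answer. tcpdump reads
/etc/services (via getservent(3)) when it starts and substitutes the first
registered name for a port/protocol pair unless -n is given. The functions
below reproduce that lookup over a constructed /etc/services excerpt so the
script runs offline.
"""
import re

# Constructed /etc/services excerpt: "name port/proto [aliases...] [# comment]".
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed excerpt)
ssh             22/tcp
http            80/tcp          www             # WorldWideWeb HTTP
https           443/tcp
webcache        8080/tcp        http-alt        # WWW caching service
webcache        8080/udp        http-alt
"""

# Constructed copy of the first capture line from the question.
SAMPLE_LINE = ("21:56:25.807778 IP localhost.40250 > localhost.webcache: "
               "Flags [P.], seq 2809:2965, ack 327, win 350, length 156")

SERVICE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)((?:\s+\S+)*)\s*$")


def parse_services(text):
    """Return ({(port, proto): name}, {(name, proto): port}) from services text.

    Comments and blank lines are skipped. In the forward table the first entry
    for a port/protocol pair wins, as in tcpdump's own port hash table; aliases
    are only recorded in the reverse table.
    """
    by_port, by_name = {}, {}
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.split("#", 1)[0].rstrip())
        if not m:
            continue
        name, port, proto = m.group(1), int(m.group(2)), m.group(3)
        by_port.setdefault((port, proto), name)
        for alias in [name] + m.group(4).split():
            by_name.setdefault((alias, proto), port)
    return by_port, by_name


def endpoint(host, port, proto, by_port, numeric=False):
    """Format host.port the way tcpdump does; numeric=True mimics -n.

    The name comes purely from the port number: it says nothing about what
    program actually answered on that port.
    """
    if not numeric and (port, proto) in by_port:
        return f"{host}.{by_port[(port, proto)]}"
    return f"{host}.{port}"


def numeric_endpoint(ep, proto, by_name):
    """Undo the substitution: 'localhost.webcache' -> ('localhost', 8080)."""
    host, svc = ep.rsplit(".", 1)
    return host, int(svc) if svc.isdigit() else by_name[(svc, proto)]


def numeric_line(line, proto, by_name):
    """Rewrite the 'src > dst' part of a tcpdump line as -n would print it."""
    m = re.match(r"^(\S+ IP )(\S+) > (\S+):(.*)$", line)
    if not m:
        return line
    src = "%s.%d" % numeric_endpoint(m.group(2), proto, by_name)
    dst = "%s.%d" % numeric_endpoint(m.group(3), proto, by_name)
    return f"{m.group(1)}{src} > {dst}:{m.group(4)}"


if __name__ == "__main__":
    by_port, by_name = parse_services(SAMPLE_SERVICES)
    print("default :", endpoint("localhost", 8080, "tcp", by_port))
    print("with -n :", endpoint("localhost", 8080, "tcp", by_port, numeric=True))
    print("ephemeral:", endpoint("localhost", 40250, "tcp", by_port))
    print(numeric_line(SAMPLE_LINE, "tcp", by_name))
```

The ephemeral client port 40250 has no entry, so it is printed numerically either way; only the listener's port 8080 gets a name. When reviewing captures, treat a service name in tcpdump output as nothing more than a port number: the rsyslog omhttp receiver on 8080 is reported as "webcache" regardless of what is actually listening there.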