Debian 7.11 - How to capture SMPP all arrived and sent packets by some ports

tcpdump -i any -s 0 -vvv -A port 3727 or port 5016 or port 3724 --direction=inout -w /home/admin/dump1.cap

--direction=in for the incoming traffic, --direction=out for the outgoing traffic.

You can find more on the tcpdump manual page: http://www.tcpdump.org/tcpdump_man.html

This can happen if your traffic is going through an IPsec tunnel (check whether this is the case by running ipsec statusall). To capture decrypted packets you can add iptables rules to forward IPsec traffic to the nflog interface:

iptables -t mangle -I PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5

Then tcpdump the nflog interface:

tcpdump -i nflog:5 -y IPV4 -s0 -A port 3727 or port 5016 or port 3724

Remember to remove the nflog rules when you're done!

iptables -t mangle -D PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t mangle -D POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5

Source: https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
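The following script is an added example and not code from either answer or from the strongSwan wiki. It ties the two answers together: it builds the "port A or port B" BPF filter once from a port list (usable for both the plain capture and the NFLOG capture), inserts the NFLOG rules from the second answer, and uses a trap so the rules are removed again even when tcpdump is stopped with Ctrl-C. The port numbers and NFLOG group 5 are taken from the question; the output file path, the DRY_RUN and SMPP_CAPTURE variables and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: capture SMPP traffic on a list of ports via an NFLOG group,
# guaranteeing the iptables rules are removed when the capture ends.
# Assumes Linux with iptables, tcpdump and an NFLOG-capable libpcap.

SMPP_PORTS="3727 5016 3724"      # ports from the question
NFLOG_GROUP=5                    # NFLOG group from the second answer
OUTFILE=/tmp/smpp_decrypted.pcap # assumed output path
DRY_RUN=${DRY_RUN:-0}            # DRY_RUN=1 prints commands instead of running them

# Build a BPF filter "port A or port B ..." from a whitespace-separated list.
# Rejects anything that is not a plain number so a typo cannot widen the capture.
build_port_filter() {
    filter=""
    for p in $*; do
        case "$p" in
            *[!0-9]*|"") echo "bad port: $p" >&2; return 1 ;;
        esac
        if [ -z "$filter" ]; then
            filter="port $p"
        else
            filter="$filter or port $p"
        fi
    done
    printf '%s\n' "$filter"
}

# iptables arguments for one NFLOG rule in the mangle table.
# $1 = -I (insert) or -D (delete), $2 = chain, $3 = ipsec direction (in|out), $4 = group
nflog_rule() {
    printf '%s\n' "-t mangle $1 $2 -m policy --pol ipsec --dir $3 -j NFLOG --nflog-group $4"
}

# Run a command, or only print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

remove_rules() {
    run iptables $(nflog_rule -D PREROUTING in "$NFLOG_GROUP")
    run iptables $(nflog_rule -D POSTROUTING out "$NFLOG_GROUP")
}

capture() {
    filter=$(build_port_filter $SMPP_PORTS) || return 1
    run iptables $(nflog_rule -I PREROUTING in "$NFLOG_GROUP")
    run iptables $(nflog_rule -I POSTROUTING out "$NFLOG_GROUP")
    # Remove the rules on any exit (Ctrl-C included), so decrypted copies
    # of the tunnel traffic stop flowing to the NFLOG group after the capture.
    trap remove_rules EXIT INT TERM
    run tcpdump -i "nflog:$NFLOG_GROUP" -y IPV4 -s 0 -w "$OUTFILE" $filter
}

# Only start a real capture when explicitly asked for, e.g.
#   SMPP_CAPTURE=1 DRY_RUN=1 sh capture_smpp.sh   (show the commands)
#   SMPP_CAPTURE=1 sh capture_smpp.sh             (run as root)
if [ -n "${SMPP_CAPTURE:-}" ]; then
    capture
fi
```

With DRY_RUN=1 the script prints the two insert rules, the tcpdump command and, on exit, the two delete rules, which is a quick way to review exactly what will be applied before running it as root.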