Port forwarding troubleshooting via Tcpdump

To filter for a specific host server which is hosted internally, append host and the IP address to the tcpdump command. To filter for host 10.4.0.28 which is an internal server IP and is trying to be accessed from outside on port 3389 use the following command:

tcpdump -nni eth0 host 10.4.0.28 and port 3389

You can also try to do tcpdump on the ISP IP which is binded with internal IP in which 223.192.71.145 is public IP and eth1 is WAN interface.

tcpdump -nni eth1 host 223.192.71.145 and port 3389