Even better, starting in v11.2, there is an awesome undocumented feature that can help. It's a new "-p" flag to dump on "peer" flows.
Instructions:
"
Log on to CLI via SSH and start packet capture:
tcpdump -ni 0.0:nnnp -s 0 host client-ip -w /var/tmp/traffic_from_client.pcap
replacing client-ip with the IP of the failing client.
e.g. from bash:
tcpdump -ni 0.0:nnnp -s 0 host 10.100.100.102 -w /var/tmp/traffic_from_client.pcap
Note: with the "-p" flag, you can narrow down to all traffic to that VIP as well if you put
tcpdump -ni 0.0:nnnp -s 0 host <vip-ip> and port <vip-port> -w /var/tmp/traffic_to_vip.pcap
e.g.
tcpdump -ni 0.0:nnnp -s 0 host 1.1.1.1 and port 443 -w /var/tmp/traffic_to_vip.pcap
Now reproduce the issue with the failing client.
After reproduction completes, type
Ctrl-C
to stop the packet capture.
Note: The above capture takes advantage of the new tcpdump flag "-p", which captures the peer side of the connection; this is useful when traffic is SNATed on the server side. It requires a small workaround to reset/clear the filter internally (run a different capture without the -p flag that won't match the original filter):
tcpdump -ni 0.0:nnn -s 0 port 1
Type
Ctrl-C
to stop the capture immediately after it starts.
"
Voilà! No more capturing an insane amount of traffic for that needle in a haystack on the server side!
I wrote this (the ugly way we had to do it before):
SOL11555: Gathering data in preparation for a traffic impacting change to the BIG-IP system
http://support.f5.com/kb/en-us/solutions/public/11000/500/sol11555.html?sr=29863417
I'll send a solution update request to add this to the mix.
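The whole sequence from the post (peer capture with "-p", stop after reproduction, then the throwaway non-"-p" capture on "port 1" that clears the internal filter) wrapped in one script, as an added example that is not part of the original post or any F5 documentation. It assumes it is run from the BIG-IP bash shell where that tcpdump build exists; the function and variable names are mine.

```shell
#!/bin/sh
# Added example: drives the BIG-IP "peer flow" capture workflow described above.
# Assumes the BIG-IP tcpdump that understands the 0.0:nnnp interface modifier.
TCPDUMP="${TCPDUMP:-tcpdump}"

# Build the peer-flow capture command: $1 = BPF filter (e.g. "host 10.100.100.102"),
# $2 = output pcap path. Uses the 0.0:nnnp (peer) modifier from the post.
peer_capture_cmd() {
    printf '%s -ni 0.0:nnnp -s 0 %s -w %s' "$TCPDUMP" "$1" "$2"
}

# Build the throwaway capture that clears the internal -p filter state:
# no "p" modifier, and a filter ("port 1") that will not match the original one.
reset_filter_cmd() {
    printf '%s -ni 0.0:nnn -s 0 port 1' "$TCPDUMP"
}

# Run the capture, wait for the operator to reproduce the problem, stop it,
# then run and immediately stop the reset capture.
run_peer_capture() {
    filter=$1
    out=$2
    sh -c "$(peer_capture_cmd "$filter" "$out")" &
    pid=$!
    echo "Capturing peer flows for '$filter' to $out (pid $pid)."
    echo "Reproduce the issue now, then press Enter to stop the capture."
    read -r _
    kill -INT "$pid"
    wait "$pid" 2>/dev/null
    # Clear the -p filter: start the non-peer capture and stop it right away.
    sh -c "$(reset_filter_cmd)" &
    rpid=$!
    sleep 1
    kill -INT "$rpid"
    wait "$rpid" 2>/dev/null
    echo "Done. Capture written to $out; filter state cleared."
}

# Usage on the BIG-IP (client IP is the example value from the post):
# run_peer_capture "host 10.100.100.102" /var/tmp/traffic_from_client.pcap
```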