

TCPDUMP Command

Hi, I need a TCPDUMP command to capture traffic from end to end. Could you please tell me a TCPDUMP command to capture traffic coming to my virtual IP A.A.A.A from any client and going to a pool member B.B.B.B or C.C.C.C.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The incoming connection is terminated by BigIP, and BigIP initiates a second connection from itself to the pool members. You will need 2 dumps for this.

(vlan_810_cs and vlan_820_ss are exact names of my VLAN objects)

tcpdump -i vlan_810_cs dst A.A.A.A -nn -vvv -w /var/tmp/external.pcap
tcpdump -i vlan_820_ss dst B.B.B.B or C.C.C.C -nn -vvv -w /var/tmp/internal.pcap
Comments on this Answer
Comment made 26-Mar-2018 by crodriguez

In some cases, you can do this with one TCPDUMP command by using the "p" modifier on the VLAN name. For example, if A.A.A.A normally receives traffic on the VLAN named "external", and you want to capture both client-side traffic (from clients to A.A.A.A) and server-side traffic (to any of the pool members associated with the virtual server):

tcpdump -i external:p dst A.A.A.A ....

You can then add other TCPDUMP options as desired, such as those provided by Hannes above.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can try something like the command below. The self IP in the command can be the self IP of a VLAN on your Big-IP or the self IP of the Big-IP itself.

tcpdump -nni vlan:nnnp '(host A.A.A.A and port <vs-port>)' or '(host <Self-IP> and B.B.B.B)' or '(host <self-IP> and C.C.C.C)' -s0 -vvv -w /var/tmp/capture.pcap

Ref: https://devcentral.f5.com/questions?pid=54715
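Added example (not part of the original answers or F5's own tooling): the two-capture approach from the first answer as a POSIX shell script, generalized to any number of pool members and to a time-boxed run. The function names and the seconds argument are assumptions of this example; the output paths are the ones used in that answer, and each address is validated before it is placed in the filter expression.

```shell
# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
# Leading zeros are rejected so no octet can be read as octal.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# dst_filter ADDR...: print "dst host A or dst host B ..." for tcpdump.
# Anything that is not a plain IPv4 address is refused, not passed through.
dst_filter() {
    [ "$#" -gt 0 ] || { echo "dst_filter: no addresses given" >&2; return 1; }
    filter=
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "dst_filter: bad address: $addr" >&2; return 1; }
        filter="${filter:+$filter or }dst host $addr"
    done
    printf '%s\n' "$filter"
}

# capture_both CLIENT_VLAN SERVER_VLAN SECONDS VIP MEMBER...
# One capture per side of the proxy, both stopped after SECONDS.
capture_both() {
    cs_vlan=$1 ss_vlan=$2 secs=$3 vip=$4
    shift 4
    cs_filter=$(dst_filter "$vip") || return 1
    ss_filter=$(dst_filter "$@") || return 1
    tcpdump -nn -s0 -i "$cs_vlan" -w /var/tmp/external.pcap "$cs_filter" &
    cs_pid=$!
    tcpdump -nn -s0 -i "$ss_vlan" -w /var/tmp/internal.pcap "$ss_filter" &
    ss_pid=$!
    sleep "$secs"
    kill "$cs_pid" "$ss_pid"       # SIGTERM: tcpdump closes its file and exits
    wait
}

# Runs only when called with: CLIENT_VLAN SERVER_VLAN SECONDS VIP MEMBER...
if [ "$#" -ge 5 ]; then capture_both "$@"; fi
```

Bounding the run with a timer keeps full-packet (`-s0`) captures from filling `/var/tmp`.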
