
tcpdump with multiple pool members

For years I have always written my tcpdump expression to be the client IP and list all pool members using an 'or' statement to capture the "whole" conversation, like:

tcpdump -nni 0.0 host 1.1.1.1 or host 2.2.2.1 or host 2.2.2.2 or host 2.2.2.3

This requires you to filter for the stream number in Wireshark so you can discard the extra pool members you did not talk to. My question is, is there a way to change to an 'and' statement here using brackets or something like:

tcpdump -nni 0.0 host 1.1.1.1 and (host 2.2.2.1 or host 2.2.2.2 or host 2.2.2.3)

This way you only see your stream and you have a much smaller file size to work with.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Yes, that should work, just wrap the whole expression in single quotes, as follows;

tcpdump -nni 0.0 'host 1.1.1.1 and (host 2.2.2.1 or host 2.2.2.2 or host 2.2.2.3)'

1

More on expressions here btw: http://packetpushers.net/masterclass-tcpdump-expressions/

0

Hmmmm. tcpdump took this as a valid expression but it captures 0 packets. I used my own IPs to make a connection and could show the stream with show sys connection.

0
Comments on this Answer
Comment made 20-Sep-2013 by Stephan Manthey 3630
Perhaps you have OneConnect or a SNAT applied? The 2.x.x.x are your pool members? 1.x.x.x is the client?
0
Comment made 20-Sep-2013 by What Lies Beneath 6527
Could you post the connection table entries? Suitably redacted of course.
0
Comment made 20-Sep-2013 by Valentine 207
Yes, SNAT is applied to the VIP I was using. Bad example.
0
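As an added example (not from this thread), the following Python models the flat 'or' expression and the grouped 'and' expression over constructed packets for a full-proxy connection, with and without SNAT, and builds the properly quoted command line. The client and pool member addresses follow the question; the VIP, SNAT address and second client are constructed placeholders.

```python
import shlex
from typing import Callable, List, Optional, Tuple

Packet = Tuple[str, str]          # (source IP, destination IP)
Filter = Callable[[Packet], bool]

# Client and pool members as in the question; VIP, SNAT and second client are
# constructed placeholders for this example.
CLIENT, POOL = "1.1.1.1", ["2.2.2.1", "2.2.2.2", "2.2.2.3"]
VIP, SNAT, OTHER_CLIENT = "3.3.3.3", "4.4.4.4", "5.5.5.5"


def tcpdump_command(client: str, pool: List[str], iface: str = "0.0") -> str:
    """Grouped expression; shlex.quote keeps the parentheses away from the shell."""
    members = " or ".join(f"host {m}" for m in pool)
    expression = f"host {client} and ({members})"
    return f"tcpdump -nni {iface} {shlex.quote(expression)}"


def host(ip: str) -> Filter:
    """BPF primitive 'host X': true when X is the source or the destination."""
    return lambda pkt: ip in pkt


def flat_or(client: str, pool: List[str]) -> Filter:
    """host C or host M1 or host M2 ... (the expression the question starts with)."""
    return lambda pkt: host(client)(pkt) or any(host(m)(pkt) for m in pool)


def grouped_and(client: str, pool: List[str]) -> Filter:
    """host C and (host M1 or host M2 ...) (the accepted answer)."""
    return lambda pkt: host(client)(pkt) and any(host(m)(pkt) for m in pool)


def proxied_flow(client: str, member: str, snat: Optional[str] = None) -> List[Packet]:
    """Both halves of one full-proxy connection: client<->VIP, then (SNAT or client)<->member."""
    server_side_src = snat or client
    return [(client, VIP), (VIP, client), (server_side_src, member), (member, server_side_src)]


def capture(packets: List[Packet], flt: Filter) -> List[Packet]:
    return [p for p in packets if flt(p)]


# Constructed traffic: our client to member 1, another client to the other two members.
TRAFFIC_NO_SNAT = (proxied_flow(CLIENT, POOL[0]) + proxied_flow(OTHER_CLIENT, POOL[1])
                   + proxied_flow(OTHER_CLIENT, POOL[2]))
TRAFFIC_SNAT = (proxied_flow(CLIENT, POOL[0], SNAT) + proxied_flow(OTHER_CLIENT, POOL[1], SNAT)
                + proxied_flow(OTHER_CLIENT, POOL[2], SNAT))

if __name__ == "__main__":
    print(tcpdump_command(CLIENT, POOL))
    for label, traffic in (("no SNAT", TRAFFIC_NO_SNAT), ("SNAT", TRAFFIC_SNAT)):
        print(label, "flat or:", len(capture(traffic, flat_or(CLIENT, POOL))),
              "grouped and:", len(capture(traffic, grouped_and(CLIENT, POOL))))
```

In this model the flat 'or' also picks up the other client's server-side packets, while the grouped 'and' matches only the server-side half of our own connection (the client<->VIP half never carries a pool member address). With SNAT the client address never appears on the server side either, so the grouped expression matches nothing, which is the zero-packet result reported in this answer.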

F5 provides an additional option on tcpdump. Look for the 'F5 Ethernet Trailer'. By adding 'noise' you will get some very useful information.
There is a bunch of AskF5 solutions: SOL13637, SOL411, SOL7227, SOL5564.
DevCentral has an article on the subject and provides the source code for the wireshark plugin / dissector.

0
Comments on this Answer
Comment made 20-Sep-2013 by What Lies Beneath 6527
Good point, thanks.
0