For years I have always written my tcpdump expression to be client ip and list all pool members using an 'or' statement to capture the "whole" conversation like:
tcpdump -nni 0.0 host 188.8.131.52 or host 184.108.40.206 or host 220.127.116.11 or host 18.104.22.168
This requires you to filter for the stream number in wireshark so you can discard the extra pool members you did not talk to. My question is, is there a way to change to an 'and' statement here using brackets or something like:
tcpdump -nni 0.0 host 22.214.171.124 and (host 126.96.36.199 or host 188.8.131.52 or host 184.108.40.206)
This way you only see your stream and you have a much smaller file size to work with.
Yes, that should work, just wrap the whole expression in single quotes, as follows;
tcpdump -nni 0.0 'host 220.127.116.11 and (host 18.104.22.168 or host 22.214.171.124 or host 126.96.36.199)'
More on expressions here btw: [http://packetpushers.net/masterclass-tcpdump-expressions/](More on expressions here btw: http://packetpushers.net/masterclass-tcpdump-expressions/)
Hmmmm. tcpdump took this as a valid expression but it captures 0 packets. I used my own IPs to make a connection and could show the stream with show sys connection.
F5 provides an additonal option on TCPDUMP.
Look for the 'F5 Ethernet Trailer'. By adding 'noise' you will get some very useful information.
There is a bunch of AskF5 solutions: SOL13637, SOL411, SOL7227, SOL5564.
DevCentral has an article on the subject and provides the source code for the wireshark plugin / dissector.