
tcpdump with route domains

Hi all,

I am trying to set up an LTM with route domains and I'm looking for a tcpdump command where I can see packets in route domain 1. If I do a tcpdump -i I can't see any packets I'm interested in.
Also, when I do an ifconfig -a I do not see IP addresses from interfaces which are located in route domain 1. I only see the name of the VLAN which I set up in route domain 1, but without any IPv4 address.
Can anyone give me a hint?
THX

regards
Karsten

Answers to this Question

I don't believe route domains affect the behaviour of tcpdump, so what you are seeing is unusual.

At first guess I would say DMZ is not in route domain 1, but you have obviously checked that.

Are you running the tcpdump on LB1 or LB2?

Cheers
Josh
I think the "tcpdump -i vlan_name" command should do the job for you. This will capture all addresses on the vlan. Just use the name of the vlan on the routing domain.

If you want to write it out to a file use "tcpdump -i vlan_name -w /var/tmp/filename.dmp"

If you are filtering for a specific address, I think you may need to add the domain route specification, but not sure.

Cheers
Josh
Hi Josh,

This is exactly the command that works when I use no route domains, but with route domains I see nothing.
I do a ping from LB1 to LB2 in the VLAN named DMZ.
Now I have the following commands running:

PING 172.27.50.6%1(172.27.50.6%1) 56 data bytes
64 bytes from 172.27.50.6%1: icmp_seq=0 ttl=64 time=1.89 ms
64 bytes from 172.27.50.6%1: icmp_seq=1 ttl=64 time=2.46 ms
64 bytes from 172.27.50.6%1: icmp_seq=2 ttl=64 time=1.01 ms
64 bytes from 172.27.50.6%1: icmp_seq=3 ttl=64 time=0.964 ms
64 bytes from 172.27.50.6%1: icmp_seq=4 ttl=64 time=1.46 ms

and in another window

tcpdump -i DMZ
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on DMZ, link-type EN10MB (Ethernet), capture size 108 bytes
01:13:55.375340 e8:04:62:4c:09:81 (oui Unknown) > 01:00:0c:cc:cc:cd (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 50
01:13:57.388561 e8:04:62:4c:09:81 (oui Unknown) > 01:00:0c:cc:cc:cd (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 50

But there is nothing to see from the ICMP packets.

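As an added example (not from this thread or from F5), a small Python check that parses tcpdump text output like the capture above and reports whether the expected host's traffic was captured or only link-layer frames, which is the symptom Karsten hit; it also splits the BIG-IP `addr%rd` notation used in the ping. The sample lines are constructed and the helper names are my own.

```python
import ipaddress
import re

# Constructed sample capture, not the thread's exact output. The first two lines
# mimic the poster's capture, where only Cisco L2 multicast (01:00:0c:cc:cc:cd)
# shows up; the last two are what the LB1 <-> LB2 ping looks like once it works.
SAMPLE_CAPTURE = """\
01:13:55.375340 e8:04:62:4c:09:81 (oui Unknown) > 01:00:0c:cc:cc:cd (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 50
01:13:57.388561 e8:04:62:4c:09:81 (oui Unknown) > 01:00:0c:cc:cc:cd (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 50
01:13:58.001200 IP 172.27.50.5 > 172.27.50.6: ICMP echo request, id 1234, seq 0, length 64
01:13:58.003100 IP 172.27.50.6 > 172.27.50.5: ICMP echo reply, id 1234, seq 0, length 64
"""
# Matches the "IP src > dst: PROTO ..." lines tcpdump -n prints; L2 frames don't match.
IP_LINE = re.compile(r"^\S+ IP6? (\S+) > (\S+): (\w+)")

def split_route_domain(target):
    """Split BIG-IP 'addr%rd' notation into (address, route domain id); bare addr is RD 0."""
    addr, _, rd = target.partition("%")
    ipaddress.ip_address(addr)  # raises ValueError on junk input
    return addr, int(rd) if rd else 0

def strip_port(token):
    """tcpdump -n prints 'a.b.c.d.port' for TCP/UDP; drop the port if present."""
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else token

def parse_capture(text):
    """Yield (src, dst, proto) for IP lines and None for non-IP (CDP/STP etc.) lines."""
    for line in text.splitlines():
        m = IP_LINE.match(line)
        yield (strip_port(m.group(1)), strip_port(m.group(2)), m.group(3)) if m else None

def check_capture(text, target):
    """Summarise a text capture and judge whether 'addr%rd' traffic was seen."""
    host, _rd = split_route_domain(target)  # the host filter itself carries no RD
    ip_pkts = l2_pkts = host_pkts = 0
    for pkt in parse_capture(text):
        if pkt is None:
            l2_pkts += 1
            continue
        ip_pkts += 1
        host_pkts += host in pkt[:2]
    if host_pkts:
        verdict = "ok"
    elif ip_pkts == 0 and l2_pkts:
        verdict = "l2-only"  # typical when capturing from a non-default RD: rdsh 0, then -i 0.0
    else:
        verdict = "host-missing"
    return {"ip": ip_pkts, "l2": l2_pkts, "host": host_pkts, "verdict": verdict}
```

Feed it the text of a `tcpdump -n` run (or `tcpdump -nr file.pcap`) and a target such as `172.27.50.6%1`; an `l2-only` verdict is the "only SNAP/CDP frames" picture from the capture above.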
DMZ is set up in route domain 1, and so is the destination IP 172.27.50.6. This is the IP of LB2, and I do the tcpdump and ping on LB1 (172.27.50.5).

But what I just noticed is that when I start the tcpdump before I start the ping, I can see ICMP packets in the dump. If I start the ping first and then the tcpdump, I see nothing. That's crazy!
I rarely run tcpdump on a physical or VLAN interface. Usually I run it on 0.0.
# tcpdump -nni 0.0:nnn -s0 -w /var/tmp/

Anyway, I think it should show up. If I don't misremember, it will be in IPv6 format.

cheer!

The SOL below says to run tcpdump on 0.0, and it captures everything.

http://support.f5.com/kb/en-us/solutions/public/6000/500/sol6546.html


It is also important to note that you should not be in a non-default route domain. So, to ensure you are in the default route domain, run:

# rdsh 0

and then run the tcpdump using the 0.0 interface, so that you capture on all vlans.


When using tcpdump to capture traffic in a non-default route domain, F5 recommends that you run the tcpdump command from the default route domain (route domain 0), and specify interface 0.0. For example, the following command captures traffic from all VLANs in all route domains when invoked from the default route domain: tcpdump -ni 0.0

See the full solution: SOL6546: Recommended methods and limitations for running tcpdump on a BIG-IP system http://support.f5.com/kb/en-us/solutions/public/6000/500/sol6546.html?sr=37712322


Running tcpdump in a route domain

Recommendations

When you use tcpdump to capture traffic in a non-default route domain, F5 recommends that you run the tcpdump command from the default route domain (route domain 0), and specify interface 0.0. Note: If you specify interface 0.0 when you run tcpdump, it captures traffic traversing all configured VLANs on the BIG-IP system.

For example, the following command captures traffic from all VLANs in all route domains when you invoke it from the default route domain:

tcpdump -ni 0.0

Limitations

The tcpdump utility does not capture traffic when you run it from a non-default route domain. For example, if you use the rdsh utility to change the shell to a non-default route domain and run the tcpdump command, it does not capture any traffic. To capture traffic, use the following command to change back to the default route domain: rdsh 0

You can then run the tcpdump -ni 0.0 command to capture all route domain traffic.
