Forum Discussion

ghost-rider_124
Mar 18, 2018

Single tcpdump command for client and server side

Hi Experts

How can I write a single tcpdump command to capture client-side and server-side traffic? In my case there is no SNAT, as the server gateway is the F5. I mean:

Client Side: To/From VIP <-> client AND Server Side: To/From pool member

Can I use any tcp flag or something?

Thanks


3 Replies

  • tcpdump -ni 0.0

    Remember to "grep", because you will have a huge amount of information.

  • Surgeon
    Ret. Employee

    You can specify the following filter: host <client_ip> or 'host and host '. If you are using automap, the egress IP is your floating IP; if you are using a SNAT pool, then an IP from that pool; if none of these, then the F5 egress IP is equal to the client IP.

    You can use interface 0.0, which forces tcpdump to listen on all interfaces.

    Refer to the tcpdump manual page to add additional flags if required when preparing your capture string.

  • THi

    You can use the "p" interface modifier to capture the flow (i.e. both external-side and internal-side traffic).

    "Capturing traffic with TMM information for a specific traffic flow

    Beginning in BIG-IP 11.2.0, you can use the p interface modifier with the n modifier to capture traffic with TMM information for a specific flow, and its related peer flow. The p modifier allows you to capture a specific traffic flow through the BIG-IP system from end to end, even when the configuration uses a Secure Network Address Translation (SNAT) or OneConnect. For example, the following command searches for traffic to or from client 10.0.0.1 on interface 0.0:

    tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.dmp host 10.0.0.1

    Once tcpdump identifies a related flow, the flow is marked in TMM, and every subsequent packet in the flow (on both sides of the BIG-IP system) is written to the capture file."

    For more information see: K13637: Capturing internal TMM information with tcpdump
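The two approaches in this thread, as an added example that is not part of the original posts or of F5's own tooling: a small POSIX shell helper that builds either a plain BPF filter covering both legs of one connection (the asker's no-SNAT case, plus the SNAT variant Surgeon describes) or the `:nnnp` flow-marking command from K13637. It assumes the command runs on the BIG-IP itself, uses interface 0.0 and the output path from the quoted article, and the addresses are constructed sample values.

```sh
#!/bin/sh
# Added example, not from the thread or from F5. Builds an F5 BIG-IP tcpdump
# command that captures both the client-side and the server-side leg of one
# connection. Assumes: tcpdump is run on the BIG-IP, interface 0.0 (all
# VLANs), and the ":nnnp" modifier is available (BIG-IP 11.2.0 or later).
# All IP addresses below are constructed sample values.

# Reject anything that is not a dotted-quad IPv4 address with octets 0-255,
# so a typo never turns into an over-broad (or empty) capture filter.
is_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Print the BPF filter that covers both legs of the flow.
#   $1 client IP, $2 virtual server IP, $3 pool member IP,
#   $4 optional SNAT/egress IP (omit when there is no SNAT).
# Without SNAT the server-side leg still carries the client IP as source,
# so "host CLIENT" alone matches both legs; the VIP/pool-member terms only
# narrow the capture to the one virtual server and member of interest.
# With SNAT the server-side leg carries the SNAT address instead, so that
# leg needs its own term (this is the part the p modifier spares you).
build_filter() {
    client=$1; vip=$2; member=$3; snat=${4:-}
    for ip in "$client" "$vip" "$member" $snat; do
        is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    if [ -z "$snat" ]; then
        echo "host $client and (host $vip or host $member)"
    else
        echo "(host $client and host $vip) or (host $snat and host $member)"
    fi
}

# Print the full tcpdump command for the BIG-IP shell.
#   bpf  : plain filter from build_filter (you must know the egress address)
#   flow : p modifier; TMM marks the peer flow so the server-side leg is
#          captured even behind SNAT or OneConnect, given only the client IP
build_capture_cmd() {
    mode=$1; shift
    outfile=/var/tmp/capture.dmp   # output path taken from the K13637 example
    case $mode in
        bpf)  filter=$(build_filter "$@") || return 1
              echo "tcpdump -ni 0.0 -s0 -w $outfile '$filter'" ;;
        flow) is_ipv4 "$1" || { echo "invalid client IP: $1" >&2; return 1; }
              echo "tcpdump -ni 0.0:nnnp -s0 -c 100000 -w $outfile host $1" ;;
        *)    echo "usage: build_capture_cmd bpf|flow <addresses>" >&2
              return 1 ;;
    esac
}

# Demonstration with constructed addresses (client, VIP, pool member, SNAT).
build_capture_cmd bpf  203.0.113.10 198.51.100.5 10.1.1.20
build_capture_cmd bpf  203.0.113.10 198.51.100.5 10.1.1.20 10.1.1.254
build_capture_cmd flow 203.0.113.10
```

The helper only prints the command; copy it into the BIG-IP shell to run it. Two caveats a practitioner will want: `-s0` keeps full payloads, so always bound the capture with `-c` or `-w` to a file rather than leaving it running on a busy box, and a file written with the `nnn` modifiers carries F5 TMM trailers, so read it back on the BIG-IP or with a Wireshark build that has the F5 trailer dissector rather than a plain `tcpdump -r` elsewhere.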