Forum Discussion

Valentine_96813
Sep 20, 2013

tcpdump with multiple pool members

For years I have always written my tcpdump expression to be client ip and list all pool members using an 'or' statement to capture the "whole" conversation like:


tcpdump -nni 0.0 host 1.1.1.1 or host 2.2.2.1 or host 2.2.2.2 or host 2.2.2.3


This requires you to filter for the stream number in wireshark so you can discard the extra pool members you did not talk to. My question is, is there a way to change to an 'and' statement here using brackets or something like:


tcpdump -nni 0.0 host 1.1.1.1 and (host 2.2.2.1 or host 2.2.2.2 or host 2.2.2.3)


This way you only see your stream and you have a much smaller file size to work with.


7 Replies

  • Yes, that should work, just wrap the whole expression in single quotes, as follows;

    tcpdump -nni 0.0 'host 1.1.1.1 and (host 2.2.2.1 or host 2.2.2.2 or host 2.2.2.3)'

  • More on expressions here btw: http://packetpushers.net/masterclass-tcpdump-expressions/


  • Hmmmm. tcpdump took this as a valid expression but it captures 0 packets. I used my own IPs to make a connection and could show the stream with show sys connection.


    • StephanManthey
      Perhaps you have OneConnect or a SNAT applied? The 2.x.x.x are your pool members? 1.x.x.x is the client?
    • What_Lies_Bene1
      Could you post the connection table entries? Suitably redacted of course.
  • F5 provides an additional option on TCPDUMP. Look for the 'F5 Ethernet Trailer'. By adding 'noise' you will get some very useful information.


    There is a bunch of AskF5 solutions: SOL13637, SOL411, SOL7227, SOL5564.


    DevCentral has an article on the subject and provides the source code for the wireshark plugin / dissector.
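The two expressions from the question, evaluated over a constructed capture as an added example (not code from the thread or from F5): the 1.1.1.1 client and the 2.2.2.x pool members are the thread's values, while the virtual-server address, the SNAT address and the second client 3.3.3.3 are assumptions. It also goes one step beyond the thread by showing what the 'and' form keeps when it is given the SNAT address instead of the client address, which is the zero-packet case raised in the replies.

```python
# Added example, not from the thread: applies the question's two tcpdump
# expressions to constructed (src, dst) packets and counts what each keeps.
# 1.1.1.1 and 2.2.2.x come from the thread; VIRTUAL, SNAT, 3.3.3.3 are assumed.
CLIENT = "1.1.1.1"
POOL = ("2.2.2.1", "2.2.2.2", "2.2.2.3")
VIRTUAL = "10.0.0.10"   # assumed virtual-server address
SNAT = "10.0.0.99"      # assumed SNAT address used on the server side

def host(ip):
    """BPF 'host ip': true when ip is the source or the destination."""
    return lambda pkt: ip in pkt

def any_of(*preds):
    return lambda pkt: any(p(pkt) for p in preds)

def all_of(*preds):
    return lambda pkt: all(p(pkt) for p in preds)

# host 1.1.1.1 or host 2.2.2.1 or host 2.2.2.2 or host 2.2.2.3
OR_FILTER = any_of(host(CLIENT), *(host(m) for m in POOL))

def and_filter(client_side_ip):
    """host <ip> and (host 2.2.2.1 or host 2.2.2.2 or host 2.2.2.3)"""
    return all_of(host(client_side_ip), any_of(*(host(m) for m in POOL)))

def sample_capture(snat):
    """Constructed packets: our client's flow through the proxy to pool
    member 2.2.2.2, plus an unrelated client's flow to 2.2.2.3."""
    server_side_src = SNAT if snat else CLIENT
    return [
        (CLIENT, VIRTUAL),             # client-side request
        (server_side_src, POOL[1]),    # server-side request
        (POOL[1], server_side_src),    # server-side reply
        (VIRTUAL, CLIENT),             # client-side reply
        ("3.3.3.3", POOL[2]),          # other client's server-side flow
        (POOL[2], "3.3.3.3"),
    ]

def matches(pred, packets):
    return sum(1 for pkt in packets if pred(pkt))

def compare(snat):
    """Packet counts each expression keeps for the constructed capture."""
    pkts = sample_capture(snat)
    return {
        "or_form": matches(OR_FILTER, pkts),
        "and_form_client_ip": matches(and_filter(CLIENT), pkts),
        "and_form_snat_ip": matches(and_filter(SNAT), pkts),
    }
```

Even without SNAT the 'and' form keeps only the two server-side packets, because the client-side half runs between the client and the virtual-server address, which the expression never names. With SNAT applied the same expression keeps nothing at all, and only the SNAT address selects the server-side half.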