Forum Discussion
3 Replies
- Cory_50405Noctilucent
Yes there is. What you are looking for is in here:
http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13637.html
- IheartF5_45022Nacreous
Let's say your client is 1.1.1.1, VIP (2.2.2.2) is on port 80, your self-ip is 3.3.3.3 and your server ports are 8081, your tcpdump would be:
tcpdump -i0.0 -s0 -w/var/tmp/proxy.cap \(host 1.1.1.1 and host 2.2.2.2 and port 80\) or \(host 3.3.3.3 and port 8081\)
If port 8081 is also used for other server pools, though, you will end up with lots of noise and would have to add in the server IPs or network (if it can be summarised) to only get the traffic you want. If you know which server they will use, you can narrow it down even further (let's say it's 5.5.5.5):
tcpdump -i0.0 -s0 -w/var/tmp/proxy.cap \(host 1.1.1.1 and host 2.2.2.2 and port 80\) or \(host 3.3.3.3 and port 8081 and host 5.5.5.5\)
Hopefully that gives you enough idea of how to target both sides of the conversation.
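The two-sided filter from the post above, generalised to several pool members, as an added example that is not part of the original thread. The helper names (is_port, is_ipv4, build_proxy_filter) are hypothetical, and every value is validated before it is placed in the expression that goes on the tcpdump command line.

```sh
# Added example; helper names are hypothetical, not F5 tooling.
# Validates each value before it is placed in the filter, so nothing but
# dotted-quad addresses and numeric ports reaches the tcpdump command line.

# is_port N: true if N is an integer in 1-65535
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 ADDR: true if ADDR is four dot-separated octets, each 0-255
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# build_proxy_filter CLIENT VIP VIP_PORT SELF_IP SERVER_PORT [SERVER_IP...]
# Prints the client-side OR server-side expression from the post above.
build_proxy_filter() {
    [ $# -ge 5 ] || { echo "need client vip vport selfip sport" >&2; return 2; }
    client=$1 vip=$2 vport=$3 selfip=$4 sport=$5
    shift 5
    for a in "$client" "$vip" "$selfip" "$@"; do
        is_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    { is_port "$vport" && is_port "$sport"; } || { echo "bad port" >&2; return 1; }
    servers=
    for s in "$@"; do
        servers="${servers:+$servers or }host $s"
    done
    filter="(host $client and host $vip and port $vport) or (host $selfip and port $sport"
    if [ -n "$servers" ]; then filter="$filter and ($servers)"; fi
    printf '%s\n' "$filter)"
}

# Usage, passing the whole expression as one quoted argument:
#   tcpdump -i0.0 -s0 -w/var/tmp/proxy.cap \
#     "$(build_proxy_filter 1.1.1.1 2.2.2.2 80 3.3.3.3 8081 5.5.5.5 5.5.5.6)"
```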
- nitassEmployee
If you are using 11.2.0 or later, you can use the nnnp interface modifier, as Cory suggested.

Capturing traffic with TMM information for a specific traffic flow

Beginning in BIG-IP 11.2.0, you can use the 'p' interface modifier with the 'n' modifier to capture traffic with TMM information for a specific flow, and its related peer flow. The p modifier allows you to capture a specific traffic flow through the BIG-IP system from end to end, even when the configuration uses a Secure Network Address Translation (SNAT) or OneConnect. For example, the following command searches for traffic to or from client 10.0.0.1 on interface 0.0:

tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.dmp host 10.0.0.1

Once tcpdump identifies a related flow, the flow is marked in TMM, and every subsequent packet in the flow (on both sides of the BIG-IP system) is written to the capture file.
sol13637: Capturing internal TMM information with tcpdump
http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13637.html