aspindler34_133
Jan 06, 2015

tcpdump on LTM

I am trying to capture traffic of communications between clients and servers. I currently have the syntax of my tcpdump commands worked out to what I want. But when I try to save it to a file type, export it off the LTM, and open it in Wireshark for analysis, I get the following error: "The file "test.pcap" isn't a capture file in a format Wireshark understands." I receive this error from other file types as well.

 

Is there a standard file type I should use? After I finish posting this I am going to try this with .bin instead of .pcap or its variants.

 

2 Replies

  • when I try to save it to a file type and export it off the LTM and try to open it in Wireshark for analysis, I get the following error. "The file "test.pcap" isn't a capture file in a format Wireshark understands."

    What tcpdump command did you use? Was it the -w option?

    -w   Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is "-". When writing packets in this manner, the first packet in the file will be a pseudo packet indicating the command line used to run tcpdump and some system information. This pseudo packet is not counted in the packets captured summary information nor when limiting the length of the capture with the -c option.
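
An added example, not part of the thread: Wireshark identifies a capture by the magic bytes at the start of the file rather than by its extension, so a file holding tcpdump's printed output (written without -w) is rejected whatever it is named. The function name `capture_kind` is hypothetical, and the check assumes `od`, `head`, `tr` and `wc` are available on the host.

```shell
#!/bin/sh
# Added example: classify a capture file by its leading magic bytes
# before exporting it for analysis. The file extension plays no part.

capture_kind() {
    # Prints one of: pcap, pcap-nsec, pcapng, text, empty, unknown
    f=$1
    [ -s "$f" ] || { echo empty; return 0; }
    # First four bytes as lowercase hex with separators removed.
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo pcap ;;       # libpcap, microsecond timestamps
        4d3cb2a1|a1b23c4d) echo pcap-nsec ;;  # libpcap, nanosecond timestamps
        0a0d0d0a)          echo pcapng ;;     # pcapng section header block
        *)
            # Printed tcpdump output (no -w) is plain text: count the bytes
            # in the first 512 that are neither printable nor whitespace.
            n=$(head -c 512 "$f" | LC_ALL=C tr -d '[:print:][:space:]' | wc -c | tr -d ' ')
            if [ "$n" -eq 0 ]; then
                echo text
            else
                echo unknown
            fi ;;
    esac
}

# Optional stand-alone use: sh capture_kind.sh /var/tmp/test.pcap
if [ "$#" -gt 0 ]; then
    capture_kind "$1"
fi
```

A result of `text` means the file was produced by redirecting tcpdump's printed output, and the capture needs to be rerun with `-w`.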