jack_10574
Nov 13, 2017

Tcpdump for tcp packet capture question

Hi all,

Recently, I performed a packet capture with tcpdump on the F5 for the application.

Based on the tcpdump, I saw that the TCP handshake completed, followed only by the client sending sync connections to the server. I didn't see the server reply anything to the client based on the packets.

However, the message transactions are completed and working properly.

I just wonder how the message transactions can complete successfully when I only saw the client send sync connections to the server.

The tcpdump command I ran was: tcpdump -s0 -ni 0.0 -w var/tmp/client/pcap

Can anyone enlighten me as to what tcpdump command I should execute to see the entire traffic? Please see the attached result, which I filtered in Wireshark by client IP: 172.16.1.200

1 Reply

  • There's nothing wrong with your tcpdump syntax; you have used the -n 0.0 switch to listen on all interfaces.

    If you right-click in Wireshark on the first SYN and select 'Follow TCP Stream', do you see any TCP FIN messages?

    Are you sure traffic is returning via the F5? You can also add a -e switch to list which layer 2 VLAN each packet is seen on.
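One way to test the reply's question (is return traffic actually passing through the F5?) against a saved capture, as an added example that is not part of the original thread: it parses a classic little-endian pcap and lists the TCP conversations in which only one side was ever captured. The server addresses and ports in the sample are constructed; only 172.16.1.200 comes from the post.

```python
import struct
from collections import defaultdict

def frame(src, dst, sport, dport, flags):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def one_way_flows(data):
    """Return TCP conversations in which only one side ever sent a packet."""
    seen = defaultdict(set)   # conversation -> set of senders observed
    off = 24                  # skip the pcap global header
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]   # captured length
        pkt = data[off + 16: off + 16 + incl]
        off += 16 + incl
        l3 = 18 if pkt[12:14] == b"\x81\x00" else 14   # skip an 802.1Q tag if present
        if len(pkt) < l3 + 20 or pkt[l3 - 2:l3] != b"\x08\x00" or pkt[l3 + 9] != 6:
            continue          # truncated, or not IPv4/TCP
        ihl = (pkt[l3] & 0x0F) * 4
        if len(pkt) < l3 + ihl + 4:
            continue          # TCP ports not captured
        src = ".".join(map(str, pkt[l3 + 12:l3 + 16]))
        dst = ".".join(map(str, pkt[l3 + 16:l3 + 20]))
        sport, dport = struct.unpack_from("!HH", pkt, l3 + ihl)
        a, b = (src, sport), (dst, dport)
        seen[tuple(sorted((a, b)))].add(a)
    return sorted(conv for conv, senders in seen.items() if len(senders) == 1)

# Constructed capture: one conversation seen in both directions, one seen client-side only.
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18
SAMPLE = pcap([
    frame("172.16.1.200", "10.0.0.10", 40000, 80, SYN),
    frame("10.0.0.10", "172.16.1.200", 80, 40000, SYNACK),
    frame("172.16.1.200", "10.0.0.10", 40000, 80, ACK),
    frame("172.16.1.200", "10.0.0.20", 40001, 80, SYN),
    frame("172.16.1.200", "10.0.0.20", 40001, 80, PSHACK),
])
if __name__ == "__main__":
    print("one direction only:", one_way_flows(SAMPLE))
```

A conversation listed here that nevertheless works end to end means the replies reached the client without crossing any interface the capture covered.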