NimbostratusHi, I need a TCPDUMP command to capture traffic from end to end. Could you please tell me a TCPDUMP command to capture traffic coming to my virtual IP A.A.A.A from any client and going to a pool member B.B.B.B or C.C.C.C.
NimbostratusThe incoming connection is terminated by BigIP, and BigIP initiates a second connection from itself to the pool members. You will need 2 dumps for this.
(vlan_810_cs and vlan_820_ss are exact names of my VLAN objects)
tcpdump -i vlan_810_cs dst A.A.A.A -nn -vvv -w /var/tmp/external.pcap
tcpdump -i vlan_820_ss dst B.B.B.B or C.C.C.C -nn -vvv -w /var/tmp/internal.pcap
In some cases, you can do this with one TCPDUMP command by using the "p" modifier on the VLAN name. For example, if A.A.A.A normally receives traffic on the VLAN named "external", and you want to capture both client-side traffic (from clients to A.A.A.A) and server-side traffic (to any of the pool members associated with the virtual server):
tcpdump -i external:p dst A.A.A.A ....
You can then add other TCPDUMP options as desired, such as those provided by Hannes above.
NacreousThe incoming connection is terminated by BigIP, and BigIP initiates a second connection from itself to the pool members. You will need 2 dumps for this.
(vlan_810_cs and vlan_820_ss are exact names of my VLAN objects)
tcpdump -i vlan_810_cs dst A.A.A.A -nn -vvv -w /var/tmp/external.pcap
tcpdump -i vlan_820_ss dst B.B.B.B or C.C.C.C -nn -vvv -w /var/tmp/internal.pcap
In some cases, you can do this with one TCPDUMP command by using the "p" modifier on the VLAN name. For example, if A.A.A.A normally receives traffic on the VLAN named "external", and you want to capture both client-side traffic (from clients to A.A.A.A) and server-side traffic (to any of the pool members associated with the virtual server):
tcpdump -i external:p dst A.A.A.A ....
You can then add other TCPDUMP options as desired, such as those provided by Hannes above.
AltostratusYou can try something like below. Self-IP in the below command can be self IP of a Vlan on your Big-IP or self-IP of Big-IP itself.
tcpdump -nni vlan:nnnp '(host A.A.A.A and port )' or '(host and B.B.B.B)' or '(host and C.C.C.C)' -s0 -vvv -W /var/tmp/capture.pcap
Ref--> https://devcentral.f5.com/questions?pid=54715