IRONMAN
Apr 20, 2017

How to view TCPDump on LTM

At present I run the tcpdump command, get the log file from the F5/root folder, download it to my system using sftp, and view the logs!

 

Is there a way I can see the logs from the tmsh command line, the live traffic flow between hosts, like we do on Cisco products, where we can see the source and destination addresses and ports?

 

Thanks in advance

 

3 Replies

  • Hello,

     

    Are you using "-w" option to write the output of tcpdump in a file ?

     

    If you remove the option, it will be displayed in the stdout stream (terminal).

     

    Please check the following KB about tcpdump options.

     

    A common tcpdump command that I use is:

     

    tcpdump -nni 0.0 -s0 -X host x.x.x.x and host y.y.y.y

     

    Regards

     

  • Are you interested only in TCPDUMP, or in other options on F5? With TCPDUMP you can capture live packets, print them on screen, and store them in a folder for later use.

    Ex:

    tcpdump -nni 0.0:nnn -s0 host x.x.x.x and host y.y.y.y
    It will show the packets on screen.


    tmsh show sys connection
    is the basic starting point, but if that's all you specify, you'll see all the connections - which is probably much more output than you want. You need to specify additional information about the endpoints you care about if you want to limit the output.

    cs-client-addr - the (client) source IP address on the clientside of the connection

    cs-client-port - the (client) source port on the clientside of the connection

    cs-server-addr - the (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address)

    cs-server-port - the (server) destination port on the clientside of the connection (i.e. the Virtual Server port)

    ss-client-addr - the (client) source IP address on the serverside of the connection (i.e. the SNAT address)

    ss-client-port - the (client) source port on the serverside of the connection (i.e. the SNAT port)

    ss-server-addr - the (server) destination IP address on the serverside of the connection (i.e., the Pool Member address)

    ss-server-port - the (server) destination port on the serverside of the connection (i.e., the Pool Member port)

    You can mix/match these options as necessary to isolate the connections you are interested in. The more pieces of information you specify, the narrower your focus will be, and the smaller your output will become. So for example, this command would show me all connections from client 100.1.1.1, to any Virtual Server assigned address 10.1.1.0, that were load-balanced to Pool Member 192.168.1.1:9999:

    tmsh show sys conn cs-client-addr 110.x.x.x1 cs-server-addr 11.x.x.0 ss-server-addr 192.168.x.x ss-server-port 9090

  • Thanks,

     

    As I understood here, host x.x.x.x and host y.y.y.y

     

    X is the source client IP and Y is the VIP IP for the client side; X is the source VIP and Y is the pool member for the server side.

     

    Based on IP it will capture the traffic, am I correct?
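
The tcpdump commands in the replies above print packets to the terminal. As an added example (not code from the thread or from F5), the shell function below condenses that output into one line per flow with source and destination address and port. `flow_summary` and `sample_capture` are hypothetical names, the sample lines are constructed, and it assumes standard `tcpdump -nn` text lines and an awk in the shell where the capture runs.

```shell
# Added example (not from the thread): turn tcpdump -nn text output into one
# line per flow: source address/port -> destination address/port, with counts.
# Assumes standard tcpdump header lines and an awk in the capturing shell.
# Usage sketch: tcpdump -nni 0.0 -c 200 host x.x.x.x and host y.y.y.y | flow_summary
# (-c ends the capture by itself, so awk reaches END and prints the summary).
flow_summary() {
  awk '
    # Split "addr.port" at its last dot; portless endpoints (ICMP) get "-".
    function split_ep(ep, proto, out,    n, dots) {
      dots = gsub(/\./, ".", ep)               # count the dots
      if ((proto == "IP" && dots < 4) || (proto == "IP6" && dots < 1)) {
        out["addr"] = ep; out["port"] = "-"; return
      }
      n = match(ep, /\.[^.]*$/)                # index of the last dot
      out["addr"] = substr(ep, 1, n - 1)
      out["port"] = substr(ep, n + 1)
    }
    # Header lines look like "<time> IP|IP6 <src> > <dst>: ...".
    # Hex dump lines from -X and ARP lines do not match and are skipped.
    ($2 == "IP" || $2 == "IP6") && $4 == ">" {
      dst = $5; sub(/:$/, "", dst)
      split_ep($3, $2, s); split_ep(dst, $2, d)
      key = s["addr"] " " s["port"] " -> " d["addr"] " " d["port"]
      if (!(key in count)) order[++flows] = key  # keep first-seen order
      count[key]++
    }
    END { for (i = 1; i <= flows; i++) print order[i], "packets=" count[order[i]] }
  '
}

# Constructed sample lines in tcpdump -nn format (not a real capture).
sample_capture() {
  cat <<'EOF'
12:00:00.000001 IP 10.1.1.5.51514 > 10.1.1.100.443: Flags [S], seq 1, win 29200, length 0
12:00:00.000200 IP 10.1.1.100.443 > 10.1.1.5.51514: Flags [S.], seq 9, ack 2, win 4380, length 0
        0x0000:  4500 003c 0000 4000 4006 0000 0a01 0105  E..<..@.@.......
12:00:00.000300 IP 10.1.1.5.51514 > 10.1.1.100.443: Flags [.], ack 10, win 29200, length 0
12:00:01.000000 IP 10.1.1.5 > 10.1.1.100: ICMP echo request, id 1, seq 1, length 64
12:00:02.000000 ARP, Request who-has 10.1.1.100 tell 10.1.1.5, length 28
EOF
}

sample_capture | flow_summary
```

Each direction of a connection is listed as its own flow, so a client-side conversation shows up as two lines.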