Hi Piotr,
In the tcpdump example provided by uni you will notice the usage of the "-i" parameter to determine the interface.
F5 has added some options to improve tracking traffic.
Using interface 0.0 allows capturing traffic internally on all VLANs.
The internal capture allows in addition the use of the "noise" flags, "nnn".
Last but not least there is the "p" flag for interface definition to capture peer traffic.
With the "p" flag you can set a filter on a clientside parameter, i.e. client IP or virtual server IP and the trace will include the related serverside traffic as well, SNATed or not. No worries about filtering out the monitoring traffic.
Uni has also added the "-s" parameter for packet size specification. Set it to "0" to capture the full packet length. This will be necessary to dump the internal ethernet trailer information (aka "noise").
To decode the "noise" in Wireshark you may want to download the Wireshark Plugin provided by F5.
So the tcpdump would look like this:
tcpdump -i 0.0:nnnp -s 0 -w /var/tmp/mytrace.cap host
This kind of trace will contain the serverside traffic as well. Feel free to add filters according to your specific needs.
Thanks, Stephan