Aug 19, 2016

TCPDUMP with SNAT and '-p' usage


I was reading about tcpdump and the various filters we can use to capture the appropriate traffic.

Came across the post @

Assuming that I can capture the traffic from my server even if I have SNAT enabled, I have used the option '-p'. This is the capture filter I used:

tcpdump -ni 0.0:nnn -s0 -v -p host and port 80 -w /var/tmp/test_sw.bin

I used Wireshark to read the content of the file, but I couldn't find any details of the traffic from my backend server. Is it possible to see the traffic from my backend server with the option -p?

Am I missing something here? Or will it not show the traffic from my backend server because the IP is not included in the filter?

  • Hi,

    I never saw this thread and I learned something interesting...

    In this thread, the p option is not

    but appended in the string

    tcpdump -ni 0.0:nnnp -s0 -v host and port 80 -w /var/tmp/test_sw.bin
  • You may wish to review SOL13637: Capturing internal TMM information with tcpdump, which documents the interface modifiers, such as n, p, and h.

    Please note the warning about using the 'p' modifier:

    Note: This modifier will continue to produce flow information for the life of the connection. Subsequent tcpdump captures will reveal flow information from previous tcpdump captures using the :p modifier if the connection is still active. To clear flow information from previous use, run the tcpdump command without the :p modifier using a filter that matches no information in the flow and ensure some traffic has been received by the BIG-IP system for the flow.
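The two replies above make the same point: on BIG-IP the peer-flow modifier is a suffix on the interface name (0.0:nnnp), not a tcpdump flag. The following shell snippet is an added example, not code from the thread or from F5: it builds the interface spec in that form and flags a stray `-p` argument, which stock tcpdump silently accepts as its "no promiscuous mode" option, so the command from the question runs without any error. The function names and the assumption that only the letters n, p and h are used as modifiers are mine.

```shell
# Accept only the modifier letters named in the replies (n, p, h).
# Assumption: no other modifier letters are in play here.
valid_modifiers() {
    case "$1" in
        '')        return 0 ;;
        *[!nph]*)  return 1 ;;
        *)         return 0 ;;
    esac
}

# bigip_tcpdump_cmd IFACE MODIFIERS OUTFILE FILTER...
# Prints a command line with the modifiers appended after a colon on the
# interface (e.g. 0.0:nnnp), never as a separate -p flag.
bigip_tcpdump_cmd() {
    iface=$1; mods=$2; out=$3; shift 3
    valid_modifiers "$mods" || { echo "invalid modifiers: $mods" >&2; return 1; }
    spec=$iface
    [ -n "$mods" ] && spec="$iface:$mods"
    printf 'tcpdump -ni %s -s0 -v -w %s %s\n' "$spec" "$out" "$*"
}

# check_stray_p ARGS...: returns 1 if "-p" appears as its own argument.
# tcpdump treats a bare -p as "do not use promiscuous mode", so the
# capture starts normally but never requests peer-flow data.
check_stray_p() {
    for arg in "$@"; do
        [ "$arg" = "-p" ] && return 1
    done
    return 0
}

# Usage with the values from the question:
bigip_tcpdump_cmd 0.0 nnnp /var/tmp/test_sw.bin host and port 80
check_stray_p tcpdump -ni 0.0:nnn -s0 -v -p host and port 80 \
    || echo "warning: -p given as a flag; append p to the interface instead" >&2
```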