Forum Discussion

Bryan_T_
Sep 06, 2017

bigip tcpdump of both sides

Can someone post an example of a tcpdump that captures both the client and server side of the connection? Usually I have to run on the front-side VLAN, stop, then run another on the backend. We SNAT the source, so it can't be based on the client IP.

 

thanks,

 

1 Reply

  • What version of TMOS are you running? If 11.2 or later, have a look at K13637.

    The implementation of tcpdump on BIG-IP includes an argument to increase the 'noise level' which includes some great TMM information in the packet for troubleshooting. In addition, the 'p' argument will match and dump the server-side flow even if SNAT or OneConnect is in use.

    As a quick example:

    Client IP = 10.1.1.1 ; VIP = 192.168.100.10

    tcpdump -nni 0.0:nnnp -s0 -X 'host 10.1.1.1 and host 192.168.100.10'

    Or writing out to a file:

    tcpdump -nni 0.0:nnnp -w /var/tmp/my_capfile.pcap 'host 10.1.1.1 and host 192.168.100.10'

    Beware of the notes in the article about monitoring resource utilization of the system. My examples use interface 0.0. You may wish to specify the vlan instead. Use whatever other arguments you normally need for tcpdump, just providing examples of using the increased noise level and flow matching.
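As an added example (not part of the reply above), the following POSIX shell helper builds the same style of tcpdump command line: it validates the two addresses, appends the `:nnnp` modifier to the interface so the peer (server-side, post-SNAT) flow is matched, and optionally bounds the capture with `-c` so a long-running capture cannot quietly consume TMM resources. The function names `is_ipv4`, `build_capture_cmd` and `run_capture`, the default interface `0.0`, and the output path `/var/tmp/my_capfile.pcap` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): assemble a BIG-IP tcpdump
# command that captures both client-side and server-side flows of one
# connection, even when SNAT hides the original client address.

# is_ipv4 ADDR  -> exit 0 if ADDR is a dotted-quad IPv4 address, else 1
is_ipv4() {
    addr=$1
    # reject non-digit/dot characters, leading/trailing dots and empty octets
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -f; IFS=.; set -- $addr; unset IFS; set +f
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_capture_cmd CLIENT_IP VIP [IFACE] [OUTFILE] [MAX_PKTS]
#   Prints the tcpdump command line without running it.
#   ":nnnp" on the interface raises the noise level (nnn) so TMM metadata is
#   recorded, and "p" enables peer-flow matching so the SNATed server-side
#   flow is captured together with the client-side flow.
build_capture_cmd() {
    client=$1; vip=$2; iface=${3:-0.0}; outfile=$4; max_pkts=$5
    is_ipv4 "$client" || { echo "bad client ip: $client" >&2; return 1; }
    is_ipv4 "$vip"    || { echo "bad vip: $vip" >&2; return 1; }
    filter="host $client and host $vip"
    # optional packet cap (-c) to bound resource use on a busy system
    limit=${max_pkts:+ -c $max_pkts}
    if [ -n "$outfile" ]; then
        # write to a pcap file for offline analysis
        printf "tcpdump -nni %s:nnnp -s0%s -w %s '%s'\n" \
            "$iface" "$limit" "$outfile" "$filter"
    else
        # hex/ASCII dump to the terminal
        printf "tcpdump -nni %s:nnnp -s0%s -X '%s'\n" \
            "$iface" "$limit" "$filter"
    fi
}

# run_capture CLIENT_IP VIP [IFACE] [OUTFILE] [MAX_PKTS]
#   Builds the command and executes it (intended to be run on the BIG-IP).
run_capture() {
    cmd=$(build_capture_cmd "$@") || return 1
    echo "running: $cmd" >&2
    eval "$cmd"
}

# Only capture when invoked with arguments, e.g.:
#   sh capture.sh 10.1.1.1 192.168.100.10 0.0 /var/tmp/my_capfile.pcap 5000
if [ $# -ge 2 ]; then
    run_capture "$@"
fi
```

Running the script with a VLAN name instead of `0.0` as the third argument restricts the capture to that VLAN, as the reply suggests; the `p` modifier still pulls in the matching server-side flow.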