For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Bryan_T_'s avatar
Bryan_T_
Icon for Cirrus rankCirrus
Sep 06, 2017

bigip tcpdump of both sides

Can someone post an example of a tcpdump that captures botch client and server side of the connection? Usually I have to run on the front-side vlan, stop, then run another of the backend. We SNAT the...
application delivery
LTM
Ed_Summers's avatar
Ed_Summers
Icon for Nimbostratus rankNimbostratus
Sep 06, 2017

What version of TMOS are you running. If 11.2 or later, have a look at K13637.

The implementation of tcpdump on BIG-IP includes an argument to increase the 'noise level' which includes some great TMM information in the packet for troubleshooting. In addition, the 'p' argument will match and dump the server-side flow even if SNAT or OneConnect is in use.

As a quick example:

Client IP = 10.1.1.1 ; VIP = 192.168.100.10

tcpdump -nni 0.0:nnnp -s0 -X 'host 10.1.1.1 and host 192.168.100.10'

Or writing out to a file:

tcpdump -nni 0.0:nnnp -w /var/tmp/my_capfile.pcap 'host 10.1.1.1 and host 192.168.100.10'

Beware of the notes in the article about monitoring resource utilization of the system. My examples use interface 0.0. You may wish to specify the vlan instead. Use whatever other arguments you normally need for tcpdump, just providing examples of using the increased noise level and flow matching.