Forum Discussion
Full path TCPDump
I have been doing some studying on tcpdump and traffic analytics on the F5. I was wondering if there was a way to capture the entire path of the traffic all the way to the server. So I know I can do "Client to F5" and "Server to F5", but is there a way to do "Client to F5 to Server?" Would the VIP I want to dump have to be a performance L4 in order for this to work?
3 Replies
- aspindler34_133
Nimbostratus
Awesome, thanks for the responses gents.
from this sol: http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13637.html
Beginning in BIG-IP 11.2.0, you can use the p interface modifier with the n modifier to capture traffic with TMM information for a specific flow, and its related peer flow. The p modifier allows you to capture a specific traffic flow through the BIG-IP system from end to end, even when the configuration uses a Secure Network Address Translation (SNAT) or OneConnect. For example, the following command searches for traffic to or from client 10.0.0.1 on interface 0.0:
tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.dmp host 10.0.0.1
remember though that there is a limit on packet captures on interface, which I assume also goes for 0.0
see sol: http://support.f5.com/kb/en-us/solutions/public/6000/500/sol6546.html
Limitations
Running tcpdump on a switch interface is rate-limited to 200 packets per second. Therefore, if you run tcpdump on an interface that is processing more than 200 packets per second, the captured tcpdump file does not include all of the packets.
For example, the following command captures PVA-accelerated traffic, but the syntax results in a rate limit of 200 packets per second:
tcpdump -ni
- amolari
Cirrostratus
you could do the trace on all data interfaces with option "-i 0.0" and then have the proper host/traffic filter. To match the sessions between the client and server side (if the amount of traffic doesn't permit it), check the f5 wireshark plugin, that will facilitate it too: https://devcentral.f5.com/wiki/AdvDesignConfig.F5WiresharkPlugin.ashx
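Added example (not part of any reply above, and not F5 code): a small Python check for the 200 packets per second limit quoted in the thread. It reads a classic pcap file and lists the seconds in which the capture reached the limit, which is where packets are likely missing. This is a heuristic that assumes the limiter lines up roughly with wall-clock seconds; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

RATE_LIMIT_PPS = 200  # switch-interface capture limit quoted in the thread

def packets_per_second(pcap_bytes):
    """Return Counter {epoch_second: packet_count} for a classic pcap file."""
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian (usec / nsec)
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian (usec / nsec)
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    counts = Counter()
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack_from(
            endian + "IIII", pcap_bytes, offset)
        offset += 16 + incl_len
        if offset > len(pcap_bytes):
            break  # final record was cut short; do not count it
        counts[ts_sec] += 1
    return counts

def saturated_seconds(counts, limit=RATE_LIMIT_PPS):
    """Seconds whose packet count reached the limit (capture likely incomplete)."""
    return sorted(sec for sec, n in counts.items() if n >= limit)

def build_sample_pcap(per_second):
    """Constructed sample: {second: packet_count} -> pcap bytes with 4-byte dummy frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, n in per_second.items():
        for i in range(n):
            out += struct.pack("<IIII", sec, i, 4, 4) + b"\x00" * 4
    return out

if __name__ == "__main__":
    sample = build_sample_pcap({1000: 200, 1001: 37})  # constructed input
    counts = packets_per_second(sample)
    for sec in saturated_seconds(counts):
        print(f"second {sec}: {counts[sec]} packets, at or above the limit")
```

For a real capture, pass the file contents instead of the sample, for example `packets_per_second(open("/var/tmp/capture.dmp", "rb").read())`.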