Forum Discussion

Ørjan's avatar
Ørjan
Icon for Nimbostratus rankNimbostratus
Feb 27, 2017

How to turn off tmm info in tcpdump

From what I read in https://support.f5.com/csp/article/K13637 you have to actively tell the F5 implementation of tcpdump to include additional information. I have the opposite problem that there always is additional info in the capture file. I get a first packet with information about the command I used, Big-IP version, hostname, BIG-IP platform and product name. In each packet the partition and virtual server path is included at the end. (Which causes wireshark to tag the packets with "ethernet frame check sequence incorrect") It is sometimes useful to send packet captures to external parties for troubleshooting and I would prefer this to not be included.

 

I use tcpdump as I normally do on other devices i.e. "tcpdump -i external -nn host 1.2.3.4 -w /path/ -s 0 -vv". The result is the same from tmsh, bash and regardless of which partition I have set the shell to. Should the capture file be "clean" in the sense that tcpdump will see it as a normal capture when you capture like this?

 

  • Hi, did you find out solution to this cause? Maybe this can explain me why I have packets corrupted on v11.6.1. I realized that some HTTP headers was corrupted due to wrong bits inserted to that packets.

     

    Thank you.

     

  • It is the -nn that adds the TMM info. The following I think should work and not insert tmm info:

    tcpdump -i external host 1.2.3.4 -w /path/ -s 0 -vv"
    
  • P_K's avatar
    P_K
    Icon for Altostratus rankAltostratus

    It's the nnnp when joined with interface or vlan provides high level of tmm info.

     

    Ex: tcpdump -nni 0.0:nnnp....

     

    nnnp - Low, medium, High tmm details in the packet capture with specific traffic flow between peers.