Forum Discussion
How to view TCPDump on LTM
At present I run the tcpdump command, get the log file from the F5/root folder, download it to my system using sftp, and view the logs!
Is there a way I can see logs from the tmsh command line, live traffic flow between hosts, like we do on Cisco products, where we can see source and destination addresses and ports?
Thanks in advance
- Jad_Tabbara__J1
Cirrostratus
Hello,
Are you using the "-w" option to write the output of tcpdump to a file?
If you remove the option, it will be displayed in the stdout stream (terminal).
Please check the following KB about tcpdump options: link text
A common tcpdump command that I use is:
tcpdump -nni 0.0 -s0 -X host x.x.x.x and host y.y.y.y
Regards
- Samir_Jha_52506
Noctilucent
Are you asking specifically about TCPDUMP, or about other options in F5? In TCPDUMP you can capture live packets, print them on screen and store them in a folder for later use.
Ex:
tcpdump -nni 0.0:nnn -s0 host x.x.x.x and host y.y.y.y
It will show packets on screen.
tmsh show sys connection
is the basic starting point, but if that's all you specify, you'll see all the connections - which is probably much more output than you want. You need to specify additional information about the endpoints you care about if you want to limit the output.
cs-client-addr - the (client) source IP address on the clientside of the connection
cs-client-port - the (client) source port on the clientside of the connection
cs-server-addr - the (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address)
cs-server-port - the (server) destination port on the clientside of the connection (i.e. the Virtual Server port)
ss-client-addr - the (client) source IP address on the serverside of the connection (i.e. the SNAT address)
ss-client-port - the (client) source port on the serverside of the connection (i.e. the SNAT port)
ss-server-addr - the (server) destination IP address on the serverside of the connection (i.e., the Pool Member address)
ss-server-port - the (server) destination port on the serverside of the connection (i.e., the Pool Member port)
You can mix/match these options as necessary to isolate the connections you are interested in. The more pieces of information you specify, the narrower your focus will be, and the smaller your output will become. So for example, this command would show me all connections from client 100.1.1.1, to any Virtual Server assigned address 10.1.1.0, that were load-balanced to Pool Member 192.168.1.1:9999:
tmsh show sys conn cs-client-addr 110.x.x.x1 cs-server-addr 11.x.x.0 ss-server-addr 192.168.x.x ss-server-port 9090
- IRONMAN
Cirrostratus
Thanks,
As I understood here, host x.x.x.x and host y.y.y.y:
X source Client IP and Y VIP IP for client side; X source VIP and Y Pool member for Server side.
Based on IP it will capture the traffic, am I correct?
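Added example (not part of any post in this thread): a Python sketch that reads `tcpdump -nn` text output and labels each packet as clientside or serverside, using the same eight keys that `tmsh show sys connection` filters on. The connection values and capture lines are constructed sample data, and only IPv4 lines with ports are handled.

```python
import re
from collections import Counter

# tcpdump -nn text line: "<time> IP <src>.<sport> > <dst>.<dport>: ..." (IPv4 only)
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed connection, keyed like the tmsh show sys connection filters.
CONN = {
    "cs-client-addr": "100.1.1.1",     "cs-client-port": 51000,  # client
    "cs-server-addr": "10.1.1.10",     "cs-server-port": 443,    # Virtual Server
    "ss-client-addr": "192.168.1.250", "ss-client-port": 40001,  # SNAT address
    "ss-server-addr": "192.168.1.1",   "ss-server-port": 9999,   # Pool Member
}

# Constructed capture text; the indented line mimics a -X hex dump row.
SAMPLE = """\
12:00:00.000001 IP 100.1.1.1.51000 > 10.1.1.10.443: Flags [S], seq 1, win 29200, length 0
12:00:00.000150 IP 192.168.1.250.40001 > 192.168.1.1.9999: Flags [S], seq 9, win 29200, length 0
12:00:00.000400 IP 192.168.1.1.9999 > 192.168.1.250.40001: Flags [S.], seq 5, ack 10, win 28960, length 0
12:00:00.000500 IP 10.1.1.10.443 > 100.1.1.1.51000: Flags [S.], seq 7, ack 2, win 4380, length 0
        0x0000:  4500 003c 0000 4000 4006 0000 0a01 010a  E..<..@.@.......
12:00:00.000900 IP 10.9.9.9.12345 > 10.1.1.10.443: Flags [S], seq 3, win 29200, length 0
"""

def parse_line(line):
    """Return (src, sport, dst, dport), or None for lines that are not packet headers."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)

def classify(pkt, conn):
    """Match a packet, in either direction, against one side of the connection."""
    ends = {(pkt[0], pkt[1]), (pkt[2], pkt[3])}
    for side, label in (("cs", "clientside"), ("ss", "serverside")):
        side_ends = {(conn[f"{side}-client-addr"], conn[f"{side}-client-port"]),
                     (conn[f"{side}-server-addr"], conn[f"{side}-server-port"])}
        if ends == side_ends:
            return label
    return "other"

def summarize(lines, conn):
    """Count packets per side; hex dump and other non-header lines are skipped."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None:
            counts[classify(pkt, conn)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines(), CONN))
```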