For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

TomSu_93471's avatar
TomSu_93471
Icon for Nimbostratus rankNimbostratus
Feb 01, 2012

Simultaneous tcpdump capture for two different physical intf 1.1 and 1.2

Hi,

 

 

need some help on tcpdump tracing topics. I want to trace two physicals 1.1 and 1.2

 

at the same time, but this seems not possible ?

 

1) one session goes ok:

 

 

[root@f5-1:Active] tmp tcpdump -s0 -ni 1.1:nnn -w /var/tmp/1.1.pcap tcpdump: listening on 1.1:nnn, link-type EN10MB (Ethernet), capture size 65535 bytes

 

 

2) but the 2nd one fails soon after starting:

 

 

[root@f5-1:Active] tmp tcpdump -s0 -ni 1.2:nnn -w /var/tmp/1.2.pcap tcpdump: listening on 1.2:nnn, link-type EN10MB (Ethernet), capture size 65535 bytes tcpdump: pcap_loop: Error: Interface packet capture busy

 

 

Trace on 0.0 works ok, however I don't see in there references to physical intf numbers, so it will be hard to see real traffic flow what is exactly what I need (STP BPDUs issue between Cisco and f5)

 

 

Any help on this topics appreciated,

 

Cheers

 

Tom

 

 

 

basic
getting started
new to f5

4 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Feb 01, 2012
    I want to trace two physicals 1.1 and 1.2 at the same time, but this seems not possible ? no, it is not possible.

     

     

    Trace on 0.0 works ok, however I don't see in there references to physical intf numbers, so it will be hard to see real traffic flow what is exactly what I need (STP BPDUs issue between Cisco and f5)is source mac address not usable?
  • Naresh_15230's avatar
    Naresh_15230
    Historic F5 Account
    Feb 02, 2012
    1) Create vlan by associating interface like this

     

    [root@localhost:Active] config tmsh create net vlan int interfaces add { 1.1 }

     

    [root@localhost:Active] config tmsh create net vlan ext interfaces add { 1.2 }

     

     

    2) Now you can verify tcpdump for traffic in both the vlans simultaneously like this

     

    [root@localhost:Active] config tcpdump -ni /Common/int

     

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

     

    listening on /Common/int, link-type EN10MB (Ethernet), capture size 96 bytes

     

     

    In another session,

     

    [root@localhost:Active] config tcpdump -ni /Common/ext

     

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

     

    listening on /Common/ext, link-type EN10MB (Ethernet), capture size 96 bytes

     

  • Nick_Ehlers_132's avatar
    Nick_Ehlers_132
    Icon for Nimbostratus rankNimbostratus
    Mar 21, 2015

    this wont work then?

     

    1. system tcpdump –i (1.1, f5_trunk1, external, 0.0) –eXs 0 –w /var/tmp/dump.cap &
    2. system tcpdump –i (1.1, f5_trunk1, external, 0.0) –eXs 0 –w /var/tmp/dump2.cap &
    3. system fg
    4. ctl+c
    5. system fg
    6. ctl+c
    7. system tcpdump –r /var/tmp/dump.cap
    8. system tcpdump –r /var/tmp/dump2.cap

    ???????

     

  • StephanManthey's avatar
    StephanManthey
    Icon for Nacreous rankNacreous
    Mar 21, 2015

    Hi Nick,

     

    as far as I understand it´s not a matter of running the commands simultaneously.

     

    Instead it´s a matter of replicating traffic on a physical interface and a limitation of the chipset.

     

    By now I never saw it working on a switch based F5 BIG-IP.

     

    Thanks, Stephan