Forum Discussion

SanYang
Feb 05, 2025

Strange phenomenon seen in the tcpdump

Hi All,

I grabbed a packet capture to find the cause of a service outage, and I found that the connection is not connected to any virtual server and the port is 0.67, but obviously there is no such port on the device, so why would this happen?

My device is an i4800, and the service should be a forwarding type of virtual server.

  • I understand the lack of understanding and don't have a direct answer.

    I would look further: try looking at another virtual server and see how the tcpdump output looks there.

    Double check the IP address, and try with the source instead of the destination. This looks like FTP; perhaps an FTP profile is somehow involved?

    And of course if you have a support contract reach out to F5 support, they can look at your full configuration and that makes things easier.

  • Hi Sanyang,

    The command you are using, tcpdump -nnvvi 0.0, is capturing internal TMM information with tcpdump.

    F5 TMM1 is a Traffic Management Microkernel (TMM) instance on a BIG-IP system. 
    TMM is a custom kernel that handles all traffic processing and routing on a BIG-IP system. 

    TMM typically runs multiple instances (e.g. tmm0, tmm1, tmm2, tmm3), and the DAG (disaggregator) distributes each flow to a particular tmm instance.

    It is the -nn that adds the TMM info. The following I think should work and not insert TMM info:

    tcpdump -i external host 128.110.13.37 -w /path/ -s 0 -vv

    Instead of using the any interface 0.0:

    tcpdump -nnvvi 0.0


    you should use the specific interface of your concern.

    tcpdump -nnvvi <interface_number>

    It's the nnnp that, when joined with the interface or VLAN, provides a high level of TMM info.

    Ex: tcpdump -nni 0.0:nnnp....

    nnnp: low, medium, and high TMM details in the packet capture for a specific traffic flow between peers.


    If the specified interface is a member of a trunk, tcpdump captures all traffic flowing through the trunk, not just the traffic traversing the specified interface.


    Note: When you run tcpdump on a member of a trunk interface on a platform with no switch, such as the 2000/4000 (C112/C113) series, the resulting capture may be missing some incoming packets. If you want to avoid this, use the full trunk name or a VLAN name to perform a capture.

    When you run tcpdump on an interface on a VIPRION system, you must run the tcpdump command on the same blade in which the interface belongs. For example, if you are logged into blade 1 and you want to run tcpdump on interface 2/2.1, you must log into blade 2 before running the tcpdump command.


    On i2600/i2800 and i4600/i4800 platforms (C117/C115) it is not possible to perform a tcpdump capture on individual physical interfaces. A tcpdump on these platforms will perform a full TMM capture (interface 0.0). Care should be taken to ensure appropriate filters are used to limit capture data.


    Timestamp resolution is low (circa 0.2 seconds) on interface captures. Bcm56xxd uses its internal timestamp, which is only synced periodically. When multiple packets arrive at bcm56xxd in a single poll cycle, they will all have the same timestamp.

    Running tcpdump on an interface

    -- Simultaneous capture on all trunk members, or running a command similar to the following: 
    tcpdump -i <trunk interface>


    -- Use the following command if you want traffic on a VLAN that has a trunk as its interface:
    tcpdump -i <vlan>
    This captures packets on all members of the trunk. 

    -- Use the following command if you want all traffic on all members (not just a VLAN on the trunk):
    tcpdump -i <trunk interface>
    This captures all traffic on the trunk. 

    -- Use the following command to capture all packets, including incoming packets on trunks to virtual servers:
    tcpdump -i 0.0

    Recommendations

    F5 recommends that you run only a tcpdump on an interface in the BIG-IP system when performing basic connectivity troubleshooting. When you run tcpdump on an interface, the packet is copied on a switch ingress to the Switch Card Control Processor (SCCP) or Always-On Management (AOM), which then sends the packet to the host to be captured by tcpdump.

    When you run tcpdump on interface 0.0, it is not rate-limited like running tcpdump on a hardware switch interface. When you capture traffic on interface 0.0, it has the potential to create very large files. F5 only recommends running tcpdump on interface 0.0 for troubleshooting when you are filtering to limit the size of the capture.

    Limitations

    When you run tcpdump on a hardware switch interface, it is rate-limited to 200 packets per second. Therefore, if you run tcpdump on an interface that is processing more than 200 packets per second, the captured tcpdump file does not include all of the packets.

    You need a method to validate whether packets transmitted onto the wire from a trunk interface on the BIG-IP system include or exclude the VLAN tag ID according to the VLAN interface defined. However, it is noticed that tcpdump is capturing VLAN tag ID information for both untagged and tagged VLAN interfaces. VLAN ID 1 is the untagged interface.

    tcpdump -nnei 3.0 icmp

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 3.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    20:07:27.539054 f4:15:63:51:ba:04 > 00:01:d7:d0:a1:84, ethertype 802.1Q (0x8100), length 142: vlan 1, p 0, ethertype IPv4, 10.1.1.1 > 10.1.1.2: ICMP echo request, id 31733, seq 1, length 64 out slot1/tmm1 lis= port=0.41 trunk=trunk_list
    20:07:36.415012 f4:15:63:51:ba:05 > 00:01:d7:d0:a1:83, ethertype 802.1Q (0x8100), length 142: vlan 1111, p 0, ethertype IPv4, 10.6.6.1 > 10.6.6.2: ICMP echo request, id 31752, seq 1, length 64 out slot1/tmm0 lis= port=0.35 trunk=trunk_list

    Check if there is any asymmetric routing:

    VLAN Group and Asymmetric Deployment | DevCentral

    K74082037: How to sniff trunk interface that includes untagged and tagged VLAN traffic

    https://my.f5.com/manage/s/article/K74082037

    https://clouddocs.f5.com/training/community/adc/html/class4/module1/lab03.html

    The enhanced tcpdump utility can capture extra details, such as what virtual server and what TMM is handling a specific sample of traffic.

    The noise amplitude defines the level of TMM details included in the packet capture. The following noise levels may be captured:

    n: Low details
    nn: Low and medium details
    nnn: Low, medium, and high details

    Note: Starting in BIG-IP 14.1.0, when you capture traffic using tcpdump with the --f5 n option, the tcpdump noise modifier defaults to high noise, which is equivalent to the syntax that has a noise amplitude of nnn specified after the interface.

    To check what the different noise levels include, you can refer to the following article:

    https://my.f5.com/manage/s/article/K13637


    https://my.f5.com/manage/s/article/K7227

    K7227: Considerations when using the tcpdump utility with tagged VLAN traffic

    Kindly rate if it helps.

    HTH

    F5 Design Engineer.
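As an added example (not code from this thread or from F5), here is a small Python parser for the enhanced-tcpdump annotation shown above: it pulls out the VLAN, direction, slot/TMM, listener, port and trunk for each packet and lists the packets TMM handled with an empty lis= field, i.e. traffic that matched no virtual server, which is the symptom in the original question. The sample lines are constructed in the format shown above; the second line's "in" direction and the listener name /Common/vs_web are assumed values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the enhanced-tcpdump format shown in the reply above. The second
# line's direction ("in") and listener name (/Common/vs_web) are hypothetical values.
SAMPLE_CAPTURE = """\
20:07:27.539054 f4:15:63:51:ba:04 > 00:01:d7:d0:a1:84, ethertype 802.1Q (0x8100), length 142: vlan 1, p 0, ethertype IPv4, 10.1.1.1 > 10.1.1.2: ICMP echo request, id 31733, seq 1, length 64 out slot1/tmm1 lis= port=0.41 trunk=trunk_list
20:07:36.415012 f4:15:63:51:ba:05 > 00:01:d7:d0:a1:83, ethertype 802.1Q (0x8100), length 142: vlan 1111, p 0, ethertype IPv4, 10.6.6.1 > 10.6.6.2: ICMP echo request, id 31752, seq 1, length 64 in slot1/tmm0 lis=/Common/vs_web port=0.35 trunk=trunk_list
"""

# The TMM annotation is appended after the normal tcpdump decode: direction relative to
# TMM, slot/tmm instance, the listener (virtual server) owning the flow, the internal
# port, and an optional trunk name.
TMM_RE = re.compile(
    r"\b(?P<dir>in|out)\s+slot(?P<slot>\d+)/tmm(?P<tmm>\d+)\s+"
    r"lis=(?P<lis>\S*)\s+port=(?P<port>\S+)(?:\s+trunk=(?P<trunk>\S+))?"
)
VLAN_RE = re.compile(r"\bvlan (?P<vlan>\d+),")  # only present on 802.1Q-tagged frames

@dataclass
class TmmFlow:
    timestamp: str
    vlan: Optional[int]   # None when the frame carried no 802.1Q tag
    direction: str        # "in" or "out"
    slot: int
    tmm: int
    listener: str         # "" means no virtual server matched this packet
    port: str
    trunk: Optional[str]

def parse_line(line: str) -> Optional[TmmFlow]:
    """Return the TMM annotation of one capture line, or None if the line has none."""
    m = TMM_RE.search(line)
    if not m:
        return None
    v = VLAN_RE.search(line)
    return TmmFlow(
        timestamp=line.split(" ", 1)[0],
        vlan=int(v["vlan"]) if v else None,
        direction=m["dir"], slot=int(m["slot"]), tmm=int(m["tmm"]),
        listener=m["lis"], port=m["port"], trunk=m["trunk"],
    )

def parse_capture(text: str) -> List[TmmFlow]:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]

def unmatched_flows(flows: List[TmmFlow]) -> List[TmmFlow]:
    """Packets TMM processed without any listener: the 'no virtual server' symptom."""
    return [f for f in flows if f.listener == ""]
```

Run it over a capture saved with the :nnn noise modifier and look at what unmatched_flows returns; a non-empty list shows exactly which VLAN, TMM and internal port the unowned traffic arrived on.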

  • If you are using vCMP and doing the tcpdump from the guest, then maybe this is the virtual connection from the guest to the host, as these virtual interfaces are named 0.x: https://my.f5.com/manage/s/article/K03740927

    Other than that, "tmsh show /net interface -hidden" may show it (iSeries have internal interfaces to the bc switch inside the F5) if it is not vCMP, but the format seems like vCMP.

    example:

    Interface flapping on internal, non-physical interface

    Better, as was already mentioned, to focus on the interface or VLAN you want to capture traffic on, as in F5 the VLAN name can also be used as an interface 😉