TCPDUMP Command

Question

Hi, I need a TCPDUMP command to capture traffic from end to end. 
Could you please tell me a TCPDUMP command to capture traffic coming to my virtual IP A.A.A.A from any client and going to a pool member B.B.B.B or C.C.C.C.&nbsp;

hannes_rapp · Answer

The incoming connection is terminated by BigIP, and BigIP initiates a second connection from itself to the pool members. You will need 2 dumps for this.
(vlan_810_cs and vlan_820_ss are exact names of my VLAN objects)
tcpdump -i vlan_810_cs dst A.A.A.A -nn -vvv -w /var/tmp/external.pcap
tcpdump -i vlan_820_ss dst B.B.B.B or C.C.C.C -nn -vvv -w /var/tmp/internal.pcap

hannes_rapp_162 · Answer

The incoming connection is terminated by BigIP, and BigIP initiates a second connection from itself to the pool members. You will need 2 dumps for this.
(vlan_810_cs and vlan_820_ss are exact names of my VLAN objects)
tcpdump -i vlan_810_cs dst A.A.A.A -nn -vvv -w /var/tmp/external.pcap
tcpdump -i vlan_820_ss dst B.B.B.B or C.C.C.C -nn -vvv -w /var/tmp/internal.pcap

crodriguez · Answer

In some cases, you can do this with one TCPDUMP command by using the "p" modifier on the VLAN name. For example, if A.A.A.A normally receives traffic on the VLAN named "external", and you want to capture both client-side traffic (from clients to A.A.A.A) and server-side traffic (to any of the pool members associated with the virtual server):
tcpdump -i external:p dst A.A.A.A ....

You can then add other TCPDUMP options as desired, such as those provided by Hannes above.

crodriguez · Answer

In some cases, you can do this with one TCPDUMP command by using the "p" modifier on the VLAN name. For example, if A.A.A.A normally receives traffic on the VLAN named "external", and you want to capture both client-side traffic (from clients to A.A.A.A) and server-side traffic (to any of the pool members associated with the virtual server):
tcpdump -i external:p dst A.A.A.A ....

You can then add other TCPDUMP options as desired, such as those provided by Hannes above.

p_k · Answer

You can try something like below. Self-IP in the below command can be self IP of a Vlan on your Big-IP or self-IP of Big-IP itself.&nbsp;
tcpdump -nni vlan:nnnp '(host A.A.A.A and port )' or '(host  and B.B.B.B)' or '(host  and C.C.C.C)' -s0 -vvv -W /var/tmp/capture.pcap&nbsp;
Ref--&gt; https://devcentral.f5.com/questions?pid=54715&nbsp;

Forum Discussion

TCPDUMP Command

Recent Discussions

F5 BOT DEFENSE AWAF blocked some legitimate browsers

Advice to partial rename uri path

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Submenus missing in ASM Security Tab

XC Bot defense question

Related Content

8. SYN Cookie: Troubleshooting tcpdump

Decrypting TLS with the tcpdump sslprovider

Power of tmsh commands using Ansible

Tcpdump Capture

Run tcpdump on event

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS