For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Feb 11, 2015

tcpdump excluding monitor traffic

Hi,   Probably something obvious but I can't figure it out. Let's say: 1. We have standalone device. 2. There is only selfIP on internal (no floating as it's standalone) 3. Http VS has Automap set...
application delivery
availability
LTM
management
TMOS
uni's avatar
uni
Icon for Altocumulus rankAltocumulus
Feb 11, 2015

This has always been a pain. To help with this, I have try where possible to use a SNAT pool rather than automap. However, it's obviously too late for that now. You could do it with two passes through tcpdump. The first pass you capture traffic to the virtual IP and include the 😛 flag. You then filter the output of that to exclude the VS IP:

tcpdump -i external:nnnp -s0 -w - host 10.1.2.3 | tcpdump -r - -s0 not host 10.1.2.3

Or, probably more usefully, save the capture from the first command, and process it afterwards:

tcpdump -i external:nnnp -s0 -w /var/tmp/my.cap host 10.1.2.3
tcpdump -r /var/tmp/my.cap -s0 not host 10.1.2.3

That's off the top of my head, I haven't tested it. If it's not quite right, hopefully you get the idea.