Forum Discussion
dragonflymr
Cirrostratus
Feb 11, 2015
tcpdump excluding monitor traffic
Hi,
Probably something obvious but I can't figure it out. Let's say:
1. We have a standalone device.
2. There is only a selfIP on internal (no floating as it's standalone)
3. Http VS has Automap set...
uni
Altocumulus
Feb 11, 2015
This has always been a pain. To help with this, I have tried where possible to use a SNAT pool rather than automap. However, it's obviously too late for that now. You could do it with two passes through tcpdump. In the first pass, you capture traffic to the virtual IP and include the :p flag. You then filter the output of that to exclude the VS IP:
tcpdump -i external:nnnp -s0 -w - host 10.1.2.3 | tcpdump -r - -s0 not host 10.1.2.3
Or, probably more usefully, save the capture from the first command, and process it afterwards:
tcpdump -i external:nnnp -s0 -w /var/tmp/my.cap host 10.1.2.3
tcpdump -r /var/tmp/my.cap -s0 not host 10.1.2.3
That's off the top of my head, I haven't tested it. If it's not quite right, hopefully you get the idea.