tcpdump excluding monitor traffic
Hi Stephan,
Thanks for the explanation. I missed that external is used for -i. I am a novice but have already learned a bit about noise and the p parameter :-) I am curious whether -i external:nnnp will indeed catch the full flow - both client and server side, or just the client side part? I had the impression that to catch the full flow 0.0 has to be used? As far as I understand, when using the p parameter monitor traffic is automatically excluded, even if the server IP is used for the host parameter (let's say I do not know the client IP or would like to catch all SNAT<->server traffic).
Considering your example, to get just server side traffic from the dump I still need to use tcpdump -r /dump.cap not host ? I assume that when reading a dump file, using -i is not necessary, or is it?
Piotr
- StephanManthey (Nacreous), Feb 12, 2015
Hi Piotr, my example contains client- and serverside traffic but not the monitoring as it does not belong to the client initiated flow. If you specify the VIP as filter, you will get traffic of all clients including serverside traffic. You can apply filters when reading the raw dump on CLI. I prefer export to WireShark. Will go offline now. Thanks, Stephan
- dragonflymr (Cirrostratus), Feb 12, 2015
Hi, Thanks a lot for pointing me to this great Wireshark article. It's really amazing how it simplifies analyzing F5 flows. Now I have to play around and use the trick to connect tcpdump output from VE to my Wireshark. Piotr