Forum Discussion

dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Feb 11, 2015

tcpdump excluding monitor traffic

Hi,   Probably something obvious but I can't figure it out. Let's say: 1. We have standalone device. 2. There is only selfIP on internal (no floating as it's standalone) 3. Http VS has Automap set...
application delivery
availability
LTM
management
TMOS
dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Feb 11, 2015

Hi Stephan,

 

Thanks for explanation. I missed that external is used for -i. I am novice but already learned a bit about noise and p parameter :-) I am curious if -i external:nnnp will indeed catch full flow - both client and server side or just client side part? I had impression that to catch full flow 0.0 has to be used? As far as I understand, in case of using p parameter monitor traffic is automatically excluded, even if server ip is used for host parameter (let's say I do not know client IP or would like to catch all SNAT<->server traffic)

 

Considering your example, to get just server side traffic from the dump I still need to use tcpdump -r /dump.cap not host ? I assume that in case of reading dump file using -i is not necessary or it is?

 

Piotr

 

StephanManthey's avatar
StephanManthey
Icon for Nacreous rankNacreous
Feb 12, 2015
Hi Piotr, my example contains client- and serverside traffic but not the monitoring as it does not belong to the client initiated flow. If you specify the VIP as filter, you will get traffic of all clients including serverside traffic. You can apply filters when reading the raw dump on CLI. I prefer export to WireShark. Will go offline now. Thanks, Stephan