For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Feb 11, 2015

tcpdump excluding monitor traffic

Hi,   Probably something obvious but I can't figure it out. Let's say: 1. We have standalone device. 2. There is only selfIP on internal (no floating as it's standalone) 3. Http VS has Automap set...
application delivery
availability
LTM
management
TMOS
dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Feb 11, 2015

Hi Stephan,

 

Thanks for explanation. I missed that external is used for -i. I am novice but already learned a bit about noise and p parameter :-) I am curious if -i external:nnnp will indeed catch full flow - both client and server side or just client side part? I had impression that to catch full flow 0.0 has to be used? As far as I understand, in case of using p parameter monitor traffic is automatically excluded, even if server ip is used for host parameter (let's say I do not know client IP or would like to catch all SNAT<->server traffic)

 

Considering your example, to get just server side traffic from the dump I still need to use tcpdump -r /dump.cap not host ? I assume that in case of reading dump file using -i is not necessary or it is?

 

Piotr

 

dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Feb 12, 2015
Hi, Thanks a lot for pointing me to this great Wireshark article. It's really amazing how it simplifies analyzing F5 flows. Now I have to play around and use the trick to connect tcpdump output from VE to my Wireshark. Piotr