Tcpdump for tcp packet capture question

Question

Hi all &nbsp;
Recently , I am perform a packet capture with tcpdump at F5 for the application . &nbsp;
Base on the tcpdump , I saw the TCP handshake are completed and then follow with client send sync connection to server only .   I didn't see the server reply anything to client base on packet. &nbsp;
However , the messages transaction are completed and working properly.&nbsp;
I just wonder how can the message transaction are completed and success when I only saw client send sync connection to server only . &nbsp;
The tcpdump command run are tcpdump -s0 -ni 0.0 -w var/tmp/client/pcap&nbsp;
Can anyone enlightened me what shall the tcpdump command shall execute to see the entire traffic ? please see attached result which I use wireshark to filter client ip : 172.16.1.200&nbsp;

lee_sutcliffe · Answer

There's nothing wrong with your tcpdump syntax, you have used the -n 0.0 switch to listen on all interfaces. 
If you right click in Wirehshark on the first SYN and select 'Follow TCP Stream' do you see any TCP FIN messages?
Are you sure traffic is returning via the F5?
You can also add a -e switch to list which layer 2 VLAN each packet is seen on.

Forum Discussion

Tcpdump for tcp packet capture question

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

irule to enable http/2 acceleration

VS FORWARDING & ROUTE

Statistics ›› Analytics : HTTP : Overview

SNI Sites not taking correct certificate.

Related Content

Tcpdump Capture

decrypted tcpdump capture without using an iRule using tshark

Decrypting BIG-IP Packet Captures without iRules

Decrypting BIG-IP Packet Captures Automatically

8. SYN Cookie: Troubleshooting tcpdump

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS