Forum Discussion

InquisitiveMai's avatar
Oct 25, 2022

tcpdump from client to VIP and Self Ip to Pool

What is the best way to capture traffic between 

client <--> VIP and Self IP <--->Pool Members

I tried tcpdump -ni 0.0:nnn host<VIP ip address> or host<pool1 ip address> or host <pool 2 ip address> -w  <file Location>

I captured packets with the the ip addresses above. How can we isolate or filter this traffic to identify which client side connection is associated which server side connection. Can we do something with the F5 ethernet trailer Low, Medium and High Details

3 Replies

    • InquisitiveMai's avatar
      Icon for Cirrus rankCirrus

      Thank you for your response. Because we are capturing traffic on any interface with  tcpdump -i 0.0 option, should not it capture all the traffic including poolmembers and self Ip. Why would we still need p option? I see that p option may cause some high resource utlization. Is there any significance to use p option? Can't we just use the client ip without the p option and add the VIP and pool members option like below and then filter it out with the flow from clientside associated to serverside


      tcpdump -ni 0.0:nnn host<VIP ip address> or host<pool1 ip address> or host <pool 2 ip address>



  • Hello,


    As Juergen_Mang said, the "P" option allows you to capture both sides.

    "you can use the p interface modifier with the n modifier to capture traffic with TMM information for a specific flow and its related peer flow. The p modifier allows you to capture a specific traffic flow through the BIG-IP system from end to end,"

    Besides show the traffic in the wireshark using the flow option to isolate traffic as you need.

    navigate to Statistics > Flow Graph, you will find an output similar to the below one that shows client side and server side:


    Mohamed Salah