Forum Discussion
jack_39736
Nimbostratus
Nimbostratustcpdump not showing all data
I have a test VIP that load balances to a single web server which I can connect to with no problem over port 80...I'm running version 10.0.1.
I turned up tcpdump to watch the traffic oome in and out on the F5 and it only shows a packet or two every couple of minutes no matter how many times I refresh the browser.
I have tried this same thing for other traffic and the F5 continues not to show all traffic through tcpdump.
The F5 device is not showing any errors on the interfaces, the memory is low and so is the connection count.
Can anyone shed some light on this problem?
thanks
Jack
20 Replies
jack_39736The tcpdump using the external host command didn't render any output at all.
I was able however, to get the pps throughput using NGenius and I'm at around 2000-3000 pps on the inside interface so this would probably expliain why tcpdump is performing so poorly. The thing is, the F5 that I'm testing on isn't even our production box that pushes alot more packets per second.....how do you troubleshoot this box with a broken tcpdump???
The reason I ask is that the F5 is a fairly new deploy for me and I am starting to get calls from the Windows crew that have machines behind VIPS on this box and they want me to troubleshoot their flows and I can't.....I'm I missing something here?
jack- hoolio
Cirrostratus
There isn't a limitation on tcpdump if you use the VLAN instead of the port number. Just make sure you're specifying the correct VLAN.
Aaron - jack_39736what is the correct syntax for tcpdump using the vlan?
thanks - hoolioJust the name of the VLAN as listed in 'b vlan list'.
Aaron - jack_39736Thanks Aaron.
This was the only way I can get it to partially work:
tcpdump -i 1.1 vlan 4094 | grep 172.21.61.3
and again, I'm back to the same spotty output - hoolioJust use the vlan name instead of the port for the interface (and remove the vlan 4094 tag):
tcpdump -i external host 172.21.61.3 -s 0 -l
replace external with the actual vlan name from 'b vlan list'.
Aaron - jack_39736THAT WORKS!
nice..I guess I had a pps issue that needed the exact syntax as you pointed out, Aaron.
I opened a case with F5 and they didn't provide me with any good information at all and never told me about a 200 pps limitation on tcpdump.
thanks again for all the help.
On another note, I really like those "b" commands that you suggested as I haven't done much with the command line.
Is there any chance you can give me a short list of your favorite command line commands that can be useful in troubleshooting?
thanks again
jack - hoolioGlad that's working for you. In v10 you have the new tmsh and existing bigpipe commands available. These are documented in the reference guides:
TMSH reference guide:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip_tmsh_refguide.html
bigpipe reference guide:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/CLI_guide_943.html
Aaron 
Rafa_AyalaHello, I have a problem with my ltm, writing tcpdump -ni external port xxxx can not see any kind of traffic passing, I tried with filters and nothing written here .. just sometimes looks good dump, have some idea? thank you very much , sorry my English so bad
- Rafa_Ayala
Only with this command I see traffic :
tcpdump -X -vvv -nnei 1.3:nnn -s0 host X.X.X.X and port XXXX
