Forum Discussion

smp_86112
Nov 26, 2008

tcpdump of UDP traffic

I'm running 9.3.1HF3. I've got a couple of proxy servers who stream RTSP over UDP from the Internet back to the clients. I'm trying to determine if I can capture this traffic with tcpdump.

What I'm struggling with is that when I typically do a tcpdump, I'm looking for traffic inbound on the external interface. And in that case, I understand if there is no Virtual Server for this traffic, it is routed through the forwarding virtual server and I can't capture it.

However in the case of this RTSP traffic, the source is our internal nodes. What I can't wrap my mind around is if I can capture that data when there is no Virtual Server listening for inbound traffic on the Internal interface. Can you even set up a Virtual Server listening for inbound traffic on the Internal interface - does that even make sense?
  • If the traffic is traversing the LTM, even via a forwarding virtual server, it can be captured by tcpdump. If you look at the tcpdump man page (man tcpdump from the cli) you get a list of all the possibilities. For starters, you can look at the rtsp traffic (assumed default port) on the physical interface, or on a vlan interface:

    tcpdump -i 1.1 udp port 554 -s0

    tcpdump -i Internal udp port 554 -s0

    If you want to capture udp port 554 even on the internal loopbacks, you can use interface 0.0. Any broadcast traffic in a vlan that the LTM participates in will also be viewable via tcpdump.

    HTH
  • Thank you citizen. I was able to confirm that I can capture traffic which is routed through a forwarding VS. Don't know what I was doing wrong before...
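
As an added example (not part of the original thread): if a capture like the ones in the reply above is written to a file with tcpdump's `-w` option, the following Python reads the classic pcap bytes and counts UDP flows touching port 554, to confirm the forwarded traffic really is in the capture. It assumes an Ethernet link type; `udp_flows`, `sample_pcap` and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

def udp_flows(pcap: bytes, port: int = 554) -> Counter:
    """Count IPv4/UDP packets per (src, sport, dst, dport) that touch `port`."""
    if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"                                   # little-endian writer
    elif pcap[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"                                   # big-endian writer
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    flows, off = Counter(), 24                      # 24-byte global header
    while off + 16 <= len(pcap):                    # 16-byte per-packet header
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        eth = 12                                    # offset of the EtherType
        while frame[eth:eth + 2] == b"\x81\x00":    # skip 802.1Q VLAN tags if present
            eth += 4
        ip = frame[eth + 2:]
        if frame[eth:eth + 2] != b"\x08\x00" or len(ip) < 20 or ip[9] != 17:
            continue                                # not IPv4 carrying UDP
        ihl = (ip[0] & 0x0F) * 4
        if struct.unpack(">H", ip[6:8])[0] & 0x1FFF or len(ip) < ihl + 4:
            continue                                # later fragment or truncated
        sport, dport = struct.unpack(">HH", ip[ihl:ihl + 4])
        if port in (sport, dport):
            src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
            flows[(src, sport, dst, dport)] += 1
    return flows

def _frame(src, dst, sport, dport, vlan=None):
    """Constructed test frame: Ethernet [802.1Q] / IPv4 / UDP with 4 payload bytes."""
    udp = struct.pack(">HHHH", sport, dport, 12, 0) + b"test"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tag = b"" if vlan is None else b"\x81\x00" + struct.pack(">H", vlan)
    return b"\x02" * 6 + b"\x04" * 6 + tag + b"\x08\x00" + ip + udp

def sample_pcap() -> bytes:
    """Constructed capture; addresses come from private/documentation ranges."""
    frames = [_frame("10.0.0.5", "203.0.113.9", 40000, 554),
              _frame("10.0.0.5", "203.0.113.9", 40000, 554, vlan=4093),
              _frame("203.0.113.9", "10.0.0.5", 554, 40000),
              _frame("10.0.0.5", "10.0.0.1", 5353, 53)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

For a real file, pass its contents, e.g. `udp_flows(open(path, "rb").read())`, where `path` is wherever the capture was saved.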