tcpdump of UDP traffic

Question

I'm running 9.3.1HF3. I've got a couple of proxy servers who stream RTSP over UDP from the Internet back to the clients. I'm trying to determine if I can capture this traffic with tcpdump. 
&nbsp;  
&nbsp; What I'm struggling with is that when I typically do a tcpdump, I'm looking for traffic inbound on the external interface. And in that case, I understand if there is no Virtual Server for this traffic, it is routed through the forwarding virtual server and I can't capture it. 
&nbsp;  
&nbsp; However in the case of this RTSP traffic, the source is our internal nodes. What I can't wrap my mind around is if I can capture that data when there is no Virtual Server listening for inbound traffic on the Internal interface. Can you even set up a Virtual Server listening for inbound traffic on the Internal interface - does that even make sense?

jrahm · Answer

If the traffic is traversing the LTM, even via a forwarding virtual server, it can be captured by tcpdump.  If you look at the tcpdump man page (man tcpdump from the cli) you get a list of all the possibilities.  For starters, you can look at the rtsp traffic (assumed default port) on the physical interface, or on a vlan interface: 
&nbsp;  
&nbsp; tcpdump -i 1.1 udp port 554 -s0 
&nbsp; tcpdump -i Internal udp port 554 -s0 
&nbsp;  
&nbsp; If you want to capture udp port 554 even on the internal loopbacks, you can use interface 0.0.  Any broadcast traffic in a vlan that the LTM participates will also be viewable via tcpdump. 
&nbsp;  
&nbsp; HTH

smp_86112 · Answer

Thank you citizen. I was able to confirm that I can capture traffic which is routed through a forwarding VS. Don't know what I was doing wrong before...

Forum Discussion

tcpdump of UDP traffic

Recent Discussions

How can I get started with iCall

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Related Content

F5 XC - UDP traffic

decrypted tcpdump capture without using an iRule and without using tshark

8. SYN Cookie: Troubleshooting tcpdump

UDP TCP Packet Duplication

Decrypting TLS with the tcpdump sslprovider