Forum Discussion

moog67_108621's avatar
moog67_108621
Icon for Nimbostratus rankNimbostratus
Jul 14, 2014

tcpdump portrange option

Hi everyone,

 

I'm trying to capture traffic directed to a certain range of tcp ports with tcpdump. When using the "portrange" expression I get a syntax error:

 

tcpdump -i -s0 -w capture_file.trc portrange 8080-8082 tcpdump: syntax error in filter expression

 

Is this expression supported on BIG-IP (1600 10.2.4 HF5)?

 

Thanks in advance, Regards.

 

moog67

 

application delivery
LTM
management
performance
  • mimlo_61970's avatar
    mimlo_61970
    Jul 18, 2014

    try:

     

    tcpdump -i SRV -s0 -w capture_file.trc port 8080 or port 8081 or port 8082

     

    This worked for me, I saw traffic on all 3 ports in both directions in my dump. My only diff was the interface name.

     

    This was on 10.2.4 HF5, tcpdump version 3.9.4, libpcap version 0.7.2

     

    Again, no idea why portrange doesn't work, but I can confirm the same problem on this version.

     

  • adityoari_14383's avatar
    adityoari_14383
    Historic F5 Account
    Jul 14, 2014

    is that the syntax you actually used? because it's missing the interface name

     

    • moog67_108621's avatar
      moog67_108621
      Icon for Nimbostratus rankNimbostratus
      Jul 14, 2014
      Ooops!! I guess it was a copy/paste issue... The actual syntax I'm using is: tcpdump -i SRV -s0 -w capture_file.trc portrange 8080-8082 Where SRV is the alias for the interface where the traffic is coming/going. I'm just interested in the traffic directed to TCP ports 8080,8081 and 8082. Thanks moog67
  • mimlo_61970's avatar
    mimlo_61970
    Icon for Cumulonimbus rankCumulonimbus
    Jul 14, 2014

    Weird, it definitely doesn't work on 10.2.4 the same way it works in 11. It seems to require another option like src or dst.

     

    'src portrange 8080-8082 or dst portrange 8080-8082' appears to work.

     

    • adityoari_14383's avatar
      adityoari_14383
      Historic F5 Account
      Jul 15, 2014
      I haven't look at the each versions yet, but I strongly suspect that v11 & v10.2.4 have different versions of tcpdump and/or libpcap, whose older versions haven't had the support for the "standalone" portrange filter
    • moog67_108621's avatar
      moog67_108621
      Icon for Nimbostratus rankNimbostratus
      Jul 18, 2014
      Hi everyone, Still no good for me, even with the above options the command does not work. Here's my version of tcpdump: [xxxxxxxxx:Active] log tcpdump --help tcpdump version 3.9.4 libpcap version 0.7.2 Could you please share the syntax of the command line you're using?, does it effectively work? Many thanks, moog67
  • mimlo_61970's avatar
    mimlo_61970
    Icon for Cumulonimbus rankCumulonimbus
    Jul 18, 2014

    try:

     

    tcpdump -i SRV -s0 -w capture_file.trc port 8080 or port 8081 or port 8082

     

    This worked for me, I saw traffic on all 3 ports in both directions in my dump. My only diff was the interface name.

     

    This was on 10.2.4 HF5, tcpdump version 3.9.4, libpcap version 0.7.2

     

    Again, no idea why portrange doesn't work, but I can confirm the same problem on this version.