Forum Discussion

atomicdog_7107's avatar
Icon for Nimbostratus rankNimbostratus
Mar 28, 2012

tcpdump using a free interface

Hey guys,



I'm wondering if it is possible to do a tcpdump on an interface that is not in use by LTM. so typically where you would set up ''tcpdump -i etc', I'm wanting to use an available interface on one of my BigIPs as sort of a capture server. For example 'tcpdump -i eth16'. Is there some way to trick tmm to let me see (and use) these interfaces? Thanks!


5 Replies

  • Do you want to run tcpdump on an interface which is connected to a peer but not configured in a VLAN? If it's not working for you, couldn't just you create a new VLAN and then dump on the interface number?



  • Not sure actually... I would have to test that, that might work. What I'm trying to do is have an interface (like eth16) in promiscuous mode, so that any traffic that ingresses the port (from a span port on a switch) will be captured. Usually you wouldn't have a VLAN associated with a port in promiscuous mode, but have a dummy VLAN there that isn't in use anywhere else might trick it as long as the LTM doesn't discard the traffic because there is no tag. Hmm... Lemme try your approach and see what happens :) I'll let you know shortly!
  • It doesn't work unfortunately. It makes sense that it wouldn't though... it is going to discard anything that isn't tagged for that fake VLAN. I really need to capture on the port itself. I'm sure that the interfaces are just hidden... you can see eth0 and capture on that, so it's just a matter of knowing how to access the other 'hidden' interfaces. Does anyone know?
  • Hamish's avatar
    Icon for Cirrocumulus rankCirrocumulus
    Mmm... Leaving aside hidden or not hidden (None of mine are hidden) that's not actually going to work very well. There's a strict limit on the number of packets per second (Umm.. 200pps IIRC) that will be relayed from the switch to the host when you're running tcpdump. It also has a detrimental effect on the performance of the unit, consuming quite a bit of CPU...



    You';d be better off using a real IDS/IPS device if that's what you're planning...



  • Hamish, if you do an ifconfig you see all of your interfaces on an LTM? like you see eth1, eth2, eth3 (or something similar)? Not just VLAN tags and eth0, which is mgmt? Can you copy that ifconfig here in a response...



    And you're saying that the LTM limits the pps?



    This isn't for an IPS, this is just for capturing packets on a neighboring switch at a remote location for troubleshooting purposes.