Forum Discussion
tcpdump with multiple pool members
For years I have always written my tcpdump expression to be client ip and list all pool members using an 'or' statement to capture the "whole" conversation like:
tcpdump -nni 0.0 host 1.1.1.1 or host 2.2.2.1 or host 2.2.2.2 or host 2.2.2.3
This requires you to filter for the stream number in wireshark so you can discard the extra pool members you did not talk to. My question is, is there a way to change to an 'and' statement here using brackets or something like:
tcpdump -nni 0.0 host 1.1.1.1 and (host 2.2.2.1 or host 2.2.2.2 or host 2.2.2.3)
This way you only see your stream and you have a much smaller file size to work with.
7 Replies
- What_Lies_Bene1
Cirrostratus
Yes, that should work, just wrap the whole expression in single quotes, as follows;
tcpdump -nni 0.0 'host 1.1.1.1 and (host 2.2.2.1 or host 2.2.2.2 or host 2.2.2.3)'
- What_Lies_Bene1
Cirrostratus
More on expressions here btw: http://packetpushers.net/masterclass-tcpdump-expressions/
- Valentine_96813
Nimbostratus
Hmmmm. tcpdump took this as a valid expression but it captures 0 packets. I used my own IPs to make a connection and could show the stream with show sys connection.
- StephanManthey
Nacreous
Perhaps you have OneConnect or a SNAT applied? The 2.x.x.x are your pool members? 1.x.x.x is the client?
- What_Lies_Bene1
Cirrostratus
Could you post the connection table entries? Suitably redacted of course.
- Valentine_96813
Nimbostratus
Yes, SNAT is applied to the VIP I was using. Bad example.
- StephanManthey
Nacreous
F5 provides an additional option on TCPDUMP. Look for the 'F5 Ethernet Trailer'. By adding 'noise' you will get some very useful information.
There are a bunch of AskF5 solutions: SOL13637, SOL411, SOL7227, SOL5564.
DevCentral has an article on the subject and provides the source code for the wireshark plugin / dissector.
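Added example, not part of any post in this thread: a shell helper that builds one quoted filter covering both legs of a proxied connection, which is why the client-and-member filter above matched 0 packets once SNAT was in play. The function names, the virtual server address 10.0.0.10 and the SNAT address 10.0.0.250 are constructed for illustration; it assumes the client-side leg is client to virtual server and the server-side leg is SNAT address to pool member.

```shell
#!/usr/bin/env bash
# Assumption: capture point sees both legs (as with "-i 0.0" in the thread).
#   client-side leg: CLIENT <-> VIP
#   server-side leg: SRC    <-> pool member
# SRC is the SNAT address when SNAT is applied; pass the client address
# again as SRC when the source address is preserved.

# or_hosts HOST... -> "host A or host B or host C"
or_hosts() {
    local out="" h
    for h in "$@"; do
        out="${out:+$out or }host $h"
    done
    printf '%s' "$out"
}

# build_filter CLIENT VIP SRC MEMBER...
build_filter() {
    local a client vip src
    if [ "$#" -lt 4 ]; then
        echo "usage: build_filter CLIENT VIP SRC MEMBER..." >&2
        return 2
    fi
    # Accept only digits and dots so nothing else reaches the filter string.
    for a in "$@"; do
        case $a in
            ''|*[!0-9.]*) echo "not an IPv4 address: $a" >&2; return 2 ;;
        esac
    done
    client="$1"; vip="$2"; src="$3"
    shift 3
    printf '(host %s and host %s) or (host %s and (%s))' \
        "$client" "$vip" "$src" "$(or_hosts "$@")"
}

# Constructed sample: client and pool members from the thread, VIP and SNAT invented.
filter=$(build_filter 1.1.1.1 10.0.0.10 10.0.0.250 2.2.2.1 2.2.2.2 2.2.2.3)
# Single quotes stop the shell from interpreting the parentheses.
printf "tcpdump -nni 0.0 '%s'\n" "$filter"
```

With SNAT applied the two legs share no address, so the extra pool members no longer need to be discarded by stream in Wireshark, but both legs still have to be correlated by time or by the F5 trailer information mentioned above.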
