Forum Discussion
tcpdump with route domains
I am trying to set up an LTM with route domains and I'm looking for a tcpdump command with which I can see packets in route domain 1. If I do a tcpdump -i I can't see any of the packets I'm interested in.
Also, when I do an ifconfig -a I do not see IP addresses for the interfaces located in route domain 1. I only see the name of the VLAN which I set up in route domain 1, but without any IPv4 address.
Can anyone give me a hint?
Thanks
regards
Karsten
9 Replies
- Josh_Hill_17083
Nimbostratus
I think the "tcpdump -i vlan_name" command should do the job for you. This will capture all addresses on the vlan. Just use the name of the vlan on the routing domain.
If you want to write it out to a file use "tcpdump -i vlan_name -w /var/tmp/filename.dmp"
If you are filtering for a specific address, I think you may need to add the route domain specification, but I'm not sure.
Cheers
Josh
- karp_49260
Nimbostratus
Hi Josh,
This is exactly the command that works when I use no route domains, but with route domains I see nothing.
I do a ping from LB1 to LB2 in the VLAN named DMZ.
Now I have the following commands running:
PING 172.27.50.6%1(172.27.50.6%1) 56 data bytes
64 bytes from 172.27.50.6%1: icmp_seq=0 ttl=64 time=1.89 ms
64 bytes from 172.27.50.6%1: icmp_seq=1 ttl=64 time=2.46 ms
64 bytes from 172.27.50.6%1: icmp_seq=2 ttl=64 time=1.01 ms
64 bytes from 172.27.50.6%1: icmp_seq=3 ttl=64 time=0.964 ms
64 bytes from 172.27.50.6%1: icmp_seq=4 ttl=64 time=1.46 ms
and in another window
tcpdump -i DMZ
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on DMZ, link-type EN10MB (Ethernet), capture size 108 bytes
01:13:55.375340 e8:04:62:4c:09:81 (oui Unknown) > 01:00:0c:cc:cc:cd (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 50
01:13:57.388561 e8:04:62:4c:09:81 (oui Unknown) > 01:00:0c:cc:cc:cd (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 50
But there is nothing to be seen of the ICMP packets.
- Josh_Hill_17083
Nimbostratus
I don't believe route domains affect the behaviour of tcpdump, so what you are seeing is unusual.
At first guess I would say DMZ is not in route domain 1, but you have obviously checked that.
Are you running the tcpdump on LB1 or LB2?
Cheers
Josh
- karp_49260
Nimbostratus
DMZ is set up in route domain 1, and so is the destination IP 172.27.50.6. This is the IP of LB2, and I run the tcpdump and the ping on LB1 (172.27.50.5).
But what I just noticed is that when I start the tcpdump before I start the ping, I can see ICMP packets in the dump. If I start the ping first and then the tcpdump, I see nothing. That's crazy!
- nitass
Employee
I rarely run tcpdump on a physical or VLAN interface. Usually I run it on 0.0.
tcpdump -nni 0.0:nnn -s0 -w /var/tmp/
Anyway, I think it should show up. If I don't misremember, it will be in IPv6 format.
Cheers!
- Jose_Almada_400
Historic F5 Account
The SOL below says to run tcpdump on 0.0, which captures everything.
http://support.f5.com/kb/en-us/solutions/public/6000/500/sol6546.html
- Romani_2788
Historic F5 Account
It is also important to note that you should not be in a non-default route domain. So to ensure you are in the default route domain run:
rdsh 0
and then run the tcpdump using the 0.0 interface, so that you capture on all vlans.
- nickF5_143239
Historic F5 Account
When using tcpdump to capture traffic in a non-default route domain, F5 recommends that you run the tcpdump command from the default route domain (route domain 0), and specify interface 0.0. For example, the following command captures traffic from all VLANs in all route domains when invoked from the default route domain: tcpdump -ni 0.0
See the full solution: SOL6546: Recommended methods and limitations for running tcpdump on a BIG-IP system http://support.f5.com/kb/en-us/solutions/public/6000/500/sol6546.html?sr=37712322
- mplaksin_293271
Nimbostratus
Running tcpdump in a route domain
Recommendations
When you use tcpdump to capture traffic in a non-default route domain, F5 recommends that you run the tcpdump command from the default route domain (route domain 0), and specify interface 0.0. Note: If you specify interface 0.0 when you run tcpdump, it captures traffic traversing all configured VLANs on the BIG-IP system.
For example, the following command captures traffic from all VLANs in all route domains when you invoke it from the default route domain:
tcpdump -ni 0.0
Limitations
The tcpdump utility does not capture traffic when you run it from a non-default route domain. For example, if you use the rdsh utility to change the shell to a non-default route domain and run the tcpdump command, it does not capture any traffic. To capture traffic, use the following command to change back to the default route domain: rdsh 0
You can then run the tcpdump -ni 0.0 command to capture all route domain traffic.
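The procedure the last replies describe (go back to route domain 0 with rdsh 0, then capture on 0.0) has one more practical wrinkle when you want to filter on a route-domain address like the 172.27.50.6%1 in the ping output above: the %1 suffix is BIG-IP addressing, not something tcpdump's BPF filter parses, so it has to be removed before the address goes into a host filter. The helper below is an added example, not code from the thread or from F5; it builds the command line for such a capture, using the 0.0:nnn interface, -s0 and -w from nitass' post. The default output path under /var/tmp and the function names are assumptions of the example. The printed command is meant to be run from a shell that is already in the default route domain (after rdsh 0, as the replies state).

```shell
#!/bin/sh
# Added example (not from the thread or from F5): assemble the tcpdump command
# for a route-domain capture on BIG-IP as the replies recommend: capture on
# 0.0 (all VLANs, all route domains) from the default route domain.
#
# Assumption: tcpdump's BPF filter only understands plain IPv4/IPv6 addresses,
# so a BIG-IP address written as ADDR%RD must lose its %RD suffix before it is
# used in a 'host' filter. File names and paths below are made up.

# strip_rd ADDR -> prints ADDR without a trailing %<rd> suffix
strip_rd() {
    printf '%s\n' "$1" | sed 's/%[0-9][0-9]*$//'
}

# rd_of ADDR -> prints the route-domain id from the suffix, or 0 if there is none
rd_of() {
    case "$1" in
        *%*) printf '%s\n' "${1##*%}" ;;
        *)   printf '0\n' ;;
    esac
}

# valid_rd ADDR -> exit status 0 if the suffix (when present) is all digits
valid_rd() {
    case "$(rd_of "$1")" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# build_capture ADDR [OUTFILE] -> prints the tcpdump command to run from route
# domain 0. Since 0.0 already covers every route domain, the only
# route-domain-specific step is stripping the suffix from the host filter.
build_capture() {
    addr=$1
    valid_rd "$addr" || { echo "bad route-domain suffix in $addr" >&2; return 1; }
    out=${2:-/var/tmp/rd$(rd_of "$addr").pcap}   # hypothetical default name
    host=$(strip_rd "$addr")
    printf 'tcpdump -nni 0.0:nnn -s0 -w %s host %s\n' "$out" "$host"
}

# Usage on the BIG-IP, after 'rdsh 0' has returned the shell to route domain 0:
#   eval "$(build_capture 172.27.50.6%1 /var/tmp/dmz.pcap)"
# which runs:
#   tcpdump -nni 0.0:nnn -s0 -w /var/tmp/dmz.pcap host 172.27.50.6
```

The capture file still contains traffic from every route domain that matches the host filter; if the same address is reused in several route domains, the route domain must be told apart by VLAN or by the TMM metadata the :nnn modifier adds, not by the filter.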