Forum Discussion
TCPDUMP with SNAT and '-p' usage
Hi,
I was reading about tcpdump and the various filters we can use to capture the appropriate traffic.
I came across the post at https://devcentral.f5.com/questions/long-term-tcpdump
Assuming that I can capture the traffic from my server even if I have SNAT enabled, I have used option '-p'. This is the capture filter I have used:
tcpdump -ni 0.0:nnn -s0 -v -p host 10.20.20.29 and port 80 -w /var/tmp/test_sw.bin
I used Wireshark to read the content of the file, but I couldn't find any details of the traffic from my backend server. Is it possible to see the traffic from my backend server with the option -p?
Am I missing something here? Or will it not show the traffic from my backend server, as the IP is not included in the filter?
- Stanislas_Piro2 (Cumulonimbus)
Hi,
I never saw this thread and I learned something interesting...
In this thread, the p option is not '-p' but append 'p' in the string ':nnn':
tcpdump -ni 0.0:nnnp -s0 -v host 10.20.20.29 and port 80 -w /var/tmp/test_sw.bin
- IanB (Employee)
You may wish to review SOL13637: Capturing internal TMM information with tcpdump, which documents the interface modifiers, such as n, p, and h.
Please note the warning about using the 'p' modifier:
Note: This modifier will continue to produce flow information for the life of the connection. Subsequent tcpdump captures will reveal flow information from previous tcpdump captures using the :p modifier if the connection is still active. To clear flow information from previous use, run the tcpdump command without the :p modifier using a filter that matches no information in the flow and ensure some traffic has been received by the BIG-IP system for the flow.