tcpdump
What is the syntax for running a tcpdump? I want to run a tcpdump on my LTM to identify SSL errors from client to server.
Would I run the following:
tcpdump src host x.x.x.x
How would I stop the tcpdump, and what additional filters can I use?
- Hamish
Cirrocumulus
Parameters to tcpdump are the same as on any other Linux system, because it's just a Red Hat tcpdump at the base of it.
Normally I'd use something like
tcpdump -i [VLAN] -nn -e host xx.xx.xx.xx and port 443
or similar.
However, if you're diagnosing SSL errors, then using ssldump may be of more use. ssldump accepts the same filter (the 'host xx.xx.xx.xx and port 443' part), but you can give it the SSL certs being used at the server end (which you have access to if you're running it on the same BIG-IP that's doing the SSL offloading), and then it will not only tell you the steps in the protocol, but will also decode any encrypted traffic as well.
There's an ssldump solution note available -> Overview of packet tracing with the ssldump utility
- Kevin_Stewart
Employee
The most concise resource for tcpdump might be: http://www.tcpdump.org/tcpdump_man.html, or simply "man" the BIG-IP command line:
man tcpdump
But to troubleshoot SSL-related errors, you'd probably be better off with ssldump. The syntax is similar but not quite the same as tcpdump. And you can find syntax information here: http://ssldump.sourceforge.net/ssldump-man.html, or again man it from the BIG-IP command line:
man ssldump
But to answer your question more directly, here's an example of a common ssldump command line:
ssldump -AdNn -i [VLAN] port 443 [and any additional filters]
where:
-A means to print all record fields
-d means to display the application data traffic
-N means to attempt to parse ASN.1 when it appears
-n means to not try to resolve host names (like -n in tcpdump)
-i means the interface or VLAN to listen on (like -i in tcpdump)
"port 443" is the first display filter. ssldump seems to need at least one display filter.
[any additional filters] is any additional tcpdump-style capture filters that you might want to use.
- Stephan_Mierau
Employee
You could stop with Ctrl+C. The monitoring would be done with:
tcpdump -ni 0.0 -s0 -w file filter
0.0 means monitor on all interfaces; file could also be a directory plus file, e.g. /tmp/cap1.pcap; filter is the host, port, or combinations.
If you deal with SSL/TLS problems, write the capture to a file and then re-analyse it with ssldump -r file.
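Putting the two replies above together (the ssldump flags from Kevin's post and the write-to-file-then-replay workflow from Stephan's), the script below is an added example and not code posted by anyone in the thread. It builds the capture command with a packet limit so it stops on its own instead of needing Ctrl+C, builds the ssldump replay command (optionally with the server's private key so application data can be decrypted), and pulls the TLS Alert values out of ssldump's output, which is usually the first thing you want when chasing handshake failures. The client address 10.1.1.5, the key path under /config/ssl/ssl.key/, and the ssldump output sample are assumptions constructed for the example; adjust them for your BIG-IP.

```shell
#!/bin/sh
# Added example, not from the original thread. Wraps the capture-then-decode
# workflow described in the replies above. Host, key path and the sample
# ssldump output below are constructed assumptions.

# Build the tcpdump command for a TLS capture on the BIG-IP.
# $1 = interface (0.0 = all interfaces on BIG-IP), $2 = client or virtual
# server address, $3 = output pcap, $4 = packet limit (-c), so the capture
# ends by itself rather than waiting for Ctrl+C.
build_capture_cmd() {
    printf 'tcpdump -ni %s -s0 -c %s -w %s host %s and port 443' "$1" "$4" "$3" "$2"
}

# Build the ssldump replay command for a saved pcap.
# $1 = pcap, $2 = optional PEM private key of the server-side certificate.
# With -k, ssldump decrypts application data, but only for sessions that
# used RSA key exchange; ECDHE sessions still show the handshake and alerts.
build_decode_cmd() {
    if [ -n "$2" ]; then
        printf 'ssldump -AdNn -r %s -k %s' "$1" "$2"
    else
        printf 'ssldump -AdNn -r %s' "$1"
    fi
}

# Count TLS Alert records in ssldump output read from stdin.
# grep -c exits 1 when the count is 0, so keep it set -e safe.
count_alerts() {
    grep -c 'Alert' || true
}

# Print the alert description (e.g. handshake_failure) for each Alert record
# in ssldump output read from stdin. ssldump prints the alert as a record
# line followed by indented "level" and "value" lines.
alert_values() {
    awk '/Alert/ { inalert = 1; next }
         inalert && $1 == "value" { print $2; inalert = 0 }'
}

# Constructed sample of ssldump output: a ClientHello answered by a fatal
# handshake_failure alert from the server. Not a real capture.
SAMPLE_DECODE='New TCP connection #1: 10.1.1.5(51234) <-> 10.1.1.100(443)
1 1  0.0005 (0.0005)  C>S  Handshake
      ClientHello
1 2  0.0012 (0.0007)  S>C  Alert
    level           fatal
    value           handshake_failure'

# Show the operator the two commands to run, then demonstrate the
# alert extraction on the constructed sample.
echo "capture: $(build_capture_cmd 0.0 10.1.1.5 /tmp/cap1.pcap 500)"
echo "decode:  $(build_decode_cmd /tmp/cap1.pcap /config/ssl/ssl.key/default.key)"
echo "alerts in sample: $(printf '%s\n' "$SAMPLE_DECODE" | count_alerts)"
printf '%s\n' "$SAMPLE_DECODE" | alert_values
```

Run the printed capture command on the BIG-IP, reproduce the failing connection from the client, and then run the decode command; with no key (or with ECDHE ciphers) you still get the handshake sequence and the alert that ended it, which is normally enough to tell a certificate problem from a cipher mismatch.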
- falooda_281506
Nimbostratus
Thanks everyone!