Forum Discussion

falooda_281506
Aug 30, 2016

tcpdump

What is the syntax for running a tcpdump? I want to run a tcpdump on my LTM to identify SSL errors from client to server.

Would I run the following:

tcpdump src host x.x.x.x

How would I stop the tcpdump, and what additional filters can I use?

4 Replies

  • Hamish

    Parameters to tcpdump are the same as on any other Linux system, because it's just a Red Hat tcpdump at the base of it.

    Normally I'd use something like

    tcpdump -i  -nn -e xx.xx.xx.xx and port 443
    

    or similar.

    However, if you're diagnosing SSL errors, then using ssldump may be of more use. ssldump accepts the same filter (the 'xx.xx.xx.xx and port 443' part) but you can give it the SSL certs being used at the server end (which you have access to if you're running it on the same BigIP that's doing the SSL offloading) and then it will not only tell you the steps in the protocol, but will also decode any encrypted traffic as well.

    There's an ssldump solution note available -> Overview of packet tracing with the ssldump utility

  • The most concise resource for tcpdump might be: http://www.tcpdump.org/tcpdump_man.html, or simply "man" the BIG-IP command line:

    man tcpdump
    

    But to troubleshoot SSL-related errors, you'd probably be better off with ssldump. The syntax is similar but not quite the same as tcpdump. And you can find syntax information here: http://ssldump.sourceforge.net/ssldump-man.html, or again man it from the BIG-IP command line:

    man ssldump
    

    But to answer your question more directly, here's an example of a common ssldump command line:

    ssldump -AdNn -i [VLAN] port 443 [and any additional filters]
    

    where:

    -A means to print all record fields
    -d means to display the application data traffic
    -N means to attempt to parse ASN.1 when it appears
    -n means to NOT try to resolve host names (like -n in tcpdump)
    -i means the interface or VLAN to listen on (like -i in tcpdump)
    
    "port 443" is the first display filter. ssldump seems to need at least one display filter.
    
    [any additional filters] is any additional tcpdump-style capture filters that you might want to use.
    
  • You could stop it with Ctrl+C. The monitoring would be done with:

    tcpdump -ni 0.0 -s0 -w file filter

    0.0 means monitor on all interfaces; file could also be a directory plus file, e.g. /tmp/cap1.pcap; filter is the host, port, or combinations.

    If you deal with SSL/TLS problems, write the capture to a file and then reanalyse it with ssldump -r file.
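Pulling the three replies together, here is an added shell example (not from the thread, and not F5 or tcpdump project code) that builds the capture filter the replies describe, bounds the capture so it ends on its own instead of waiting for Ctrl+C, writes it to a file and then replays the file through ssldump -r. The helper names build_filter, capture_cmd and run_capture are hypothetical; it assumes tcpdump and ssldump are on the path and that the capture itself is run as root on the BIG-IP. Note that a bare address is not a valid tcpdump filter on its own: the address needs the host keyword, which is why the filter is composed as host x.x.x.x and port 443.

```shell
#!/bin/sh
# Added example (not from the thread): compose a bounded tcpdump capture for
# one client/server pair and hand the resulting file to ssldump.
# build_filter, capture_cmd and run_capture are hypothetical helper names.

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all <= 255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_filter CLIENT_IP PORT: print the BPF expression "host C and port P".
# Malformed input is rejected so a typo does not silently capture everything.
build_filter() {
    client="$1"; port="$2"
    is_ipv4 "$client" || { echo "bad host: $client" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    echo "host $client and port $port"
}

# capture_cmd IFACE OUTFILE COUNT FILTER: print the tcpdump command line.
#   -n  no name resolution        -i  interface (0.0 = all, as in the thread)
#   -s0 whole packets, so ssldump sees complete TLS records
#   -c  stop after COUNT packets, so the capture ends without Ctrl+C
#   -w  write raw packets to OUTFILE for later analysis
capture_cmd() {
    iface="$1"; outfile="$2"; count="$3"; filter="$4"
    echo "tcpdump -ni $iface -s0 -c $count -w $outfile $filter"
}

# run_capture CLIENT_IP PORT IFACE OUTFILE COUNT: run the capture (root on the
# BIG-IP), then replay the file through ssldump as the last reply suggests.
run_capture() {
    filter=$(build_filter "$1" "$2") || return 1
    cmd=$(capture_cmd "$3" "$4" "$5" "$filter")
    echo "running: $cmd" >&2
    $cmd || return 1            # unquoted on purpose: the filter is several words
    ssldump -AdNn -r "$4"
}

# Only capture when explicitly asked; otherwise the file just defines helpers.
if [ "${1:-}" = "--run" ]; then
    shift
    run_capture "$@"
fi
```

Typical use on the box would be sh capture.sh --run 10.0.0.5 443 0.0 /tmp/cap1.pcap 200, where 10.0.0.5 is a constructed client address: the capture stops after 200 packets and the decode follows immediately. Dropping -c from capture_cmd gives the open-ended capture from the third reply, which is then stopped with Ctrl+C.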