Tcpdump/wireshark question

Question

Good morning everyone,&nbsp;
We've got a capture traffic taken from an F5 (not sure which model, 11.2.x software release) to catch traffic coming/going to a virtual server configured with a FastL4 profile. 
When this capture is opened with Wireshark we randomly see bursts of "suspected" retransmissions on both client and server side of the F5. However the same capture taken in our server does not show any sequence being retransmitted. &nbsp;
See attached screenshot (source IP removed for confidentiality reasons):
&nbsp;
Is this effect due to tcpdump limitations or to the way Wireshark decodes the capture?&nbsp;
Thanks in advance,
moog67&nbsp;

what_lies_bene1 · Answer

Are you capturing on multiple interfaces? If the data is captured from both sides of the proxy its probably confusing Wireshark as its seeing every packet twice.&nbsp;

what_lies_bene1 · Answer

That'll be multiple interfaces then, just ignore the Wireshark error.
To capture on ALL interfaces use -i 0.0
For independent, per VLAN: -i vlanXXX
You might also want to capture the full packets using -s0

jrahm · Answer

New article on wireshark configuration for windows: https://devcentral.f5.com/articles/getting-started-with-the-f5-wireshark-plugin-on-windows&nbsp;

Forum Discussion

Tcpdump/wireshark question

3 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

rSeries Configuration Backup

Questions on Migrating configs from iSeries to RSeries F5s

AST Configuration help

reading Client SSL Profile details via Ansible

Raise your hand if you'll be at AppWorld 2026

Related Content

Decrypting tcpdumps in Wireshark without key files (such as when FIPS is in use)

UCS Encryption Question

Site Launch Frequently Asked Questions

F5 Connection Mirroring question

Health monitor question

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS