Tcpdump Capture

If the specific forwarding virtual is a Performance (Layer4) virtual and you have suitable hardware, then the connection may be shifted to the ePVA or PVA ASIC (on older hardware). This means that once the TCP handshake is complete and the flow is eligible for the Packet Velocity ASIC, the body of the flow is handled in the switch hardware itself and not in TMM.

K12837: Overview of the ePVA feature

If this is the case, then you need to either disable PVA for the profile on that virtual while you take the packet capture, or you need to capture on the interface/trunk (but this has a 200 packets per second restriction).

K6546: Recommended methods and limitations for running tcpdump on a BIG-IP system

-----

For systems containing a Packet Velocity ASIC (PVA), the tcpdump utility does not capture virtual server traffic that is fully accelerated by the PVA chip. The PVA resides on the switchboard, between the BIG-IP system's switch subsystem and the host motherboard. The chip processes accelerated traffic by accepting packets from the switch subsystem, transforming the packets to redirect them to the appropriate pool member, and then sending the packets back to the switch subsystem. Fully accelerated traffic never reaches the internal trunk and is not processed by TMM.

For example, the following command does not capture PVA accelerated traffic:

tcpdump -ni <vlan_name>

Note: To determine whether your platform contains a PVA chip, use the tmsh show /sys hardware |grep -i pva command for BIG-IP 11.0.0 and later, or the bigpipe platform |grep -i pva command for versions of BIG-IP that start with 9 and 10.

You can work around this limitation by temporarily disabling PVA acceleration for the FastL4 profile, capturing the traffic in a VLAN tcpdump and then re-enabling PVA acceleration for the FastL4 profile. To disable or enable PVA acceleration using the Configuration utility, navigate to Local Traffic > Profile > Protocol > FastL4 > [profile_name] > PVA Acceleration.

 -----