Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

tcpdump portrange option

Go to solution
moog67_108621
Nimbostratus
Nimbostratus

‎14-Jul-2014 03:34

Hi everyone,

 

I'm trying to capture traffic directed to a certain range of tcp ports with tcpdump. When using the "portrange" expression I get a syntax error:

 

tcpdump -i -s0 -w capture_file.trc portrange 8080-8082 tcpdump: syntax error in filter expression

 

Is this expression supported on BIG-IP (1600 10.2.4 HF5)?

 

Thanks in advance, Regards.

 

moog67

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
mimlo_61970
Cumulonimbus
Cumulonimbus

‎18-Jul-2014 07:21

try:

 

tcpdump -i SRV -s0 -w capture_file.trc port 8080 or port 8081 or port 8082

 

This worked for me, I saw traffic on all 3 ports in both directions in my dump. My only diff was the interface name.

 

This was on 10.2.4 HF5, tcpdump version 3.9.4, libpcap version 0.7.2

 

Again, no idea why portrange doesn't work, but I can confirm the same problem on this version.

 

View solution in original post

0 Kudos
8 REPLIES 8

Go to solution
adityoari_14383
Historic F5 Account

‎14-Jul-2014 04:43

is that the syntax you actually used? because it's missing the interface name

 

0 Kudos

Go to solution
moog67_108621
Nimbostratus
Nimbostratus
In response to adityoari_14383

‎14-Jul-2014 06:43

Ooops!! I guess it was a copy/paste issue... The actual syntax I'm using is: tcpdump -i SRV -s0 -w capture_file.trc portrange 8080-8082 Where SRV is the alias for the interface where the traffic is coming/going. I'm just interested in the traffic directed to TCP ports 8080,8081 and 8082. Thanks moog67
0 Kudos

Go to solution
mimlo_61970
Cumulonimbus
Cumulonimbus

‎14-Jul-2014 07:31

Weird, it definitely doesn't work on 10.2.4 the same way it works in 11. It seems to require another option like src or dst.

 

'src portrange 8080-8082 or dst portrange 8080-8082' appears to work.

 

0 Kudos

Go to solution
adityoari_14383
Historic F5 Account
In response to mimlo_61970

‎14-Jul-2014 20:20

I haven't look at the each versions yet, but I strongly suspect that v11 & v10.2.4 have different versions of tcpdump and/or libpcap, whose older versions haven't had the support for the "standalone" portrange filter
0 Kudos

Go to solution
moog67_108621
Nimbostratus
Nimbostratus
In response to mimlo_61970

‎18-Jul-2014 05:16

Hi everyone, Still no good for me, even with the above options the command does not work. Here's my version of tcpdump: [xxxxxxxxx:Active] log tcpdump --help tcpdump version 3.9.4 libpcap version 0.7.2 Could you please share the syntax of the command line you're using?, does it effectively work? Many thanks, moog67
0 Kudos

Go to solution
mimlo_61970
Cumulonimbus
Cumulonimbus

‎18-Jul-2014 07:21

try:

 

tcpdump -i SRV -s0 -w capture_file.trc port 8080 or port 8081 or port 8082

 

This worked for me, I saw traffic on all 3 ports in both directions in my dump. My only diff was the interface name.

 

This was on 10.2.4 HF5, tcpdump version 3.9.4, libpcap version 0.7.2

 

Again, no idea why portrange doesn't work, but I can confirm the same problem on this version.

 

0 Kudos

Go to solution
moog67_108621
Nimbostratus
Nimbostratus
In response to mimlo_61970

‎18-Jul-2014 23:33

Thanks mimlo!! It finally worked as I need it, I can see traffic on both directions as well. We'll be upgrading to 11.x in the short term , I'll give it another go then. Regards moog67
0 Kudos

Go to solution
Rebecca_Moloney
Community Manager
Community Manager
In response to mimlo_61970

‎07-Jun-2023 11:26

Glad you found a reply for this! Here's a few articles by tcpdump enthusiast @JRahm in case you (or anyone else) is interested: 

0 Kudos
Copyright © 2023 Khoros, LLC