tcpdump is a utility for capturing data packets on Linux-based systems. Below are the tcpdump commands for an F5 load balancer.

1.) View the traffic on all F5 interfaces excluding management

tcpdump -i 0.0

2.) View the traffic on specific F5 Interface

tcpdump -i <interface-number>   # for example: tcpdump -i 2.1

3.) View the traffic on F5 management interface

tcpdump -i eth0

4.) View the traffic on an F5 interface with name resolution disabled (by default, F5 performs name resolution in tcpdump)

tcpdump -ni 2.1

5.) Capture the tcpdump data to a Wireshark file

tcpdump -i eth0 -w /var/tmp/test.pcap

6.) View the traffic on specific IP

tcpdump host x.x.x.x

7.) View the traffic on specific source IP

tcpdump src host x.x.x.x

8.) View the traffic on specific destination IP

tcpdump dst host x.x.x.x

9.) View the traffic on specific port

tcpdump port <port-number>

10.) tcpdump on specific destination port

tcpdump dst port <Port-number>

11.) View all packets with SYN flag

tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'

12.) View the packets with RST flag

tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'

13.) View packets using the and operator

tcpdump host <IP> and port <Port-Number>

tcpdump src host <IP> and dst port <Port-Number>

tcpdump src host <IP> and dst host <IP>

14.) Capture a specific amount of each packet (0 means capture the whole packet)

tcpdump -s0 host <Host-IP>

15.) View Client to F5 and F5 to server traffic simultaneously

tcpdump -ni 0.0:nnn -s0 host <VIP-IP> and port <VIP-Port> -c 75000 -w /var/tmp/expernal.cap & tcpdump -ni 0.0:nnn -s0 '(host <Pool-member-IP> or host <Pool-member-IP>)' and port <Pool-port> -c 75000 -w /var/tmp/internal.cap

16.) View Client to F5 and F5 to server with 2 different ports traffic simultaneously

tcpdump -ni 0.0:nnn -s0 host <VIP-IP> and port <VIP-Port> -c 75000 -w /var/tmp/expernal.cap & tcpdump -ni 0.0:nnn -s0 '(host <Pool-member-IP> or host <Pool-member-IP>)' and '(port 443 or 8443)' -c 75000 -w /var/tmp/internal.cap

17.) Kill all tcpdump sessions

killall tcpdump

18.) View all running tcpdump


I hope the article will be helpful to you to run tcpdump on F5 while troubleshooting !! Good Luck !!
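The following is an added example, not part of the original article: it shows what the SYN and RST filters in items 11 and 12 test, by reading a capture file like the one written in item 5 and checking byte 13 of each TCP header. It assumes a classic pcap file with untagged Ethernet/IPv4 frames; the sample capture, the addresses and the extra SYN-only comparison are constructed for illustration.

```python
import struct

TCP_SYN, TCP_RST = 0x02, 0x04   # the bit values behind tcpdump's tcp-syn / tcp-rst

def read_pcap(data):
    """Yield frames from classic pcap bytes (as written by tcpdump -w), Ethernet only."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    pos = 24                                  # skip the 24-byte global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def tcp_flags(frame):
    """Return tcp[tcpflags] (byte 13 of the TCP header) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return None                           # later fragment: no TCP header here
    off = 14 + (frame[14] & 0x0F) * 4 + 13    # Ethernet + IP header length + 13
    return frame[off] if off < len(frame) else None   # None if cut by a short -s

def count_flags(data):
    """Count frames matching the SYN and RST filters, plus SYN-only frames."""
    counts = {"syn": 0, "rst": 0, "syn_only": 0}
    for flags in map(tcp_flags, read_pcap(data)):
        if flags is None:
            continue
        counts["syn"] += (flags & TCP_SYN) != 0       # tcp[tcpflags] & (tcp-syn) != 0
        counts["rst"] += (flags & TCP_RST) != 0       # tcp[tcpflags] & (tcp-rst) != 0
        counts["syn_only"] += flags == TCP_SYN        # tcp[tcpflags] == tcp-syn
    return counts

def sample_pcap():
    """Constructed capture: SYN, SYN/ACK, ACK, RST, RST/ACK between documentation IPs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for flags in (0x02, 0x12, 0x10, 0x04, 0x14):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
        tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, flags, 8192, 0, 0)
        frame = bytes(12) + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(count_flags(sample_pcap()))
```

The "& ... != 0" form matches any packet with the bit set, so the SYN filter also matches SYN/ACK replies and the RST filter also matches RST/ACK.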

1 Comment

use :p switch on interface (e.g. 0.0:p) to see peer connection – no need for multiple instances of tcpdump or complex filters.
