TCPDUMP: F5 BIG-IP Running Packet sniffing


When working with F5 devices (and other networking devices as well), tcpdump is the best tool you can use for troubleshooting networking issues or getting an understanding of a particular traffic flow. Understanding the basics of tcpdump will prove extremely helpful in your troubleshooting sessions.


There are basically two main ways of running tcpdump: without saving the packet capture to a file (no -w option), or saving the packet capture to a .cap file using the -w option.

If you want to perform a quick check to see whether packets are going through the device, but you don't need to perform deep packet inspection, then running tcpdump without the -w option is fine.

However, if you are troubleshooting a difficult networking issue and you need a packet capture to later perform packet analysis with a tool like Wireshark, run tcpdump using the -w option. Most importantly, this saves the output in a binary file, which you will need to copy off the device and then open with Wireshark or a similar network analysis tool.

Also, if you need to provide the packet capture to F5 Support, they will ask you to use the -w option to save the packet capture to a file and the -s0 option, which tells tcpdump to save the whole packet. This is a very important switch and is often missed, resulting in a truncated packet capture that is useless for network analysis.

Following are examples of commands used to run the tcpdump utility:

Selecting an Interface or VLAN

The tcpdump utility's interface option, -i, accepts only one value. This value may be a numbered interface or a named Virtual Local Area Network (VLAN).

To view traffic, use the -i flag as follows:

tcpdump -i <interface>

For example:

To view the traffic on a single specific interface:

tcpdump -i 2.1

To view the traffic on a specific VLAN called internal:

tcpdump -i internal

To view the traffic on the management interface:

tcpdump -i eth0

To view the traffic on all interfaces:

tcpdump -i 0.0

Important: Running tcpdump on interface 0.0 is not rate-limited and has the potential to create very large files. F5 recommends this option only when using filters to limit the size of the capture. Review the Filters section prior to using this option.

Running tcpdump on interface 0.0 with filters is the sure way of capturing all the packets needed for packet analysis. For example, if you have packets arriving on the 'public' VLAN and leaving on the 'private' VLAN, the proper way to capture both traffic flows is to use the 0.0 interface together with some filters. Just be sure you use filters to limit the amount of data captured, and run tcpdump only for the required amount of time, to avoid capturing unnecessary packets that inflate the final packet capture.

Note: Do not attempt to run tcpdump on an interface that contains a colon.

For example:

eth0:mgmt

Disabling name resolution

By default, tcpdump attempts to look up IP addresses and use names, rather than numbers, in the output. The BIG-IP system must wait for a response from the DNS server, so the lookups can be time consuming and the output may be confusing.

To disable name resolution, use the -n flag as in the following examples:

tcpdump -n
tcpdump -ni internal

Saving tcpdump output to a file

To save the tcpdump output to a binary file, type the following command:

tcpdump -w <filename>

For example:

tcpdump -w dump1.bin

Note: The tcpdump utility does not print data to the screen while it is capturing to a file. To stop the capture, press CTRL-C.

Beginning in BIG-IP 11.2.0-HF3, 11.2.1-HF3, and 11.3.0, a pseudo header which includes the following parameters is added to the start of each binary tcpdump capture:

  • The tcpdump command syntax used, including all options
  • Version of software
  • Hostname of the system
  • Platform ID
  • Product

Filters

The tcpdump utility allows you to use filters to, among other things, restrict the output to specified addresses, ports, and tcp flags.


Filtering on a host address

To view all packets that are traveling to or from a specific IP address, type the following command:

tcpdump host <IP address>

For example:

tcpdump -i 0.0 host 10.90.100.1

To view all packets that are traveling from a specific IP address, type the following command:

tcpdump src host <IP address>

For example:

tcpdump -i 0.0 src host 10.90.100.1

To view all packets that are traveling to a particular IP address, type the following command:

tcpdump dst host <IP address>

For example:

tcpdump -i 0.0 dst host 10.90.100.1

Filtering on a port

To view all packets that are traveling through the BIG-IP system and are either sourced from or destined to a specific port, type the following command:

tcpdump port <port>

For example:

tcpdump -i 0.0 port 80

To view all packets that are traveling through the BIG-IP system and sourced from a specific port, type the following command:

tcpdump src port <port>

For example:

tcpdump -i 0.0 src port 80

To view all packets that are traveling through the BIG-IP system and destined to a specific port, type the following command:

tcpdump dst port <port>

For example:

tcpdump -i 0.0 dst port 80

Combining filters with the ‘and’ operator

You can use the and operator to combine several filters, so that only packets matching all of them are shown.

Following are some examples of useful combinations:

tcpdump -i 0.0 host 10.90.100.1 and port 80
tcpdump -i 0.0 src host 172.16.101.20 and dst port 80
tcpdump -i 0.0 src host 172.16.101.20 and dst host 10.90.100.1

Capturing packet data

The tcpdump utility provides an option that allows you to specify the amount of each packet to capture.

You can use the -s (snarf/snaplen) option to specify the amount of each packet to capture. To capture the entire packet, use a value of 0 (zero).

For example:

tcpdump -i 0.0 -s0 src host 172.16.101.20 and dst port 80

Alternatively, you can specify a length large enough to capture the packet data you need to examine.

For example:

tcpdump -i 0.0 -s200 src host 172.16.101.20 and dst port 80

Suppressing hostname and port resolution

The tcpdump utility provides an option that allows you to specify whether IP addresses and service ports are translated to their corresponding hostnames and service names.

Since performing multiple name lookups during a packet capture may be resource intensive, you should disable name resolution while capturing on a busy system using the -n option.

For example:

tcpdump -i 0.0 -n src host 172.16.101.20 and dst port 80

Service port lookups incur less overhead than DNS-based name resolution, but are still usually unnecessary while performing a capture. You can disable both name and service port resolution during a capture by using the -nn option.

For example:

tcpdump -i 0.0 -nn src host 172.16.101.20 and dst port 80

Combining tcpdump options

This article covers the most essential tcpdump options. You will generally need to use several of them in combination.

Following are examples of how to combine the tcpdump options to provide the most meaningful output:

tcpdump -nnni 0.0 -s0 -w dump-all.cap

(Capture everything on all VLANs. Do not use this on production without adding extra filters; the load can bring the device down.)

tcpdump -ni internal -s0 -w dump1.bin

(Capture everything on the internal VLAN and save it to a binary file)

tcpdump -s0 -ni 2.1 host 10.90.100.1 and port 80

(Capture on interface 2.1 for IP address 10.90.100.1 and port 80)

tcpdump -ni 1.10 src host 172.16.101.20 and dst port 80 >dump1.txt

(Capture on interface 1.10 for source IP address 172.16.101.20 and destination port 80, and save the text output to a file)

tcpdump -s0 -nni eth0 -w /var/tmp/mgmt.cap dst host 172.16.101.20 and dst port 162

(Capture on interface eth0 (MGMT) for destination IP address 172.16.101.20 and destination port 162, and save it to a binary file)
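The rules spread through this article (one interface or VLAN per -i and never one containing a colon, no unfiltered capture on 0.0, -s0 whenever -w is used, -nn to skip host and service lookups, filters joined with and) are easy to forget at a shell prompt during an incident. The following added example, which is not part of the original article or any F5 tooling, is a small POSIX sh helper that assembles the tcpdump command line and applies those checks before anything runs. The function names (bpf_filter, tcpdump_cmd) and the sample addresses, ports and file names are constructed for the demonstration; the helper only prints the command and never starts a capture.

```shell
#!/bin/sh
# Added example, not from the original article: assemble a BIG-IP tcpdump
# command line that applies the article's own rules before anything runs.
#   - -i takes exactly one interface or VLAN, never a name containing ':'
#   - interface 0.0 is accepted only together with a capture filter
#   - a capture written with -w always gets -s0 so packets are not truncated
#   - -nn is always added so neither hosts nor service ports are resolved
# The functions only print the command; they never start a capture.

# bpf_filter SRC_HOST DST_HOST SRC_PORT DST_PORT
# Joins the non-empty parts with "and", as in the article's examples.
# Pass "" for a position you do not want to constrain.
bpf_filter() {
    filt=""
    set -- "src host=$1" "dst host=$2" "src port=$3" "dst port=$4"
    for part in "$@"; do
        key=${part%%=*}
        val=${part#*=}
        [ -z "$val" ] && continue
        if [ -z "$filt" ]; then
            filt="$key $val"
        else
            filt="$filt and $key $val"
        fi
    done
    printf '%s\n' "$filt"
}

# tcpdump_cmd INTERFACE FILTER [OUTPUT_FILE]
# Prints the command to run, or an explanation on stderr and returns 1.
tcpdump_cmd() {
    iface=$1
    filter=$2
    outfile=${3:-}
    case "$iface" in
        "")  echo "an interface or VLAN name is required" >&2; return 1 ;;
        *:*) echo "refusing '$iface': do not run tcpdump on an interface containing a colon" >&2; return 1 ;;
    esac
    if [ "$iface" = "0.0" ] && [ -z "$filter" ]; then
        echo "interface 0.0 is not rate-limited: add a filter before capturing on it" >&2
        return 1
    fi
    cmd="tcpdump -nni $iface"
    if [ -n "$outfile" ]; then
        # -s0 alongside -w: the whole packet is saved, as F5 Support requires
        cmd="$cmd -s0 -w $outfile"
    fi
    if [ -n "$filter" ]; then
        cmd="$cmd $filter"
    fi
    printf '%s\n' "$cmd"
}

# Demonstration with constructed values based on the article's examples.
tcpdump_cmd 0.0 "$(bpf_filter 172.16.101.20 '' '' 80)" /var/tmp/web.cap
tcpdump_cmd internal ''
tcpdump_cmd 0.0 '' || echo "rejected: unfiltered capture on 0.0"
tcpdump_cmd eth0:mgmt "$(bpf_filter '' 10.90.100.1 '' '')" || echo "rejected: colon in interface name"
```

The first call prints tcpdump -nni 0.0 -s0 -w /var/tmp/web.cap src host 172.16.101.20 and dst port 80, which is the shape of command this article recommends for a capture you hand to F5 Support; the last two calls are refused with a message on stderr. If you want the helper to actually run the capture, pipe its output to sh once you are satisfied with the printed command, and remember to stop the capture with CTRL-C after the required amount of time.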