
Troubleshoot BIG-IP Using Tcpdump

by | 31-May-2020 | ADC, F5, LTM

Applies to

  • BIG-IP LTM
    • Focus on versions 15.x and 14.x
    • Less focus on earlier versions

Tcpdump Basic Operation


(1) Selecting an Interface or VLAN

#tcpdump -i <interface>

Use the -i option to select an interface or VLAN; <interface> can be one of the following:

  • VLAN name: #tcpdump -i vlan_internal
    • (1) Limitation: this form does not include the VLAN tag ID in the captured packets.
    • (2) Limitation: this form does not capture PVA-accelerated traffic.
      • Note: To determine whether your platform contains a PVA chip, use #tmsh show /sys hardware | grep -i pva
      • To disable or enable PVA acceleration: Local Traffic > Profiles > Protocol > FastL4 > [profile_name] > PVA Acceleration
  • TMM interface ID: #tcpdump -i 1.1
    • (1) Limitation: this form captures PVA-accelerated traffic, but the syntax results in a rate limit of 200 packets per second.
    • (2) Limitation: on a VIPRION system, you must run tcpdump on the same blade to which the interface belongs.
    • This form includes the VLAN tag information in the captured packets.
    • In addition, you can filter for a specific VLAN by adding the vlan <tag> filter:
      • #tcpdump -i 1.1 vlan 100
  • All TMM interfaces: #tcpdump -i 0.0
    • This does not capture traffic on the management interface. For the management interface, use:
      • #tcpdump -i eth0
    • To capture traffic in a non-default route domain, run the above command from the default route domain.
      • If you are inside a non-default route domain shell (for example rdsh 1), run the "exit" command from tmos to leave the non-default route domain.
      • Do not use "rdsh 0" to leave a non-default route domain; this prevents tcpdump from capturing traffic.
    • Do not attempt to run tcpdump on an interface name that contains a colon, for example:
      • #tcpdump -i eth0:mgmt


(2) Additional Options For Viewing on Console Screen

Important options when printing the output to the console screen:

  • -nn: Do not resolve hostnames or service names (show IP addresses and port numbers)
  • -X: Display the packet contents in ASCII alongside the hex output
  • -e: Print the link-level (L2 frame) header on each line
  • -vvv: Maximum verbosity for a full protocol decode (when printing to the console screen)
    • When writing to a file with -w, use -v instead; tcpdump then prints a running count of captured packets to the console.


(3) Saving Tcpdump Output To a File

You can save the tcpdump data to one of the following file formats:

  • A binary file that contains all the information collected by tcpdump and is readable by the tcpdump utility as well as many other traffic analysis packages (for example, Wireshark).
  • A text file that contains a subset of the full tcpdump data but is readable only as plain text.


Binary File

Important options when saving the data to a binary file:

  • -W <file count>
    • Sets the number of packet capture files that the utility collects before it rolls over and begins overwriting the oldest collected file.
    • -W 10 means create up to 10 files: "<filename>1, <filename>2 … <filename>10"
  • -s <bytes>: Snapshot length, the maximum number of bytes captured from each packet
    • Packets are truncated when the snapshot length is too small; -s 100 captures only the first 100 bytes of each packet.
    • Use -s 0 to capture full packets (up to the maximum of 262,144 bytes); tcpdump still reports a capture size of 65,535 bytes.
  • -C <file size>
    • Sets the maximum size of each packet capture file.
    • -C 100 means 100 MB
  • -c <count>: Stop after receiving <count> packets
  • -w <filename>
    • Specifies the path and file name (/path/filename) where the utility saves packet capture files.
    • -w /var/tmp/test.pcap
  • The tcpdump utility does not print packet data to the console while it is capturing to a file.
  • To read data from a binary tcpdump file (saved with tcpdump -w), type the following command:
    • tcpdump -r <filename>
    • #tcpdump -r /var/tmp/test.pcap


Text File

To save the tcpdump output to a text file, type the following command:

  • tcpdump > <filename>
  • For example: #tcpdump > dump1.txt


(4) Filtering in Tcpdump

The tcpdump utility allows you to use filters to, among other things, restrict the output to specified addresses, ports, and protocol types (ether, fddi, ip, arp, rarp, tcp, udp, icmp).

  • By host or network:
    • #tcpdump host 10.1.1.1
    • #tcpdump net 10.0.0.0/8
    • #tcpdump src host 10.1.1.1
    • #tcpdump dst host 10.2.2.2
  • By port or protocol:
    • #tcpdump port 80
    • #tcpdump src port <port>
    • #tcpdump dst port 80
    • #tcpdump tcp
    • #tcpdump tcp port 80
    • #tcpdump udp port 80
  • All ICMP packets except destination unreachable (ICMP type 3, which tcpdump prints as, for example, "udp port domain unreachable"; icmp[0] is the ICMP type byte)
    • tcpdump -ni 0.0 icmp and not 'icmp[0] = 3'
    • tcpdump -ni 0.0 'icmp[0] != 3'
  • All ICMP packets except ICMP echo and ICMP echo reply
    • tcpdump -ni 0.0 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
    • tcpdump -ni 0.0 'icmp[0] != 8 and icmp[0] != 0'
  • Packets that have the SYN flag set
    • #tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'
  • Packets that have the RST flag set
    • #tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'

K2289: Using advanced tcpdump filters
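The SYN and RST filters above select packets by TCP flag at capture time. The script below is an added example, not part of the original post: it does the same triage offline on a text capture of the kind written by the tcpdump > dump1.txt form from section 3. It assumes single-line tcpdump -nn output (no -v or -e, which change the line layout), learns each listener from the SYNs it sees, and reports per listener how many SYNs were answered with SYN-ACK versus RST. The function names and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of single-line `tcpdump -nn` text output (not a real capture),
# the format written by e.g. `tcpdump -nni 0.0 port 443 > dump1.txt`.
SAMPLE='12:00:01.000001 IP 10.1.1.50.51000 > 10.1.1.100.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 10.1.1.100.443 > 10.1.1.50.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000400 IP 10.1.1.50.51000 > 10.1.1.100.443: Flags [.], ack 3, win 64240, length 0
12:00:02.000000 IP 10.1.1.51.51001 > 10.1.1.100.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000300 IP 10.1.1.100.443 > 10.1.1.51.51001: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:03.000000 IP 192.168.22.33.40000 > 10.1.1.20.443: Flags [S], seq 1, win 29200, length 0
12:00:03.000500 IP 10.1.1.20.443 > 192.168.22.33.40000: Flags [S.], seq 9, ack 2, win 28960, length 0
12:00:04.000000 IP 10.1.1.22.443 > 192.168.22.33.40001: Flags [R.], seq 0, ack 1, win 0, length 0'

# Per-listener handshake summary for a text capture read on stdin (hypothetical helper).
# A listener is learned from each SYN (the dst of a "[S]" line); later packets are
# attributed to that listener by looking up their src/dst pair, so a "[R.]" on a
# conversation whose SYN was never captured (last sample line) is ignored.
# Output: "<ip>.<port> syn=N synack=N rst=N", one line per listener.
handshake_summary() {
  awk '
  / IP .* > .*: Flags \[/ {
    src = $3; dst = $5; sub(/:$/, "", dst)
    f = $7; gsub(/[^A-Z.]/, "", f)             # "[S.]," -> "S."
    pair = src SUBSEP dst
    if (f == "S") { srv[pair] = dst; srv[dst SUBSEP src] = dst; syn[dst]++; next }
    if (!(pair in srv)) next                   # no SYN seen for this conversation
    s = srv[pair]
    if (f == "S.") synack[s]++
    else if (f ~ /R/) rst[s]++                 # reset in either direction
  }
  END { for (s in syn) printf "%s syn=%d synack=%d rst=%d\n", s, syn[s], synack[s] + 0, rst[s] + 0 }
  ' | LC_ALL=C sort
}

# Listeners with at least one reset: the flows to open first in the binary capture.
reset_listeners() {
  handshake_summary | awk '$4 != "rst=0" { print $1 }'
}

printf '%s\n' "$SAMPLE" | handshake_summary
```

Run it as `sh script.sh < dump1.txt` against a real text capture; the RST counter does not distinguish a reset from the server from one sent by the client, so confirm the direction in the binary capture.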


(5) Stopping the tcpdump utility

You can stop the tcpdump utility using the following methods:

  • If you run the tcpdump utility interactively from the command line, you can stop it by pressing the "Ctrl + C" key combination.


Run Tcpdump in background

You can append '&' to the command to run the tcpdump session in the background:
#tcpdump -ni 0.0 tcp port 80 &

  • If you run the tcpdump utility in the background:
    • Return the tcpdump session to the foreground with "fg"
    • To stop the session, press Ctrl + C.
  • If you run multiple instances of the tcpdump utility in the background, you can terminate all of them at once by typing the following command:
    • killall tcpdump


(6) Combining tcpdump options

The following examples combine tcpdump options to produce the most meaningful output:

  • tcpdump -evvvnni 0.0 -s0 host 10.1.1.10 and tcp port 443
  • tcpdump -ni 1.1 -c 100000 src host 172.16.101.20 and dst port 80 > dump1.txt
  • tcpdump -vni 0.0 -s0 -W 10 -C 100 -w /var/tmp/test.pcap
  • tcpdump -vni 0.0:nnnp -s0 -w /var/tmp/capture.pcap host 10.128.10.100 and not tcp port 22
    • Information about the "nnn" option is available in the Advanced Topic.
  • tcpdump -vni 0.0:nnnp -s0 -w /var/tmp/capture.pcap 'host 100.111.222.50 or (host 100.11.12.99 and port 443)'
    • Your CLI terminal might reject this line as pasted; copy it to a plain-text editor first and re-type the single quotes.


Common Tcpdump syntax

#tcpdump -vnni external -s0 -w /var/tmp/client-side.pcap host 10.1.1.100 and port 443

  • Capture client-side traffic
  • Filters on the virtual server’s IP address and port


#tcpdump -vnni internal -s0 -w /var/tmp/server-side.pcap host 192.168.22.33 and net 10.1.1.0/24 and port 443

  • Capture server-side traffic (in this case, SNAT is set to None, so the servers see the client IP address)
  • Filters on the client IP address, the server subnet, and the port on which the servers are listening


#tcpdump -vnni 0.0:nnnp -s0 -w /var/tmp/app1.pcap 'src host 10.2.2.2 or src host 10.2.2.3' and dst host 10.1.1.100 and port 443

  • Capture both client-side and server-side traffic for the flow selected by this filter
  • Filters on the client IP addresses and the virtual server's IP address and port
    • The filter matches the client-side traffic, but the server-side traffic is captured as well because of the p modifier
