F5-TCPDUMP

TCPDUMP:


The tcpdump utility is a command-line packet sniffer with many features and options. On a BIG-IP system it is run from the bash shell and, in addition to the standard tcpdump flags, accepts F5-specific interface modifiers (described below).

Refer to the man page for more details:
# man tcpdump

Modifiers:
-n   disable name resolution
-nn  disable name and service port resolution
-i   <interface or vlan>; on a BIG-IP system 0.0 captures on all interfaces
-c   number of packets to capture, after which the capture stops
-w   write (save) the raw capture to a file
-r   read a saved capture file
-s   snapshot length: how many bytes of each packet to capture. Use 0 for no limit (full packets).
:nnn suffix on the interface name (for example 0.0:nnn): BIG-IP-specific; annotates each packet with high-detail TMM/flow information
:p   suffix on the interface name (for example 0.0:nnnp): BIG-IP-specific; captures a specific flow and its related peer flow. This is not the standard -p flag, which only disables promiscuous mode.


Example:
Log on to the CLI and start capturing:

tcpdump -nni 0.0:nnn -s0 -c 100000 -w /var/tmp/<working|non-working>.pcap host <virtual_server_ip> or <pool_member_ip> or <pool_member_ip> or <pool_member_ip>

tcpdump -nni 0.0:nnn -s0 -c 100000 -w /var/tmp/<working|non-working>.pcap '(port 443 and host 192.168.1.100) or (port 80 and (host 10.0.0.1 or 10.0.0.2 or 10.0.0.3))'

In the second example the inner parentheses matter: in a tcpdump filter 'and' binds tighter than 'or', so 'port 80 and host 10.0.0.1 or 10.0.0.2' would match port 80 only for the first host and every packet for the second. Quote the expression so the shell does not interpret the parentheses. Name the working and non-working captures differently so the two can be compared.

Note: To stop the capture, press CTRL-C.

To select an interface or VLAN, use the -i flag, as follows:
tcpdump -i <interface>
tcpdump -i <vlan>
For example:
tcpdump -i 2.1
tcpdump -i internal

Disabling name resolution (use the -n flag):

tcpdump -ni internal

To save the tcpdump output:
tcpdump -w <filename>
For example:
tcpdump -w dump1.bin
tcpdump -w dump1.pcap
tcpdump >dump1.txt
The -w flag writes the raw packets in pcap format regardless of the file extension; that file can be read back with -r or opened in Wireshark. Redirecting stdout (the dump1.txt example) saves only the decoded text summary, which cannot be read back with -r. Combine -w with -s0 so the saved packets are not truncated.

Reading a tcpdump binary capture file:
tcpdump -r <filename>
For example:
tcpdump -r dump1.bin
The same filter expressions shown below can be appended when reading a file, to narrow a large capture without recapturing.

Filtering on a host address:
To view all packets traveling to or from a specific IP address:
tcpdump host <IP address>
Traveling from a specific IP address:
tcpdump src host <IP address>
Traveling to a specific IP address:
tcpdump dst host <IP address>
The same qualifiers work for ports:
tcpdump port <port number>
tcpdump src port <port number>
tcpdump dst port <port number>

Combining filters with the 'and' operator:
tcpdump host 10.90.100.1 and port 80
Filters can also be combined with 'or' and 'not'. Because 'and' binds tighter than 'or', group mixed expressions with parentheses and put the whole expression in single quotes.
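The two capture commands above and the 'and' combination both build a BPF filter expression, and the usual mistake is getting the and/or grouping wrong. The following shell script is an added example, not part of the original post: it composes a filter with explicit parentheses from a list of hosts and ports, emits the full BIG-IP command line with the flags used above (-nni 0.0:nnn -s0 -c -w), and optionally checks that the expression compiles by running the standard tcpdump -d option against an empty pcap file it writes itself, so no root, interface or live traffic is needed. The function names, addresses, ports and output paths are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Builds an explicitly grouped
# tcpdump/BPF filter and the matching BIG-IP capture command. In BPF, "and"
# binds tighter than "or", so
#     host 10.0.0.1 or 10.0.0.2 and port 80
# means host 10.0.0.1 or (10.0.0.2 and port 80). Grouping avoids that.
# All hosts, ports and paths below are placeholders chosen for the example.

# join_terms QUALIFIER "v1 v2 v3" -> "(qualifier v1 or qualifier v2 or qualifier v3)"
# Prints nothing for an empty list.
join_terms() {
    _qual=$1
    _out=""
    for _v in $2; do
        if [ -z "$_out" ]; then
            _out="$_qual $_v"
        else
            _out="$_out or $_qual $_v"
        fi
    done
    if [ -n "$_out" ]; then
        printf '(%s)' "$_out"
    fi
}

# build_filter "HOSTS" "PORTS" -> "(host A or host B) and (port X or port Y)"
# Either list may be empty; an empty list contributes no clause.
build_filter() {
    _hosts=$(join_terms host "$1")
    _ports=$(join_terms port "$2")
    if [ -n "$_hosts" ] && [ -n "$_ports" ]; then
        printf '%s and %s' "$_hosts" "$_ports"
    else
        printf '%s%s' "$_hosts" "$_ports"
    fi
}

# capture_cmd HOSTS PORTS COUNT OUTFILE -> full command line, filter single-quoted
# so it can be pasted into the BIG-IP shell. 0.0:nnn = all interfaces with the
# high-detail TMM annotation, -s0 = full packets, -nn = no name/port lookups.
capture_cmd() {
    _filter=$(build_filter "$1" "$2")
    printf "tcpdump -nni 0.0:nnn -s0 -c %s -w %s '%s'" "$3" "$4" "$_filter"
}

# check_filter FILTER: compile the expression with "tcpdump -d" against an
# empty pcap file, which validates the syntax without privileges or traffic.
# Returns 0 if the filter compiles, 1 if it does not, 2 if tcpdump is absent.
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    _tmp=$(mktemp) || return 2
    # 24-byte pcap global header: magic a1b2c3d4 (little-endian), version 2.4,
    # thiszone 0, sigfigs 0, snaplen 65535, link type 1 (Ethernet), no packets.
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$_tmp"
    if tcpdump -r "$_tmp" -d "$1" >/dev/null 2>&1; then
        _rc=0
    else
        _rc=1
    fi
    rm -f "$_tmp"
    return "$_rc"
}

# Usage: a virtual server plus two pool members, HTTP and HTTPS (made-up addresses).
capture_cmd "192.168.1.100 10.0.0.1 10.0.0.2" "80 443" 100000 /var/tmp/working.pcap
echo
```

Paste the printed command into the BIG-IP shell and stop it with CTRL-C, or leave the -c count to stop it for you. When tcpdump is installed, check_filter catches syntax errors before a capture is started on a busy box, which matters because a capture that fails to start after you have walked away leaves you without evidence.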

:p modifier:
The :p interface modifier produces large amounts of data and can cause significant resource utilization. This additional demand may cause poor performance or a system failure if the BIG-IP system is already at high resource utilization. Use this modifier only with very specific filters, and always with a packet count (-c) or other bound on the capture.

Note: The :p modifier will continue to produce flow information for the life of the connection. Subsequent tcpdump captures will reveal flow information from previous tcpdump captures using the :p modifier if the connection is still active. To clear flow information from previous use, run the tcpdump command without the :p modifier, using a filter that matches no information in the flow, and ensure that some traffic has been received by the BIG-IP system for the flow.

tcpdump -nni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.dmp host <Client IP>


Refer to the following link for more information:

Link2-Advance
