F5 packet capture CLI

F5 BIG-IP supports packet capture through the tcpdump command. In version 10.x, running tcpdump in a non-default route domain is not supported.

F5 recommends running tcpdump from the default route domain (route domain 0) and specifying interface 0.0, as shown below:

tcpdump -s0 -w /var/tmp/WOI1.pcap -fnni 0.0:nnn host x.x.x.x

Here x.x.x.x is a filter that matches packets whose source IP or destination IP is that address.

In addition, F5 ships ssldump, a CLI tool that is useful for analyzing SSL traffic from a capture file:

ssldump -aAden -N -r <dump file> -k <key file> >> /var/tmp/<output file>


UPDATE:

In BIG-IP version 13.1, tcpdump can be run directly on an interface, as on any other Linux system:

[root@bigip1:Active:In Sync] config # tcpdump -i 1.3 -w hsm.pcap
tcpdump: listening on 1.3, link-type EN10MB (Ethernet), capture size 65535 bytes
^C297 packets captured
297 packets received by filter
0 packets dropped by kernel
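As an added example that is not part of the original post, the POSIX sh helpers below build the capture command recommended above (route domain 0, interface 0.0 with the :nnn suffix, a single host filter) after validating the inputs, and check the three-line summary tcpdump prints on ^C, as in the 13.1 session, so that kernel drops are noticed rather than silently leaving a pcap with missing packets. The function names are my own and the sample summary is constructed after the post's output.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the BIG-IP capture command
# the post recommends (route domain 0, interface 0.0 with the :nnn annotation
# suffix) after validating its inputs, and checks tcpdump's closing summary so
# an incomplete capture is noticed. Function names are my own.

# Dotted-quad IPv4 check (four octets, each 0-255); used for the host filter.
valid_ipv4() {
    addr=$1
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# BIG-IP interface name: <slot>.<port> (0.0 = all), optionally :n/:nn/:nnn.
valid_iface() {
    case "$1" in *:n|*:nn|*:nnn) base=${1%:*} ;; *:*) return 1 ;; *) base=$1 ;; esac
    case "$base" in *[!0-9.]*|*.*.*|.*|*.) return 1 ;; *.*) return 0 ;; *) return 1 ;; esac
}

# Print the tcpdump command line; fail instead of passing junk to the filter.
f5_tcpdump_cmd() {
    host=$1; iface=$2; out=$3
    valid_ipv4 "$host"   || { echo "bad host filter: $host" >&2; return 1; }
    valid_iface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
    case "$out" in /var/tmp/*.pcap) ;; *) echo "write to /var/tmp/<name>.pcap" >&2; return 1 ;; esac
    printf 'tcpdump -s0 -w %s -fnni %s host %s\n' "$out" "$iface" "$host"
}

# Read the three summary lines tcpdump prints on ^C from stdin. Kernel drops or
# fewer packets captured than received mean the pcap is incomplete: exit 1.
check_capture_summary() {
    awk '{ gsub(/[^0-9]/, "", $1) }
         /packets captured/           { cap  = $1 }
         /packets received by filter/ { recv = $1 }
         /packets dropped by kernel/  { drop = $1 }
         END {
             if (cap == "" || drop == "") { print "summary not found"; exit 2 }
             if (drop + 0 > 0)       { print "incomplete: " drop " packets dropped by kernel"; exit 1 }
             if (cap + 0 < recv + 0) { print "incomplete: " cap " of " recv " captured"; exit 1 }
             print "complete: " cap " packets captured"
         }'
}

# Demo with a constructed summary modelled on the post's 13.1 session.
f5_tcpdump_cmd 10.1.1.5 0.0:nnn /var/tmp/WOI1.pcap
printf '%s\n' '^C297 packets captured' '297 packets received by filter' \
              '0 packets dropped by kernel' | check_capture_summary
```

To use it on a real capture, redirect tcpdump's stderr to a file and pipe that file into check_capture_summary once the capture has been stopped.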
