Non-Diagnostic
Topic
The tcpdump utility is a command line packet sniffer with many features and options. For a full description,
refer to the tcpdump man pages by typing the following command:
man tcpdump
The tcpdump utility's interface option (-i) accepts only one argument. This argument may be a numbered interface
or a named Virtual Local Area Network (VLAN).
tcpdump -i <option>
For example:
To view the traffic on a single specific interface:
tcpdump -i 2.1
tcpdump -i internal
tcpdump -i eth0
tcpdump -i 0.0
Important: Running tcpdump on interface 0.0 is not rate-limited and has the potential to create very large
files. F5 recommends this option only when using filters to limit the size of the capture. Review the Filters
section prior to using this option.
For example:
eth0:mgmt
By default, tcpdump attempts to look up IP addresses and use names, rather than numbers, in the output.
The BIG-IP system must wait for a response from the DNS server, so the lookups can be time consuming
and the output may be confusing. To disable name lookups, use the -n option:
tcpdump -n
You can save the tcpdump data to one of the following file formats:
A binary file that contains all the information collected by the tcpdump and is readable by the tcpdump
utility as well as many other traffic analysis packages.
A text file that contains a subset of the full tcpdump data, but is readable only as plain text.
When working with F5 Technical Support, you must provide the tcpdump output in the binary file format. For
information about transferring the file output from an F5 system, refer to K175: Transferring files to or from
an F5 system.
Binary file
To save the tcpdump output to a binary file, type the following command:
tcpdump -w <filename>
For example:
tcpdump -w dump1.bin
Note: The tcpdump utility does not print data to the screen while it is capturing to a file. To stop the capture,
press CTRL-C.
Text file
To save the tcpdump output to a text file, type the following command:
For example:
To read data from a binary tcpdump file (that you saved by using the tcpdump -w command), type the
following command:
tcpdump -r <filename>
For example:
tcpdump -r dump1.bin
In this mode, the tcpdump utility reads stored packets from the file, but otherwise operates just as it would if
it were reading from the network interface. As a result, you can use formatting commands and filters.
Beginning in BIG-IP 11.2.0-HF3, 11.2.1-HF3, and 11.3.0, a pseudo header which includes the following
parameters is added to the start of each binary tcpdump capture:
Filters
The tcpdump utility allows you to use filters to, among other things, restrict the output to specified
addresses, ports, and tcp flags.
Filtering on a host address
To view all packets that are traveling to or from a specific IP address, type the following command:
For example:
To view all packets that are traveling from a specific IP address, type the following command:
For example:
To view all packets that are traveling to a particular IP address, type the following command:
For example:
Filtering on a port
To view all packets that are traveling through the BIG-IP system and are either sourced from or
destined to a specific port, type the following command:
For example:
tcpdump port 80
To view all packets that are traveling through the BIG-IP system and sourced from a specific port,
type the following command:
For example:
To view all packets that are traveling through the BIG-IP system and destined to a specific port, type
the following command:
To view all packets that are traveling through the BIG-IP system that contain the SYN flag, type the
following command:
To view all packets that are traveling through the BIG-IP system that contain the RST flag, type the
following command:
You can use the and operator to combine filter expressions so that only packets matching all of them are shown.
The tcpdump utility's -s (snarf/snaplen) option lets you specify how many bytes of each packet to capture. To capture the
entire packet, use a value of 0 (zero).
For example:
Alternatively, you can specify a length large enough to capture the packet data you need to examine.
For example:
If you are using the tcpdump utility to examine the output on the console during capture or by reading from
an input file with the -r option, you should also use the -X flag to display ASCII encoded output along with
the default HEX encoded output.
For example:
tcpdump -r dump1.bin -X src host 172.16.101.20 and dst port 80
The tcpdump utility provides an option that allows you to specify whether IP addresses and service ports
are translated to their corresponding hostnames and service names.
Since performing multiple name lookups during a packet capture may be resource intensive, you should
disable name resolution while capturing on a busy system using the -n option.
For example:
Service port lookups incur less overhead than DNS-based name resolutions, but still are usually
unnecessary while performing a capture. You can disable both name and service port resolution while
performing a capture, by using the -nn option.
For example:
This article contains the most essential tcpdump options. You will generally need to use most of the options
in combination.
Following are examples of how to combine the tcpdump options to provide the most meaningful output:
tcpdump -ni 1.10 src host 172.16.101.20 and dst port 80 >dump1.txt
tcpdump -Xs200 -nni eth0 -w /var/tmp/mgmt.cap dst host 172.16.101.20 and dst port 162
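The following shell function is an added example, not part of the F5 article, that assembles a capture command line following the guidance above: it always disables name and service lookups (-nn), validates the snaplen, writes binary output (-w) for F5 Technical Support, and refuses an unfiltered capture on interface 0.0, which the Important note warns can create very large files. The function name and its argument order are assumptions.

```shell
#!/bin/sh
# Added example (not from the F5 article): build a BIG-IP tcpdump capture
# command line that follows the article's recommendations.
#
# usage: build_capture interface snaplen outfile [filter ...]
# Prints the command line on success. Returns 1 and prints nothing on stdout
# when the request is an unfiltered capture on 0.0 or the snaplen is invalid.
build_capture() {
    iface=$1; snaplen=$2; outfile=$3
    shift 3
    filter="$*"

    # Interface 0.0 (all interfaces) is not rate-limited, so require a filter.
    if [ "$iface" = "0.0" ] && [ -z "$filter" ]; then
        echo "refusing unfiltered capture on 0.0; add a filter expression" >&2
        return 1
    fi

    # Snaplen must be a non-negative integer; 0 captures the whole packet.
    case $snaplen in
        ''|*[!0-9]*) echo "snaplen must be an integer (0 = full packet)" >&2; return 1 ;;
    esac

    # -nn: no DNS or service-name lookups, which are costly on a busy system.
    # -w:  binary output (the format F5 Support needs), readable later with -r.
    cmd="tcpdump -nni $iface -s $snaplen -w $outfile"
    [ -n "$filter" ] && cmd="$cmd $filter"
    echo "$cmd"
}

# Example invocation with constructed values (prints the command, does not run it):
build_capture 1.10 0 /var/tmp/web.cap src host 172.16.101.20 and dst port 80
```

The function only prints the command line; run the printed command on the BIG-IP system and stop the capture with CTRL-C.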
Supplemental Information
K6546: Recommended methods and limitations for running tcpdump on a BIG-IP system
K4714: Performing a packet trace and providing the results to F5 Technical Support
K10319: Using the tcpdump utility disables hardware checksum offloading
Applies to:
Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP DNS,
BIG-IP Edge Gateway, BIG-IP GTM, BIG-IP Link Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP PSM,
BIG-IP WebAccelerator, BIG-IP WOM
14.0.0, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.3, 11.6.2, 11.6.1, 11.6.0,
11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.3.0, 11.2.1, 11.2.0, 11.1.0,
11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.1, 10.0.0, 9.6.1, 9.6.0, 9.4.8, 9.4.7, 9.4.6, 9.4.5,
9.4.4, 9.4.3, 9.4.2, 9.4.1, 9.4.0, 9.3.1, 9.3.0, 9.2.5, 9.2.4, 9.2.3, 9.2.2, 9.2.0, 9.1.3, 9.1.2, 9.1.1, 9.1.0