Tcpdump is a command line packet analysis program for Linux operating systems. F5 BIG-IP runs on the CentOS operating system. When packet analysis is needed to diagnose a problem while it is occurring, it is important to capture packets with appropriate parameters and filters.
tcpdump Parameters

| Parameter | Description | Example |
|---|---|---|
| -D | Lists available interfaces. | `tcpdump -D` |
| -i | Captures on the specified interface (`any` = all interfaces). | `tcpdump -i any` |
| -n | Disables hostname resolution. | `tcpdump -ni any` |
| -nn | Disables hostname and port-name resolution. | `tcpdump -nni any` |
| -X | Prints each packet in hex and ASCII. | `tcpdump -X -nni any` |
| -c | Stops after capturing the specified number of packets. | `tcpdump -nni any -c 1000` |
| -C | Rotates the output file once it reaches the specified size in megabytes (used with -w). | `tcpdump -nni any -C 50` |
| -w | Writes the packet capture to the specified file. | `tcpdump -nni any -c 1000 -w /var/tmp/netsys.pcap` |
| -W | Limits the number of rotated capture files to the specified value (used with -C). | `tcpdump -nni any -W 5 -C 50 -w /var/tmp/netsys.pcap` |
| -s0 | Captures full packets (no snapshot-length truncation). | `tcpdump -nni any -s0 -W 5 -C 50 -w /var/tmp/netsys.pcap` |
| -v | Verbose output; when writing to a file with -w, shows the number of packets captured. | `tcpdump -nni any -w /var/tmp/netsys.pcap -v` |
| -e | Shows link-level (MAC) addresses in packets. | `tcpdump -e -nni any` |
tcpdump Filters

| Filter | Description | Example |
|---|---|---|
| host | Captures packets to or from the specified IP address. | `tcpdump -nni any host 10.11.12.13` |
| src host | Captures packets from the specified source IP address. | `tcpdump -nni any src host 10.11.12.13` |
| dst host | Captures packets to the specified destination IP address. | `tcpdump -nni any dst host 10.11.12.13` |
| port | Captures packets to or from the specified port number. | `tcpdump -nni any port 443` |
| src port | Captures packets from the specified source port number. | `tcpdump -nni any src port 15015` |
| dst port | Captures packets to the specified destination port number. | `tcpdump -nni any dst port 8080` |
| net | Captures packets to or from the specified network. | `tcpdump -nni any net 192.168.34.0/24` |
| src net | Captures packets from the specified source network. | `tcpdump -nni any src net 10.10.10.128/25` |
| dst net | Captures packets to the specified destination network (the host bits of the prefix must be zero, otherwise tcpdump rejects the filter). | `tcpdump -nni any dst net 172.16.0.0/16` |
| icmp | Captures ICMP packets. | `tcpdump -nni any icmp` |
| arp | Captures ARP packets. | `tcpdump -nni any arp` |
tcpdump Operators

| Operator | Description | Example |
|---|---|---|
| and | Captures packets matching all of the combined filters. | `tcpdump -nni any host 10.11.12.13 and port 8080` |
| or | Captures packets matching any of the filters. | `tcpdump -nni any host 192.168.1.101 or host 192.168.1.102 or host 192.168.1.103` |
| not | Captures packets outside of the specified filter. | `tcpdump -nni any not net 10.0.0.0/8` |
F5 Specific tcpdump Parameters

| Option | Description | Example |
|---|---|---|
| :n | Low detail; includes TMM information: Ingress, Slot, TMM, Type, VIP, Port, Trunk. | `tcpdump -nni 0.0:n -s0 -w /var/tmp/lowcapture.pcap` |
| :nn | Medium detail; includes TMM information: Flow ID, Peer ID, RST Cause, Connflow Flags, Flow Type, HA Unit, Ingress Slot, Ingress Port, Priority. | `tcpdump -nni 0.0:nn -s0 -w /var/tmp/mediumcapture.pcap` |
| :nnn | High detail; includes TMM information: Peer IP Protocol, Peer VLAN, Peer Remote Address, Peer Local Address, Peer Remote Port, Peer Local Port. | `tcpdump -nni 0.0:nnn -s0 -w /var/tmp/highcapture.pcap` |
| :p | Captures both the client-side and the server-side packets of a flow (end-to-end). | `tcpdump -nni 0.0:nnnp -s0 host 10.11.12.13 -w /var/tmp/capture.pcap` |
| --f5 ssl | Records the secrets and random values needed to decrypt the SSL packets: Secret length, Early Traffic Secret, Client Handshake Traffic Secret, Server Handshake Traffic Secret, Client Application Traffic Secret, Server Application Traffic Secret, Client Random, Server Random. Note: the tcpdump.sslprovider db variable must be enabled: `tmsh modify sys db tcpdump.sslprovider value enable` | `tcpdump -s0 -nni 0.0:nnnp --f5 ssl -vw /var/tmp/netsys-decrypt.pcap host 192.168.1.34 and port 443` |
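An added example (not from the original post) that pre-checks a capture before launching it on the BIG-IP: libpcap rejects a `net` filter whose host bits are set ("non-network bits set"), which would abort a long rotating capture before the first packet, so the script validates each `net` prefix, assembles the rotating `:nnnp` command line from the tables above, and checks the `tcpdump.sslprovider` db variable through `tmsh` (the `tmsh list` output format is assumed; off-box the check simply reports not ready).

```shell
#!/bin/sh
# ip_to_int 10.10.10.128 -> 168430208 (dotted quad to 32-bit integer)
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_ok 10.10.10.128/25 -> 0 when the host bits are clear,
# 1 when libpcap would reject the prefix with "non-network bits set".
net_ok() {
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" != "$1" ] || plen=32          # bare address: treat as /32
    n=$(ip_to_int "$addr")
    mask=$(( (0xffffffff << (32 - plen)) & 0xffffffff ))
    [ $(( n & ~mask )) -eq 0 ]
}

# build_capture "<filter>" <file> -> prints the BIG-IP capture command:
# full packets (-s0), 50 MB rotation (-C 50) over 5 files (-W 5), high-detail
# TMM info plus server-side flow (:nnnp). Fails if a net prefix is invalid.
build_capture() {
    filter=$1; out=$2; prev=
    for tok in $filter; do
        case $prev in
            net) net_ok "$tok" || { echo "bad net filter: $tok" >&2; return 1; } ;;
        esac
        prev=$tok
    done
    echo "tcpdump -nni 0.0:nnnp -s0 -C 50 -W 5 -w $out $filter"
}

# ssl_capture_ready -> 0 only when --f5 ssl will actually record secrets,
# i.e. tmsh exists (BIG-IP) and tcpdump.sslprovider is enabled. Assumes
# tmsh prints: sys db tcpdump.sslprovider { value "enable" }
ssl_capture_ready() {
    command -v tmsh >/dev/null 2>&1 || return 1
    tmsh list sys db tcpdump.sslprovider 2>/dev/null | grep -q 'value "enable"'
}

if [ "${0##*/}" = "capture_check.sh" ]; then
    build_capture "src net 10.10.10.128/25 and port 443" /var/tmp/netsys.pcap
    ssl_capture_ready || echo "tcpdump.sslprovider is not enabled; --f5 ssl will not record secrets" >&2
fi
```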