This page is simply to provide quick and dirty notes for performing standard packet captures on F5 appliances. I use these fairly often and needed a place for quick reference. Always refer to vendor documentation for more detail.
F5 utilizes tcpdump for packet captures. You need to be in bash when running tcpdump. If your SSH session is dropping you in tmos shell, go ahead and move over to the bash shell:
run /util bash
Here are some tcpdump examples:
-s0 = Capture the entire packet (change 0 to some other number to slice packets)
-nn = Disable name lookups for host and port
-i = Interface (0.0 means all interfaces)
-v = Verbose
-l = Line-buffered output
-X = Print packets in hex and ASCII
# Print straight to the screen, don't slice packets
tcpdump -nni 0.0 -X -s0 host X.X.X.X and port 80 and host Y.Y.Y.Y

# Capture filter to a file
tcpdump -v -l -s0 -nni 0.0 host X.X.X.X or host Y.Y.Y.Y or icmp or arp -w /var/tmp/cap1.pcap

# Specific 1.1 interface, only sourced packets
tcpdump -v -l -s0 -nni 1.1 src host X.X.X.X -w /var/tmp/cap1.pcap
Stream TCPdump from the F5 directly to Wireshark
Yes, you can actually use Wireshark directly when performing a packet capture on an F5. Just make sure you have solid filters set up beforehand.
The examples below are from this article on DevCentral:
Cygwin on Windows:
# ssh -l root 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | /cygdrive/c/Program\ Files/Wireshark/Wireshark.exe -k -i -
Linux:
# ssh -l root 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | /usr/bin/wireshark -k -i -
Windows CMD with plink (download from putty homepage):
plink.exe -l root -pw default 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | "c:\Program Files\Wireshark\wireshark.exe" -k -i -
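An added example, not from the original page or the DevCentral article: one way to have the filter settled before streaming is to build the remote tcpdump command with a helper that validates its inputs, caps the packet count and excludes the SSH session itself. The function names, the use of -c as the cap and the sample addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the page or DevCentral); names are hypothetical.

# True only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# build_capture_cmd MAX_PACKETS EXCLUDE_PORT HOST [HOST...]
# Prints the tcpdump command line to hand to ssh. Every argument must be a
# plain number or IPv4 address, because ssh passes the string to the remote shell.
build_capture_cmd() (
    [ $# -ge 3 ] || { echo "usage: build_capture_cmd MAX PORT HOST..." >&2; exit 1; }
    max=$1 skip_port=$2
    shift 2
    case $max in
        ''|*[!0-9]*|0*) echo "bad packet count: $max" >&2; exit 1 ;;
    esac
    case $skip_port in
        ''|*[!0-9]*|0*) echo "bad port: $skip_port" >&2; exit 1 ;;
    esac
    [ ${#skip_port} -le 5 ] && [ "$skip_port" -le 65535 ] ||
        { echo "bad port: $skip_port" >&2; exit 1; }
    filter=
    for h in "$@"; do
        is_ipv4 "$h" || { echo "bad host: $h" >&2; exit 1; }
        filter="${filter:+$filter or }host $h"
    done
    # -c bounds the capture; "not port" keeps the SSH session that carries
    # the stream out of the capture when it crosses a captured interface.
    printf 'tcpdump -w - -s0 -nni 0.0 -c %s "(%s) and not port %s"\n' \
        "$max" "$filter" "$skip_port"
)

# Usage (constructed addresses; 192.0.2.10 stands in for the F5):
#   ssh -l root 192.0.2.10 "$(build_capture_cmd 5000 22 198.51.100.7 203.0.113.9)" \
#       | wireshark -k -i -
```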
More information on TCPdump