F5 Packet Capture Reference

This page is simply to provide quick and dirty notes for performing standard packet captures on F5 appliances.   I use these fairly often and needed a place for quick reference.  Always refer to vendor documentation for more detail.


F5 utilizes tcpdump for packet captures.  You need to be in bash when running tcpdump.  If your SSH session is dropping you in tmos shell, go ahead and move over to the bash shell:

run /util bash

Here are some tcpdump examples:

-s0 = Capture entire packet (change 0 to some other number to slice packets)
-nn = Disables name lookups for host and port 
-i = interface (0.0 means all interfaces)
-v = verbose
-l = buffered
-X = Print hex and ascii format
# Print straight to the screen, don't slice packets
tcpdump -nni 0.0 -X -s0 host X.X.X.X and port 80 and host Y.Y.Y.Y

# Capture filter to a file
tcpdump -v -l -s0 -nni 0.0 host X.X.X.X or host Y.Y.Y.Y or icmp or arp -w /var/tmp/cap1.pcap
# Specific 1.1 interface, only sourced packets
tcpdump -v -l -s0 -nni 1.1 src host X.X.X.X -w /var/tmp/cap1.pcap



Stream TCPdump from the F5 directly to Wireshark

Yes, you can actually use Wireshark directly when performing packet capture on an F5, just make sure you have solid filters setup beforehand.  


The examples below are from this article on devcentral:

cygwin on Windows

# ssh -l root "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | 
/cygdrive/c/Program\ Files/Wireshark/Wireshark.exe -k -i -  


# ssh -l root "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" |
/usr/bin/wireshark -k -i -  

Windows CMD with plink (download from putty homepage):

plink.exe -l root -pw default "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" |
 "c:\Program Files\Wireshark\wireshark.exe" -k -i - 

More information on TCPdump


David Varnum


You may also like...

1 Response

  1. Jairo Castro says:

    Thanks for this useful info

Leave a Reply

%d bloggers like this: