F5 Packet Capture Reference

This page provides quick and dirty notes for performing standard packet captures on F5 appliances. I use these fairly often and needed a place for quick reference. Always refer to vendor documentation for more detail.


F5 utilizes tcpdump for packet captures. You need to be in bash when running tcpdump. If your SSH session drops you into the tmos shell, move over to the bash shell:

run /util bash

Here are some tcpdump examples:

-s0 = capture the entire packet (change 0 to some other number to slice packets)
-nn = disable name lookups for hosts and ports
-i = interface (0.0 means all interfaces)
-v = verbose
-l = line-buffered output
-X = print hex and ASCII

# Print straight to the screen, don't slice packets
tcpdump -nni 0.0 -X -s0 host X.X.X.X and port 80 and host Y.Y.Y.Y

# Capture with a filter and write to a file
tcpdump -v -l -s0 -nni 0.0 -w /var/tmp/cap1.pcap host X.X.X.X or host Y.Y.Y.Y or icmp or arp

# Specific 1.1 interface, only packets sourced from X.X.X.X
tcpdump -v -l -s0 -nni 1.1 -w /var/tmp/cap1.pcap src host X.X.X.X



Stream TCPdump from the F5 directly to Wireshark

Yes, you can stream a capture from an F5 directly into Wireshark; just make sure you have solid filters set up beforehand.

The examples below are from this article on DevCentral:

In each command, replace BIGIP_HOST with the address of your BIG-IP.

Cygwin on Windows:

ssh -l root BIGIP_HOST "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" |
  /cygdrive/c/Program\ Files/Wireshark/Wireshark.exe -k -i -

Linux:

ssh -l root BIGIP_HOST "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" |
  /usr/bin/wireshark -k -i -

Windows CMD with plink (download from the PuTTY homepage):

plink.exe -l root -pw default BIGIP_HOST "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | "c:\Program Files\Wireshark\wireshark.exe" -k -i -

More information on TCPdump
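
The "solid filters" advice for streaming matters most if the SSH session carrying the stream itself crosses the captured interface, because tcpdump then captures its own output. The following is an added example, not code from the original page or the DevCentral article: it builds the remote tcpdump command from validated inputs, caps it with -c, and excludes SSH traffic from the capturing client. The function names, the 10000-packet default and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: emit a validated, bounded tcpdump command for streaming a
# BIG-IP capture over SSH without capturing the SSH session itself.

# True only for a dotted-quad IPv4 literal (four octets, each <= 255).
is_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
  done
}

# True when $1 is a decimal integer between 1 and $2.
in_range() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ ${#1} -le ${#2} ] && [ "$1" -ge 1 ] && [ "$1" -le "$2" ]
}

# True for the interface names used on this page (0.0, 1.1, ...); other
# names are rejected by this example.
is_f5_iface() {
  case $1 in *[!0-9.]*|*.*.*|.*|*.) return 1 ;; [0-9]*.[0-9]*) return 0 ;; esac
  return 1
}

# build_capture_cmd IFACE HOST_A HOST_B SSH_CLIENT [MAX_PACKETS]
# SSH_CLIENT is the "client_ip client_port server_port" triple that OpenSSH
# exports on the server. A new session gets a new client port, so the
# exclusion uses the client address and the server port.
build_capture_cmd() {
  iface=$1 host_a=$2 host_b=$3 ssh_client=$4 max=${5:-10000}
  is_f5_iface "$iface" && is_ipv4 "$host_a" && is_ipv4 "$host_b" &&
    in_range "$max" 1000000 ||
    { echo "rejected interface, host or packet count" >&2; return 2; }
  set -f; set -- $ssh_client; set +f   # split the triple without globbing
  [ $# -eq 3 ] && is_ipv4 "$1" && in_range "$2" 65535 && in_range "$3" 65535 ||
    { echo "rejected SSH_CLIENT value" >&2; return 2; }
  printf 'tcpdump -w - -s0 -nn -p -i %s -c %s "host %s and host %s and not (host %s and tcp port %s)"\n' \
    "$iface" "$max" "$host_a" "$host_b" "$1" "$3"
}

# Constructed sample values (documentation address ranges).
build_capture_cmd 0.0 192.0.2.10 198.51.100.20 "203.0.113.5 51514 22" 5000
```

The printed command takes the place of the quoted tcpdump string in the ssh and plink lines above. The SSH_CLIENT value can be read in any existing bash session on the BIG-IP with echo "$SSH_CLIENT".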

