K411: Overview of packet tracing with the tcpdump utility

Non-Diagnostic

Original Publication Date: May 3, 2016

Update Date: Aug 29, 2018

Topic

Running the tcpdump utility

Selecting an Interface or VLAN
Disabling name resolution
Saving tcpdump output to a file
Binary file
Text file
Reading tcpdump binary file output
Filters
Filtering on a host address
Filtering on a port
Filtering on a tcp flag
Combining filters with the and operator
Capturing packet data
Suppressing hostname and port resolution
Combining tcpdump options
Advanced tcpdump topics

The tcpdump utility is a command line packet sniffer with many features and options. For a full description,
refer to the tcpdump man pages by typing the following command:

man tcpdump

Running the tcpdump utility

Following are examples of commands used to run the tcpdump utility:

Selecting an Interface or VLAN

The tcpdump utility's interface or -i option accepts only one option. This option may be a numbered interface
or a named Virtual Local Area Network (VLAN).

To view traffic, use the -i flag as follows:

tcpdump -i <option>

For example:
To view the traffic on a single specific interface:

tcpdump -i 2.1

To view the traffic on a specific VLAN called internal:

tcpdump -i internal

To view the traffic on the management interface:

tcpdump -i eth0

To view the traffic on all interfaces:

tcpdump -i 0.0

Important: Running tcpdump on interface 0.0 is not rate-limited and has the potential to create very large
files. F5 recommends this option only when using filters to limit the size of the capture. Review the Filters
section prior to using this option.

Note: Do not attempt to run tcpdump on an interface that contains a colon.

For example:

eth0:mgmt

Disabling name resolution

By default, tcpdump attempts to look up IP addresses and use names, rather than numbers, in the output.
The BIG-IP system must wait for a response from the DNS server, so the lookups can be time consuming
and the output may be confusing.

To disable name resolution, use the -n flag as in the following examples:

tcpdump -n

tcpdump -ni internal

Saving tcpdump output to a file

You can save the tcpdump data to one of the following file formats:

A binary file that contains all the information collected by the tcpdump and is readable by the tcpdump
utility as well as many other traffic analysis packages.
A text file that contains a subset of the full tcpdump data, but is readable only as plain text.

When working with F5 Technical Support, you must provide the tcpdump output in the binary file format. For
information about transferring the file output from an F5 system, refer to K175: Transferring files to or from
an F5 system.
Binary file

To save the tcpdump output to a binary file, type the following command:

tcpdump -w <filename>

For example:

tcpdump -w dump1.bin

Note: The tcpdump utility does not print data to the screen while it is capturing to a file. To stop the capture,
press CTRL-C.

Text file

To save the tcpdump output to a text file, type the following command:

tcpdump > <filename>

For example:

tcpdump > dump1.txt

Reading tcpdump binary file output

To read data from a binary tcpdump file (that you saved by using the tcpdump -w command), type the
following command:

tcpdump -r <filename>

For example:

tcpdump -r dump1.bin

In this mode, the tcpdump utility reads stored packets from the file, but otherwise operates just as it would if
it were reading from the network interface. As a result, you can use formatting commands and filters.

Beginning in BIG-IP 11.2.0-HF3, 11.2.1-HF3, and 11.3.0, a pseudo header which includes the following
parameters is added to the start of each binary tcpdump capture:

The tcpdump command syntax used, including all options

Version of software
Hostname of the system
Platform ID
Product

Filters

The tcpdump utility allows you to use filters to, among other things, restrict the output to specified
addresses, ports, and tcp flags.
Filtering on a host address

To view all packets that are traveling to or from a specific IP address, type the following command:

tcpdump host <IP address>

For example:

tcpdump host 10.90.100.1

To view all packets that are traveling from a specific IP address, type the following command:

tcpdump src host <IP address>

For example:

tcpdump src host 10.90.100.1

To view all packets that are traveling to a particular IP address, type the following command:

tcpdump dst host <IP address>

For example:

tcpdump dst host 10.90.100.1

Filtering on a port

To view all packets that are traveling through the BIG-IP system and are either sourced from or
destined to a specific port, type the following command:

tcpdump port <port number>

For example:

tcpdump port 80

To view all packets that are traveling through the BIG-IP system and sourced from a specific port,
type the following command:

tcpdump src port <port number>

For example:

tcpdump src port 80

To view all packets that are traveling through the BIG-IP system and destined to a specific port, type
the following command:

tcpdump dst port <port number>

 For example:

tcpdump dst port 80

Filtering on a tcp flag

To view all packets that are traveling through the BIG-IP system that contain the SYN flag, type the
following command:

tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'

To view all packets that are traveling through the BIG-IP system that contain the RST flag, type the
following command:

tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'

Combining filters with the 'and' operator

You can use the and operator to filter for a mixture of output.

Following are some examples of useful combinations:

tcpdump host 10.90.100.1 and port 80

tcpdump src host 172.16.101.20 and dst port 80

tcpdump src host 172.16.101.20 and dst host 10.90.100.1

Capturing packet data

The tcpdump utility provides an option that allows you to specify the amount of each packet to capture.

You can use the -s (snarf/snaplen) option to specify the amount of each packet to capture. To capture the
entire packet, use a value of 0 (zero).

For example:

tcpdump -s0 src host 172.16.101.20 and dst port 80

Alternatively, you can specify a length large enough to capture the packet data you need to examine.

For example:

tcpdump -s200 src host 172.16.101.20 and dst port 80

If you are using the tcpdump utility to examine the output on the console during capture or by reading from
an input file with the -r option, you should also use the -X flag to display ASCII encoded output along with
the default HEX encoded output.

For example:
tcpdump -r dump1.bin -X src host 172.16.101.20 and dst port 80

Suppressing hostname and port resolution

The tcpdump utility provides an option that allows you to specify whether IP addresses and service ports
are translated to their corresponding hostnames and service names.

Since performing multiple name lookups during a packet capture may be resource intensive, you should
disable name resolution while capturing on a busy system using the -n option.

For example:

tcpdump -n src host 172.16.101.20 and dst port 80

Service port lookups incur less overhead than DNS-based name resolutions, but still are usually
unnecessary while performing a capture. You can disable both name and service port resolution while
performing a capture, by using the -nn option.

For example:

tcpdump -nn src host 172.16.101.20 and dst port 80

Combining tcpdump options

This article contains the most essential tcpdump options. You will generally need to use most of the options
in combination.

Following are examples of how to combine the tcpdump options to provide the most meaningful output:

tcpdump -ni internal -w dump1.bin

tcpdump -n -r dump1.bin host 10.90.100.1

tcpdump -ni 2.1 host 10.90.100.1 and port 80

tcpdump -ni 1.10 src host 172.16.101.20 and dst port 80 >dump1.txt

tcpdump -Xs200 -nni eth0 -w /var/tmp/mgmt.cap dst host 172.16.101.20 and dst port 162

Advanced tcpdump topics

The following articles cover advanced tcpdump topics:

K1893: Packet trace analysis

K13637: Capturing internal TMM information with tcpdump
K7227: Considerations when using the tcpdump utility with tagged VLAN traffic
K13328: Troubleshooting LDAP authentication with tcpdump
K13301: Overview of packet tracing a BIG-IP APM Network Access tunnel with the tcpdump utility
K7823: Troubleshooting and debugging Enterprise Manager iControl connectivity
K5564: Saving large tcpdump packet traces when disk space is limited
 K2289: Using advanced tcpdump filters

Supplemental Information

K6546: Recommended methods and limitations for running tcpdump on a BIG-IP system
K4714: Performing a packet trace and providing the results to F5 Technical Support
K10319: Using the tcpdump utility disables hardware checksum offloading

Applies to:

Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP DNS, BIG-
IP Edge Gateway, BIG-IP GTM, BIG-IP Link Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP PSM, BIG-IP
WebAccelerator, BIG-IP WOM
14.0.0, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.3, 11.6.2, 11.6.1, 11.6.0,
11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0, 11.4.1, 11.4.0, 11.3.0, 11.2.1, 11.2.0, 11.1.0,
11.0.0, 10.2.4, 10.2.3, 10.2.2, 10.2.1, 10.2.0, 10.1.0, 10.0.1, 10.0.0, 9.6.1, 9.6.0, 9.4.8, 9.4.7, 9.4.6, 9.4.5,
9.4.4, 9.4.3, 9.4.2, 9.4.1, 9.4.0, 9.3.1, 9.3.0, 9.2.5, 9.2.4, 9.2.3, 9.2.2, 9.2.0, 9.1.3, 9.1.2, 9.1.1, 9.1.0

Product: Enterprise Manager

3.1.1, 3.1.0, 3.0.0