TCPdump with SNAT

How to perform a tcpdump on a virtual server that has Snat configured:

Starting in v11.2, there is an awesome undocumented feature that can help. It’s a new “-p” flag to dump on “peer” flows.


Log on to CLI via SSH and start packet capture:

tcpdump -ni 0.0:nnnp -s 0 host client-ip -w /var/tmp/traffic_from_client.pcap

Replacing client-ip with IP of failing client.

ex. from bash

tcpdump -ni 0.0:nnnp -s 0 host -w /var/tmp/traffic_from_client.pcap

Note, with the “-p” flag, you can narrow down by all traffic to that VIP as well if you put

tcpdump -ni 0.0:nnnp -s 0 host <vip-ip> and port <vip-port> -w /var/tmp/traffic_to_vip.pcap


tcpdump -ni 0.0:nnnp -s 0 host and port 443 -w /var/tmp/traffic_to_vip.pcap

Now reproduce Issue with Failing Client:

After reproduction completes, type Ctl-C to stop the packet capture.

Note: Above capture takes advantage of new tcpdump flag “-p” that captures peer sides of the connection which is useful when traffic is snatted on the serverside. It requires a little workaround to reset/clear the filter internally ( running a different capture without the -p flag that won’t match original filter )

tcpdump -ni 0.0:nnn -s 0 port 1

Type Ctl -C to stop the capture immediately after it started.

Voila! No more capturing an insane amount of traffic for that needle in a haystack on the serverside!

The ugly way how we had to do it before:

SOL11555: Gathering data in preparation for a traffic impacting change to the BIG-IP system



Was this article helpful?

Related Articles

Leave A Comment?

You must be logged in to post a comment.