F5 BIG-IP Packet Capture (tcpdump)

f5 bigip command pcap

Guide for running tcpdump packet captures on F5 BIG-IP from the CLI.


Getting to Bash

F5 tcpdump runs from the bash shell, not from tmsh.

From SSH (default shell is tmsh)

bash

If your default shell is already bash, you’re set. To check:

echo $SHELL

From tmsh

run /util bash

Return to tmsh When Done

tmsh
# or simply
exit

On most BIG-IP systems the default SSH shell is tmsh. Just type bash at the tmsh prompt.


Basic tcpdump Syntax

tcpdump -i <interface> <filter> -w /var/tmp/capture.pcap

Key Interfaces

InterfaceDescription
0.0All VLANs and interfaces (most common for troubleshooting)
<vlan-name>Specific VLAN (e.g., external, internal)
mgmtManagement interface only

0.0 is the F5 equivalent of “capture everything” — it includes both client-side and server-side traffic.


Common Capture Examples

Capture all traffic for a specific host

tcpdump -i 0.0 host 10.1.1.100 -w /var/tmp/capture.pcap

Capture between client and VIP + VIP and pool member

tcpdump -i 0.0 host 10.1.1.100 or host 10.2.2.50 -w /var/tmp/capture.pcap

Capture specific port

tcpdump -i 0.0 host 10.1.1.100 and port 443 -w /var/tmp/capture.pcap

Capture on a specific VLAN

tcpdump -i external host 10.1.1.100 -w /var/tmp/capture.pcap

Capture ICMP only

tcpdump -i 0.0 icmp and host 10.1.1.100 -w /var/tmp/capture.pcap

Capture with packet count limit

tcpdump -i 0.0 host 10.1.1.100 -c 1000 -w /var/tmp/capture.pcap

Capture with snap length (full packet)

tcpdump -i 0.0 -s 0 host 10.1.1.100 -w /var/tmp/capture.pcap

F5-Specific Flags

FlagDescription
-i 0.0All interfaces / VLANs
-s 0Capture full packet (no truncation)
-w <file>Write to pcap file
-c <count>Stop after N packets
-v / -vvVerbose output (live to screen)
-nnDon’t resolve hostnames or ports
-eShow link-layer headers (useful for VLAN tags)

Viewing Client-Side vs Server-Side

F5 sits in the middle, so you’ll see two conversations in a capture on 0.0:

  1. Client-side: Client > VIP (virtual server IP)
  2. Server-side: F5 self-IP (or SNAT) > Pool member

To isolate each side:

# Client-side only
tcpdump -i external host 10.1.1.100 -w /var/tmp/client-side.pcap
 
# Server-side only
tcpdump -i internal host 10.2.2.50 -w /var/tmp/server-side.pcap

SSL Captures

For SSL/TLS traffic, the pcap will be encrypted. Options:

Option 1 - Capture with an iRule (decrypt in Wireshark)

Add a logging iRule to extract the TLS pre-master secret, then use it in Wireshark to decrypt. See F5 K10209 for details.

Option 2 - Capture on server-side (if SSL offload)

If F5 terminates SSL, server-side traffic is cleartext:

tcpdump -i internal host <pool-member-ip> and port 80 -w /var/tmp/serverside.pcap

Stopping and Exporting

Stop the capture

Press Ctrl+C or wait for -c packet limit.

Check file size

ls -lh /var/tmp/capture.pcap

Export via SCP

scp /var/tmp/capture.pcap user@workstation:/path/

Export via the GUI

System > File Management > Diagnostic Files > Download

Or use tmsh to copy to a downloadable location:

tmsh run /util unix-mv /var/tmp/capture.pcap /shared/tmp/capture.pcap

Then download from: https://<mgmt-ip>/shared/tmp/capture.pcap

Clean up

rm /var/tmp/capture.pcap

Tips

  • Always write to /var/tmp/ — it has the most free space
  • Use -s 0 to get full packets; default snap length may truncate
  • On busy systems keep captures short and filtered tightly to avoid performance impact
  • Use -c to auto-stop after a set number of packets
  • Remember: 0.0 shows both sides of the connection — great for comparing what the client sent vs what the server received
  • Run du -sh /var/tmp/capture.pcap periodically on long captures to monitor file size