F5 BIG-IP Packet Capture (tcpdump)
Guide for running tcpdump packet captures on F5 BIG-IP from the CLI.
Getting to Bash
F5 tcpdump runs from the bash shell, not from tmsh.
From SSH (default shell is tmsh)
bash
If your default shell is already bash, you’re set. To check:
echo $SHELL
From tmsh
run /util bash
Return to tmsh When Done
tmsh
# or simply
exit
On most BIG-IP systems the default SSH shell is tmsh. Just type
bashat the tmsh prompt.
Basic tcpdump Syntax
tcpdump -i <interface> <filter> -w /var/tmp/capture.pcapKey Interfaces
| Interface | Description |
|---|---|
0.0 | All VLANs and interfaces (most common for troubleshooting) |
<vlan-name> | Specific VLAN (e.g., external, internal) |
mgmt | Management interface only |
0.0is the F5 equivalent of “capture everything” — it includes both client-side and server-side traffic.
Common Capture Examples
Capture all traffic for a specific host
tcpdump -i 0.0 host 10.1.1.100 -w /var/tmp/capture.pcapCapture between client and VIP + VIP and pool member
tcpdump -i 0.0 host 10.1.1.100 or host 10.2.2.50 -w /var/tmp/capture.pcapCapture specific port
tcpdump -i 0.0 host 10.1.1.100 and port 443 -w /var/tmp/capture.pcapCapture on a specific VLAN
tcpdump -i external host 10.1.1.100 -w /var/tmp/capture.pcapCapture ICMP only
tcpdump -i 0.0 icmp and host 10.1.1.100 -w /var/tmp/capture.pcapCapture with packet count limit
tcpdump -i 0.0 host 10.1.1.100 -c 1000 -w /var/tmp/capture.pcapCapture with snap length (full packet)
tcpdump -i 0.0 -s 0 host 10.1.1.100 -w /var/tmp/capture.pcapF5-Specific Flags
| Flag | Description |
|---|---|
-i 0.0 | All interfaces / VLANs |
-s 0 | Capture full packet (no truncation) |
-w <file> | Write to pcap file |
-c <count> | Stop after N packets |
-v / -vv | Verbose output (live to screen) |
-nn | Don’t resolve hostnames or ports |
-e | Show link-layer headers (useful for VLAN tags) |
Viewing Client-Side vs Server-Side
F5 sits in the middle, so you’ll see two conversations in a capture on 0.0:
- Client-side: Client ←> VIP (virtual server IP)
- Server-side: F5 self-IP (or SNAT) ←> Pool member
To isolate each side:
# Client-side only
tcpdump -i external host 10.1.1.100 -w /var/tmp/client-side.pcap
# Server-side only
tcpdump -i internal host 10.2.2.50 -w /var/tmp/server-side.pcapSSL Captures
For SSL/TLS traffic, the pcap will be encrypted. Options:
Option 1 - Capture with an iRule (decrypt in Wireshark)
Add a logging iRule to extract the TLS pre-master secret, then use it in Wireshark to decrypt. See F5 K10209 for details.
Option 2 - Capture on server-side (if SSL offload)
If F5 terminates SSL, server-side traffic is cleartext:
tcpdump -i internal host <pool-member-ip> and port 80 -w /var/tmp/serverside.pcapStopping and Exporting
Stop the capture
Press Ctrl+C or wait for -c packet limit.
Check file size
ls -lh /var/tmp/capture.pcapExport via SCP
scp /var/tmp/capture.pcap user@workstation:/path/Export via the GUI
System > File Management > Diagnostic Files > Download
Or use tmsh to copy to a downloadable location:
tmsh run /util unix-mv /var/tmp/capture.pcap /shared/tmp/capture.pcap
Then download from: https://<mgmt-ip>/shared/tmp/capture.pcap
Clean up
rm /var/tmp/capture.pcapTips
- Always write to
/var/tmp/— it has the most free space - Use
-s 0to get full packets; default snap length may truncate - On busy systems keep captures short and filtered tightly to avoid performance impact
- Use
-cto auto-stop after a set number of packets - Remember:
0.0shows both sides of the connection — great for comparing what the client sent vs what the server received - Run
du -sh /var/tmp/capture.pcapperiodically on long captures to monitor file size