bigip tcpdump

Capture inbound and outbound from an interface


[root@bigip1:Active:In Sync] config # tcpdump -nni 1.1

This captures both directions on interface 1.1. The -nn flags turn off hostname and port-name resolution, so addresses and ports are printed as numbers and the device makes no DNS lookups while capturing. The interface argument can also be a VLAN name, or 0.0 to capture on all interfaces.

Capture inbound and outbound and filter by address and port


[root@bigip1:Active:In Sync] config # tcpdump host 172.16.5.254 and port 80 -nnvvi 1.1

This keeps only packets to or from host 172.16.5.254 on port 80, in either direction. The -vv flags make the per-packet output more verbose (TTL, IP ID, checksum status and so on). tcpdump accepts the options after the filter expression, as written here, but putting them first (tcpdump -nnvvi 1.1 host 172.16.5.254 and port 80) leaves no doubt where the filter ends.

Capture outbound and filter by ip address and port


[root@bigip1:Active:In Sync] config # tcpdump src host 172.16.5.254 and dst port 80 -nnvvi 1.1 -w /var/tmp/vmnet5.cap

This writes the raw packets to /var/tmp/vmnet5.cap and keeps only traffic from 172.16.5.254 to destination port 80, so this is one direction only: the replies from port 80 back to that host are not captured. With -w nothing is decoded on screen; the -vv flags change only what tcpdump prints, not what is written to the file. The file holds complete packet contents (the session cookie in the sample below included), so treat it as sensitive, copy it off with scp or similar, and delete it from /var/tmp when finished.

Read the vmnet5.cap


[root@bigip1:Active:In Sync] config # tcpdump -r /var/tmp/vmnet5.cap -X

-X prints each packet's contents in both hex and ASCII (-x would give hex only), which is what makes the HTTP request readable.

A sample packet looks like this:

20:35:13.406570 IP 172.16.5.254.47300 > 172.16.3.254.http: Flags [P.], seq 0:435, ack 1, win 229, options [nop,nop,TS val 29089249 ecr 11663189], length 435 in slot1/tmm0 lis=/Common/dvwa
0x0000: 0005 0800 4500 01e7 f16e 4000 4006 e585 ....E....n@.@...
0x0010: ac10 05fe ac10 03fe b8c4 0050 4607 2c8d ...........PF.,.
0x0020: e307 7839 8018 00e5 cc72 0000 0101 080a ..x9.....r......
0x0030: 01bb dde1 00b1 f755 4745 5420 2f64 7677 .......UGET./dvw
0x0040: 612f 696e 7374 7275 6374 696f 6e73 2e70 a/instructions.p
0x0050: 6870 2048 5454 502f 312e 310d 0a48 6f73 hp.HTTP/1.1..Hos
0x0060: 743a 2031 3732 2e31 362e 332e 3235 340d t:.172.16.3.254.
0x0070: 0a55 7365 722d 4167 656e 743a 204d 6f7a .User-Agent:.Moz
0x0080: 696c 6c61 2f35 2e30 2028 5831 313b 2055 illa/5.0.(X11;.U
0x0090: 6275 6e74 753b 204c 696e 7578 2078 3836 buntu;.Linux.x86
0x00a0: 5f36 343b 2072 763a 3436 2e30 2920 4765 _64;.rv:46.0).Ge
0x00b0: 636b 6f2f 3230 3130 3031 3031 2046 6972 cko/20100101.Fir
0x00c0: 6566 6f78 2f34 362e 300d 0a41 6363 6570 efox/46.0..Accep
0x00d0: 743a 2074 6578 742f 6874 6d6c 2c61 7070 t:.text/html,app
0x00e0: 6c69 6361 7469 6f6e 2f78 6874 6d6c 2b78 lication/xhtml+x
0x00f0: 6d6c 2c61 7070 6c69 6361 7469 6f6e 2f78 ml,application/x
0x0100: 6d6c 3b71 3d30 2e39 2c2a 2f2a 3b71 3d30 ml;q=0.9,*/*;q=0
0x0110: 2e38 0d0a 4163 6365 7074 2d4c 616e 6775 .8..Accept-Langu
0x0120: 6167 653a 2065 6e2d 5553 2c65 6e3b 713d age:.en-US,en;q=
0x0130: 302e 350d 0a41 6363 6570 742d 456e 636f 0.5..Accept-Enco
0x0140: 6469 6e67 3a20 677a 6970 2c20 6465 666c ding:.gzip,.defl
0x0150: 6174 650d 0a52 6566 6572 6572 3a20 6874 ate..Referer:.ht
0x0160: 7470 3a2f 2f31 3732 2e31 362e 332e 3235 tp://172.16.3.25
0x0170: 342f 6476 7761 2f76 756c 6e65 7261 6269 4/dvwa/vulnerabi
0x0180: 6c69 7469 6573 2f65 7865 632f 0d0a 436f lities/exec/..Co
0x0190: 6f6b 6965 3a20 7365 6375 7269 7479 3d69 okie:.security=i
0x01a0: 6d70 6f73 7369 626c 653b 2050 4850 5345 mpossible;.PHPSE
0x01b0: 5353 4944 3d33 7270 376a 3468 3866 3665 SSID=3rp7j4h8f6e
0x01c0: 6872 6c6c 3262 6831 646e 6f73 706c 300d hrll2bh1dnospl0.
0x01d0: 0a43 6f6e 6e65 6374 696f 6e3a 206b 6565 .Connection:.kee
0x01e0: 702d 616c 6976 650d 0a0d 0a01 1101 0100 p-alive.........
0x01f0: 000c 2f43 6f6d 6d6f 6e2f 6476 7761 ../Common/dvwa
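Two things in that dump are easy to misread. The "in slot1/tmm0 lis=/Common/dvwa" annotation on the summary line is added by the BIG-IP version of tcpdump, and so are the bytes after the end of the IP packet: the IP total length is 0x01e7 (487), the IP header starts at offset 4, so everything from offset 0x01eb on (01 11 01 01 00 00 0c "/Common/dvwa") is a BIG-IP trailer naming the listener (virtual server), not part of what the client sent. The following Python is an added example, not code from the original post or from F5, that turns `tcpdump -X` text back into bytes, finds the IPv4 and TCP headers, decodes the HTTP request line and headers, and splits off that trailer. Its sample input is the page's own dump embedded as a string. The 4-byte link-level prefix and the trailer layout are read off this one sample, and taking the first "/" in the trailer as the start of the listener name is a heuristic, not a documented format.

```python
import re
import socket
import struct

# Sample input, copied from the page: the packet `tcpdump -r /var/tmp/vmnet5.cap -X` printed above.
SAMPLE_DUMP = """\
20:35:13.406570 IP 172.16.5.254.47300 > 172.16.3.254.http: Flags [P.], seq 0:435, ack 1, win 229, options [nop,nop,TS val 29089249 ecr 11663189], length 435 in slot1/tmm0 lis=/Common/dvwa
0x0000: 0005 0800 4500 01e7 f16e 4000 4006 e585 ....E....n@.@...
0x0010: ac10 05fe ac10 03fe b8c4 0050 4607 2c8d ...........PF.,.
0x0020: e307 7839 8018 00e5 cc72 0000 0101 080a ..x9.....r......
0x0030: 01bb dde1 00b1 f755 4745 5420 2f64 7677 .......UGET./dvw
0x0040: 612f 696e 7374 7275 6374 696f 6e73 2e70 a/instructions.p
0x0050: 6870 2048 5454 502f 312e 310d 0a48 6f73 hp.HTTP/1.1..Hos
0x0060: 743a 2031 3732 2e31 362e 332e 3235 340d t:.172.16.3.254.
0x0070: 0a55 7365 722d 4167 656e 743a 204d 6f7a .User-Agent:.Moz
0x0080: 696c 6c61 2f35 2e30 2028 5831 313b 2055 illa/5.0.(X11;.U
0x0090: 6275 6e74 753b 204c 696e 7578 2078 3836 buntu;.Linux.x86
0x00a0: 5f36 343b 2072 763a 3436 2e30 2920 4765 _64;.rv:46.0).Ge
0x00b0: 636b 6f2f 3230 3130 3031 3031 2046 6972 cko/20100101.Fir
0x00c0: 6566 6f78 2f34 362e 300d 0a41 6363 6570 efox/46.0..Accep
0x00d0: 743a 2074 6578 742f 6874 6d6c 2c61 7070 t:.text/html,app
0x00e0: 6c69 6361 7469 6f6e 2f78 6874 6d6c 2b78 lication/xhtml+x
0x00f0: 6d6c 2c61 7070 6c69 6361 7469 6f6e 2f78 ml,application/x
0x0100: 6d6c 3b71 3d30 2e39 2c2a 2f2a 3b71 3d30 ml;q=0.9,*/*;q=0
0x0110: 2e38 0d0a 4163 6365 7074 2d4c 616e 6775 .8..Accept-Langu
0x0120: 6167 653a 2065 6e2d 5553 2c65 6e3b 713d age:.en-US,en;q=
0x0130: 302e 350d 0a41 6363 6570 742d 456e 636f 0.5..Accept-Enco
0x0140: 6469 6e67 3a20 677a 6970 2c20 6465 666c ding:.gzip,.defl
0x0150: 6174 650d 0a52 6566 6572 6572 3a20 6874 ate..Referer:.ht
0x0160: 7470 3a2f 2f31 3732 2e31 362e 332e 3235 tp://172.16.3.25
0x0170: 342f 6476 7761 2f76 756c 6e65 7261 6269 4/dvwa/vulnerabi
0x0180: 6c69 7469 6573 2f65 7865 632f 0d0a 436f lities/exec/..Co
0x0190: 6f6b 6965 3a20 7365 6375 7269 7479 3d69 okie:.security=i
0x01a0: 6d70 6f73 7369 626c 653b 2050 4850 5345 mpossible;.PHPSE
0x01b0: 5353 4944 3d33 7270 376a 3468 3866 3665 SSID=3rp7j4h8f6e
0x01c0: 6872 6c6c 3262 6831 646e 6f73 706c 300d hrll2bh1dnospl0.
0x01d0: 0a43 6f6e 6e65 6374 696f 6e3a 206b 6565 .Connection:.kee
0x01e0: 702d 616c 6976 650d 0a0d 0a01 1101 0100 p-alive.........
0x01f0: 000c 2f43 6f6d 6d6f 6e2f 6476 7761 ../Common/dvwa
"""

HEX_GROUP = re.compile(r"^(?:[0-9a-f]{4}|[0-9a-f]{2})$")  # one 16-bit (or final 8-bit) group
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie")


def parse_hexdump(text):
    """tcpdump -X lines (offset, up to 8 hex groups, ASCII column) -> packet bytes."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].startswith("0x"):
            continue  # summary line or other non-dump text
        if int(tokens[0].rstrip(":"), 16) != len(out):
            raise ValueError("gap or overlap in dump at " + tokens[0])
        groups = []
        for tok in tokens[1:]:
            if len(groups) == 8 or not HEX_GROUP.match(tok):
                break  # the rest of the line is the ASCII column
            groups.append(tok)
        out += bytes.fromhex("".join(groups))
    return bytes(out)


def find_ipv4(pkt):
    """Offset of the IPv4 header. The BIG-IP dump above has a 4-byte link-level prefix
    (0005 0800) instead of a 14-byte Ethernet header, so instead of assuming a fixed
    length, scan for a version/IHL byte whose total length fits the data (heuristic)."""
    for i in range(min(32, len(pkt) - 20)):
        if pkt[i] >> 4 == 4 and (pkt[i] & 0x0F) >= 5:
            total = struct.unpack_from("!H", pkt, i + 2)[0]
            if 20 <= total <= len(pkt) - i:
                return i
    raise ValueError("no IPv4 header found")


def decode_http_packet(dump):
    """Addresses, HTTP request line/headers and BIG-IP trailer of one TCP packet."""
    pkt = parse_hexdump(dump)
    ip = find_ipv4(pkt)
    total_len = struct.unpack_from("!H", pkt, ip + 2)[0]
    if pkt[ip + 9] != 6:
        raise ValueError("not TCP (protocol %d)" % pkt[ip + 9])
    tcp = ip + (pkt[ip] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", pkt, tcp)
    payload = pkt[tcp + (pkt[tcp + 12] >> 4) * 4:ip + total_len]
    # Bytes past the IP total length are not the client's packet: on BIG-IP they are
    # the per-packet trailer behind "in slot1/tmm0 lis=/Common/dvwa", and the listener
    # (virtual server) name is readable inside it (first "/" onward: heuristic).
    trailer = pkt[ip + total_len:]
    listener = trailer[trailer.index(b"/"):].decode("ascii", "replace") if b"/" in trailer else ""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for field in lines[1:]:
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "src": socket.inet_ntoa(pkt[ip + 12:ip + 16]), "sport": sport,
        "dst": socket.inet_ntoa(pkt[ip + 16:ip + 20]), "dport": dport,
        "request_line": lines[0], "headers": headers, "body_len": len(body),
        "payload_len": len(payload), "listener": listener, "trailer_len": len(trailer),
    }


def sensitive_headers(headers):
    """Credential-bearing headers present: the reason the .cap file itself is sensitive."""
    return [h for h in SENSITIVE_HEADERS if h in headers]
```

Running decode_http_packet(SAMPLE_DUMP) gives 172.16.5.254:47300 -> 172.16.3.254:80, "GET /dvwa/instructions.php HTTP/1.1", a 435-byte payload with eight headers and no body, and the 19-byte trailer with listener "/Common/dvwa"; sensitive_headers() flags the Cookie header carrying the PHPSESSID. The offset check in parse_hexdump catches a dump that was pasted with lines missing, and the payload is cut at the IP total length, so the trailer never leaks into the HTTP headers.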

Posted in F5, General stuffs, Security.