F5 DUMP‎ > ‎

F5 LTM commands cheat sheet

posted 17 Mar 2016, 12:21 by DR Labs   [ updated 16 Sep 2016, 02:38 by Donald Ross ]

tcpdump -i internal
tcpdump -i 1.2  
tcpdump -i eth0  
tcpdump -i eth0 -nn
tcpdump -i 1.1   
tcpdump -i 0.0 -w /var/tmp/New-TCPDMP.pcap     
tcpdump -i 0.0 -w /var/tmp/New-TCPDMP.pcap -s0
cd /var/tmp
tcpdump -i 0.0 -s0 arp -nn    
tcpdump -i 0.0:p host  
tcpdump -i 0.0:p host -nn    
tcpdump -i 0.0:p host and not tcp port 22 -nn   
tcpdump -i 0.0:p host and not tcp port 443    

Show Configuration

tmsh show running-config /ltm

tmsh list ltm

tmsh list /ltm virtual all-properties
tmsh list /ltm virtual PiServer

tmsh list /ltm pool all-properties
tmsh list /ltm pool HTTP-WEB-123
tmsh list /ltm pool HTTP-WEB-123 all-properties

tmsh list /ltm node all-properties

show sys self-ip

tail -f /var/log/ltm/


tcpdump -s0 -nn -i 0.0 -vvv -l -x host x.x.x.x and port yyy -w /tmp/outfile.cap

tcpdump -vvv -s 0 -nni internal -w /var/tmp/www-ssl-server.cap host and net and port 8080

The traffic matching the specified filter is saved to the indicated capture file.

The options used are:

-vvv Maximum verbosity

-s Snaplength (0 captures full packets)

-nn Do not resolve host or service names

-i Interface - can be ifname or vlan name

-w Write output to file

Useful to do

one on client side (filter on source IP)

one on server side (filter on backend server IP)

Then run ssl against capture file

ssldump –Anr outfile.cap

More info here

·         https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html


Compare ssldump output with

·         https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15292.html


This tcpdump uses the –p flag to capture “peer” flows when traffic is snatted on the serverside. This means you can see the traffic from a host coming in to the F5 and going out to the load balanced destination on a single capture.

tcpdump –vni 0.0:nnnp –s 0 –w /tmp/capture.pcap host x.x.x.x

Traffic matching the query is saved to the capture file after the –w.The –v enables you to see how many packets are being captured and the –w sends the output to a file.


Testing a Virtual server on a F5

It may sound obvious but an f5 can be used to loop back on itself to test if the virtual server is working. A simple test would be telnet. This can be run from the live F5, the bellow command is to run this test when running multiple route domains on a f5

rdexec <routing instance number> telnet <serverIP> <port number>

example bellow for routing instance 2 server over port 443

rdexec 2 telnet 443

taking this one step further to check if the SSL handshake is working and that there is a certificate being offered, a test can be sent to the virtual server to check that there is termination or pass through. Then if that fails from the F5 to the back end server in question. This can be used in conjunction with TCP DUMP and SSL DUMP to nail the issue. The command bellow will again use route domain 2 and will display the certificate that is handed out by the server.

rdexec 2 oppenssl s_client –showcerts – connect

Donald Ross,
16 Sep 2016, 01:36
Donald Ross,
16 Sep 2016, 01:36