Packet Trace Guide

 Download PDF File

Table of Contents


1.1Document Purpose

1.2Intended Audience

2Perform a TCP Dump

2.1.1Perform a TCP Dump via the WUI

2.1.2Perform a TCP Dump via the Console


Document History


One of the easiest ways to view the traffic traversing the KEMP LoadMaster is to perform a TCP dump. This simple command will capture all of the traffic (or just a specified subset) that is being transmitted and received by the LoadMaster. The results can be examined by analysing the .pcap file with Wireshark or another packet analyzer.

When using the console to perform the TCP dump, an FTP server that can be reached by the LoadMaster is required in order to retrieve the packet capture files.

1.1Document Purpose

The purpose of this document is to educate the reader on how to perform a TCP dump in the KEMP LoadMaster.

1.2Intended Audience

This document is intended to be read by anyone who is interested in finding out how to perform a TCP dump in the LoadMaster.

2Perform a TCP Dump

There are two ways to perform a TCP dump in the LoadMaster – via the Web User Interface (WUI), or via the console. Refer to the relevant section below for steps.

2.1.1Perform a TCP Dump via the WUI

To perform a TCP dump via the WUI, follow the steps below:

  1. In the main menu, select System Configuration > Logging Options > System Log Files.

Figure 2‑1: Debug Options

  1. Click Debug Options.

Figure 2‑2: TCP dump

  1. A TCP dump can be captured either by one or all Ethernet ports. In the TCP dump section at the bottom of the screen, select the relevant Interface to run the TCP dump on, or select All.
  2. Optionally enter the IP Addressand the Port to be monitored.
  3. Enter any optional parameters as required in the Options text box.

The maximum number of characters permitted in the Options field is 255.

  1. Click Start.
  2. Make access from the client to the Virtual Server.
  3. When appropriate, click Stop.
  4. Click Download.
  5. This downloads the results of the TCP dump in a .pcap file. This file can be analysed using a packet trace tool such as Wireshark.

2.1.2Perform a TCP Dump via the Console

To perform a TCP dump via the console, follow the steps below:

  1. Log in to the console.

Figure 2‑3: Utilities

  1. Select Utilities.

Figure 2‑4: Diagnostics

  1. Select Diagnostics.

Figure 2‑5: Diagnostic Shell

  1. Select Diagnostic Shell.
  2. Enter the relevant commands at the % prompt, for example:

tcpdump –s 1500 –c 10000 –i eth0 –w eth0.pcap FILTER0 &

If performing a TCP dump on a two-armed device, ensure to enter the ampersand (&) at the end of the command and also use the command below.

tcpdump –s 1500 –c 10000 –i eth1 –w eth1.pcap FILTER1

  1. Please select the appropriate filter for FILTER0 and FILTER1:


Port 1234

Host and port 1234

For example, a complete TCP dump command might look like this:

tcpdump –s 1500 –c 10000 –i eth0 –w eth0.pcap host and port 80

This will capture all traffic to or from IP with a source or destination port of 80.

As the example command above is set to quit after 10,000 packets, the capture may need to be restarted if the situation in question does not occur within the first 10,000 packets captured, i.e. in the case of heavy load.

  1. Make access from the client to the Virtual Server to produce the error.
  2. Return to the diagnostic shell.
  3. Stop the packet capture by holding Ctrl on the keyboard and pressing C.
  4. If running a TCP dump on a two-armed setup, enter the command fg. The second trace will appear. Stop the second packet capture by holding Ctrl on the keyboard and pressing C.
  5. Connect to the FTP server and send the file by entering the command:

ftp <FTP IP address>

  1. Enter credentials (this depends on the FTP server).
  2. Then, enter the following commands:


put eth0.pcap

put eth1.pcap (if running a packet tract on a two-armed configuration)


  1. It is now possible to retrieve the packet capture files from the FTP server and analyse them in the application of choice, for example Wireshark.
  2. Use the exit command to exit the Diagnostic Shell.

If instructed by a KEMP Support Engineer, you can send them the packet trace file for analysis. Before sending the packet capture, please open it using a relevant tool, for example Wireshark, to ensure both the quality of the data and the integrity of the file.

Please keep in mind any security implications of sending the packet capture. during FTP Transfer

Figure 2‑6: Error

If an error occurs which notifies of a damaged or corrupt file, it is likely that the file was not transferred in binary mode. Repeat Step 13 in Section 2.1.2 and ensure to issue the binary command before transferring.


Unless otherwise specified, the following documents can be found at

Web User Interface (WUI), Configuration Guide

Document History



Reason for Change



Apr 2014

Initial draft

First draft of document



Feb 2015

Minor update

Enhancement made



Was this article helpful?

0 out of 0 found this helpful