Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Performing a TCPDump

Often when troubleshooting an issue, running a TCPdump can be an invaluable form of diagnostic data. A recording of local traffic can help shed light on the connectivity issue which is occurring. Within the LoadMaster's Debug Options screen, there is a TCP dump utility which saves the traffic in a .pcap file.

A TCP dump can be performed from the Web User Interface (WUI) or by using console to access the LoadMaster command line.

In the WUI:

  1. Go to System Configuration > Logging Options > System Log Files.
  2. Select Debug Options.
  3. Under TCP dump Interface select the Interface to be monitored.
  4. Enter the IP Address to be monitored (optional).
  5. Enter the Port to be monitored (optional).
  6. Click Start > Reproduce the issue (this is limited to 10,000 packets).
  7. Click Stop.
  8. Click Download to save the TCP dump to a computer.


The LoadMaster's TCPdump utility includes a few common filters, such as Interface, IP Address and Port. By specifying an appropriate filter, the pcap can include the client to LoadMaster connectivity as well as the LoadMaster to server connection. Enter the Virtual Service's IP address as a filter for non-transparent Virtual Services. The client's IP address is a useful filter for transparent services. A port-based filter can also be used to narrow down the traffic that is recorded.

For further information, refer to

There is a textbox called Options, where other TCPdump filters can be entered. Some additional common filters which can be helpful are listed below:

  • vrrp - Filters for HA multicasts
  • icmp - Filters for ICMP pings
  • -c - Count - changes the maximum total packets recorded
  • -s - Size - changes the maximum bytes per packet

The LoadMaster's TCPdump utility will capture the first 10,000 packets with the default settings. The memory dedicated to saving a pcap file is 30MB. When listening on two interfaces, each interface will be able to record up to 15MB of traffic.  

If the logging of packets beyond 10,000 is required - it is possible to specify to record only the first n number of bytes of each packet. Therefore, the maximum packet count (-c) can also be increased.

In the console, a TCP dump can be performed by navigating to the following path:

  1. Type 7 – Utilities
  2. Type 9 – Diagnostics
  3. Type 9 - Diagnostic Shell


Then, at the % prompt type tcpdump.


Here are some options can be used while doing a TCP dump via xroot. 

i.e. "tcpdump -i eth0 'host and port 80'" would capture on eth0 for the IP over port 80.

More options can be found at



Was this article helpful?
1 out of 2 found this helpful