Forum Discussion
goldberg_33306
Nimbostratus
Oct 10, 2012Basic TCPDUMP Question
When I capture traffic on the "internal" and "external" interfaces, why do I see the same syn from the client on both interfaces? I know this is a basic feature within F5 LTM, but just looking for a technical explanation.
Thanks
5 Replies
Sort By
- nitass
Employee
have you seen this one? - goldberg_33306
Nimbostratus
Thanks for the link. It does explain a few things but for a standard virtual server, I don't see the syn (from the client) being re-used on the server end. Here is an example: - nitass
Employee
this is mine. tcpdump line (1) is client-side's sync and line (4) is server-side one.[root@ve10:Active] config b virtual bar list virtual bar { pool foo destination 172.28.19.79:80 ip protocol 6 } [root@ve10:Active] config b pool foo list pool foo { members 200.200.200.101:80 {} } [root@ve10:Active] config tcpdump -nni 0.0 port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes (1) 21:49:14.666797 IP 172.28.19.251.42625 > 172.28.19.79.80: S 4154211562:4154211562(0) win 5840 (2) 21:49:14.666837 IP 172.28.19.79.80 > 172.28.19.251.42625: S 335438378:335438378(0) ack 4154211563 win 4380 (3) 21:49:14.667754 IP 172.28.19.251.42625 > 172.28.19.79.80: . ack 1 win 46 (4) 21:49:14.667789 IP 172.28.19.251.42625 > 200.200.200.101.80: S 2841681353:2841681353(0) win 4380 (5) 21:49:14.668755 IP 200.200.200.101.80 > 172.28.19.251.42625: S 240397414:240397414(0) ack 2841681354 win 5792 (6) 21:49:14.668781 IP 172.28.19.251.42625 > 200.200.200.101.80: . ack 1 win 4380
- nitass
Employee
this is fastl4 profile (performance l4 virtual server).[root@ve10:Active] config b virtual bar list virtual bar { pool foo destination 172.28.19.79:80 ip protocol 6 profiles fastL4 {} } [root@ve10:Active] config b pool foo list pool foo { members 200.200.200.101:80 {} } [root@ve10:Active] config tcpdump -nni 0.0 port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes (1) 21:53:21.256902 IP 172.28.19.251.42626 > 172.28.19.79.80: S 4119262028:4119262028(0) win 5840 (2) 21:53:21.256957 IP 172.28.19.251.42626 > 200.200.200.101.80: S 4119262028:4119262028(0) win 5840 (3) 21:53:21.257660 IP 200.200.200.101.80 > 172.28.19.251.42626: S 427681894:427681894(0) ack 4119262029 win 5792 (4) 21:53:21.257675 IP 172.28.19.79.80 > 172.28.19.251.42626: S 427681894:427681894(0) ack 4119262029 win 5792 (5) 21:53:21.258752 IP 172.28.19.251.42626 > 172.28.19.79.80: . ack 1 win 46 (6) 21:53:21.258764 IP 172.28.19.251.42626 > 200.200.200.101.80: . ack 1 win 46
- goldberg_33306
Nimbostratus
Great! Thanks for the info! This clears things up.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects