Forum Discussion
Best methods to co-relate the client and server side flows
Team, based on a captured pcap where both client and server side conversations have been captured, could you recommend the best ways to correlate which client side TCP stream for example relates with the TCP stream client side. I am aware of the flow ID and peer ID usage when using F5Trailer and -nnn but have found on some occasions that the relation is incorrect (e.g. F5 sends RST to Client claiming RST on remote server but server side connection was properly closed), even F5 TAC has mentioned that -p also gives wrong result sometimes. So I am looking for definite ways without replying heavily on the F5 Eth trailers, at present I am filtering using one serverside stream and then going forward on the stream +1 and so on till I see some matching like RST occurring on both Client and Server end on wireshark
eg. tcp.stream == 10 or tcp.stream == 12
- PS_332920Nimbostratus
Using the Flow ID shows RST going from F5 to Client (due to RST on remote server as reason) but nothing on server side suggesting RST on that end
- PS_332920Nimbostratus
Now same capture when going through different streams, stream 12 and 15 related better where you can see the RST server side before client side. Also the client side uses IPv6 and server side IPv4
- Simon_BlakelyEmployee
Your flowid filter example will not match a client flow to a server flow.
You need to match the client-side peerid to the server-side flowid (or vice-versa).
Use f5ethtrailer.anyflowid to match on either flowid and peerid values, so for a flow you get to see both sides of the conversation. You will also see the flow-reuse mentioned above, but you can usually see where the flows are very different.
Of course, if flow reuse is in play (i.e OneConnect), you may only see part of the server-side flow, where the required client-side flow is attached.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com