Forum Discussion

Doris_Ramirez_2
May 16, 2011

Capture TCP Reset with iRule?

Hi, can you help me?

I need to capture in LTM v10 all TCP requests, TCP Resets and TCP Establishments that are generated by Clients... the same information that I see with a tcpdump, but I need to capture the log all the time.

Is it necessary to develop an iRule?

I appreciate your help

Thanks

10 Replies

  • Hi Doris,

    It's not currently possible to access the TCP flags from an iRule. You could log when a TCP connection from a client to a virtual server is established, from the CLIENT_ACCEPTED event:

    when CLIENT_ACCEPTED {
        # Log locally or remotely that a connection was established
        # http://devcentral.f5.com/wiki/default.aspx/iRules/log
        log local0. "[IP::client_addr]:[TCP::client_port]: Connection to [IP::local_addr]:[TCP::local_port] on [virtual name]"
    }

    You can read the options from the TCP headers, but this doesn't include the TCP flags that you're looking for.

    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086447/Accessing-TCP-Options-from-iRules.aspx

    Aaron
  • Thanks for your answer, with this iRule is it possible to capture all IP addresses that request a connection or only a specific one... and is it possible to capture the disconnection too?

    And is there another way to capture the same that I see through tcpdump?

    Thank You
  • That iRule would log the client IP:port and virtual server IP:port on any connection that was successfully established. If you wanted to log this info for connection closes as well, you could use the CLIENT_CLOSED event. These are the only options that iRules support for your scenario.

    Can you clarify what you're trying to do with this information? Is this for testing or production use?

    Aaron
  • The objective is to see if the client closed the connection or if the server closed the connection; basically it is to know who generated the disconnection.

    It is a production environment, but maybe it's possible to do it in a testing environment.

    Regards
  • That won't be exactly possible with an iRule. You could try to track whether the clientside or serverside connection was closed first but that still won't tell you who sent a FIN or RST first.

    What's your overall goal for this scenario? I think tcpdump might be a more appropriate tool.

    Aaron
  • ok,

    Yes, actually I need the same information that I see with the tcpdump command, but I need to capture all connections and send them to a remote log server?... is it possible?

    Thanks
  • I don't know of a simple way to get a tcpdump sent in syslog format. But you could run the tcpdump from a remote host and get the output on the remote host:

    sol1700: Saving large tcpdump packet traces when disk space is limited

    http://support.f5.com/kb/en-us/solutions/public/1000/700/sol1700.html?sr=14495642

    Perform the tcpdump remotely through SSH

    To use SSH to save the tcpdump remotely to the client's memory file, perform the following steps:

    1. Connect to the client system using SSH.

    2. Type the following command syntax:

    ssh <user>@<host> 'eval $(which tcpdump) -c<count> -s0 -w- -i interface' > <filename>

    Where:

    * <user> is specified as the user on the remote system.

    * <host> is the hostname or IP address of the BIG-IP or 3-DNS.

    * <count> is the number of packets you wish to capture.

    * <filename> is the name you want used for the tcpdump binary file.

    For example:

    ssh root@bigip1.askf5.com 'eval $(which tcpdump) -c10000 -s0 -w- -i internal' >mytcpdump.bin

    This command is executed on the BIG-IP or 3-DNS system, but writes the mytcpdump.bin output file to the client system.

    Important: The tcpdump output is buffered. If you issue CTRL-C on the system from which you are running the commands, it will terminate SSH, not the remote tcpdump. This will result in an incomplete or useless tcpdump collection; therefore, it is important to wait for the tcpdump process to complete collecting the specified number of packets.

    Aaron
  • Hi Aaron...

    I reviewed your last suggestion but I can see that this command is limited to a specific number of packets to capture... I need all the logs of the connections and disconnections crossing the BIG-IP.

    Is it possible to do it through the tcpdump command?.. or any alternative suggestion?

    I am trying to obtain an example of the log that I would like to obtain.... as soon as possible, I will share it with you.

    Thank You

    Regards
  • The last suggestion allows you to run tcpdump with any switches you want. The specific example captures 10,000 packets, but you could remove that flag to continuously capture. You can also customize the filters to only capture specific TCP flags like SYN or FIN or RST.

    Aaron
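The flag-filtered, continuous capture Aaron describes in his last two replies, carried one step toward Doris's goal of seeing which side sent the reset: an added shell example, not code from the thread or from F5, that parses tcpdump's text output (a constructed sample, not a real capture) and labels each SYN, FIN or RST by sender. VIP_ADDR, the interface and the SSH target are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or F5: turn tcpdump's text output for a
# virtual server into one log line per SYN / FIN / RST, naming which side sent it.
# Assumptions (placeholders): VIP_ADDR is the virtual server address, and tcpdump
# ran with "-l -nn" (line-buffered, numeric) on the client-side VLAN, IPv4 only.

VIP_ADDR="${VIP_ADDR:-10.0.0.10}"   # placeholder VIP; override from the environment

# Capture filter for the flags named in the thread's last reply: only segments with
# SYN, FIN or RST set (tcp[tcpflags] is the flags byte; names from the tcpdump manual).
TCP_FLAGS_FILTER='tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'

# Classify one tcpdump line. Prints "<ts> <event> from <side> <src> -> <dst>" for
# SYN, SYN-ACK, FIN or RST; prints nothing for other segments (e.g. plain data).
classify_line() {
  printf '%s\n' "$1" | awk -v vip="$VIP_ADDR" '
    # Field layout: $1 timestamp, $2 "IP", $3 src, $4 ">", $5 "dst:", $6 "Flags", $7 "[..],"
    $2 == "IP" && $6 == "Flags" {
      src = $3; sub(/\.[0-9]+$/, "", src)              # drop the port: a.b.c.d.p -> a.b.c.d
      dst = $5; sub(/:$/, "", dst)                     # drop the trailing colon
      flags = $7; gsub(/[][,]/, "", flags)             # "[R.]," -> "R."
      side = (src == vip) ? "virtual-server" : "client"
      ev = ""
      if (index(flags, "R"))      ev = "RST"
      else if (index(flags, "F")) ev = "FIN"
      else if (index(flags, "S")) ev = (index(flags, ".") ? "SYN-ACK" : "SYN")
      if (ev != "") printf "%s %s from %s %s -> %s\n", $1, ev, side, $3, dst
    }'
}

# Classify a whole capture read from stdin, one tcpdump line per input line.
classify_capture() {
  while IFS= read -r line; do classify_line "$line"; done
}

# Constructed sample in tcpdump -nn text format (not a real capture): a client
# handshake, a data segment, a reset sent by the virtual server, and a client FIN.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.0.2.1.51000 > 10.0.0.10.80: Flags [S], seq 100, win 65535, length 0
12:00:01.000002 IP 10.0.0.10.80 > 192.0.2.1.51000: Flags [S.], seq 200, ack 101, win 65535, length 0
12:00:01.000003 IP 192.0.2.1.51000 > 10.0.0.10.80: Flags [P.], seq 101:200, ack 201, win 65535, length 99
12:00:05.000004 IP 10.0.0.10.80 > 192.0.2.1.51000: Flags [R.], seq 201, ack 200, win 0, length 0
12:00:06.000005 IP 192.0.2.2.51001 > 10.0.0.10.80: Flags [F.], seq 300, ack 400, win 65535, length 0'

# Live use (continuous, no -c), with placeholders replaced; the host's own syslog forwarding
# then carries the lines to the remote log server:
#   ssh <user>@<bigip> "tcpdump -l -nn -i <vlan> '$TCP_FLAGS_FILTER'" | classify_capture | logger -t tcpflags
printf '%s\n' "$SAMPLE_CAPTURE" | classify_capture
```

On a server-side VLAN capture the BIG-IP appears with its self or SNAT address rather than the VIP, so VIP_ADDR would be set to that address to label the sides correctly.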