Forum Discussion
Doris_Ramirez_2
May 16, 2011 Nimbostratus
Capture TCP Reset with iRule?
Hi, can you help me?
I need to capture in LTM v10 all TCP requests, TCP Resets and TCP Establishments that are generated by Clients... the same information that I see with a tcpdump but I need to ca...
hooleylist
May 19, 2011 Cirrostratus
I don't know of a simple way to get a tcpdump sent in syslog format. But you could run the tcpdump from a remote host and get the output on the remote host:
sol1700: Saving large tcpdump packet traces when disk space is limited
http://support.f5.com/kb/en-us/solutions/public/1000/700/sol1700.html?sr=14495642
Perform the tcpdump remotely through SSH
To use SSH to save the tcpdump remotely to the client's memory file, perform the following steps:
1. Connect to the client system using SSH.
2. Type the following command syntax:
ssh <user>@<hostname> 'eval $(which tcpdump) -c<count> -s0 -w- -i interface' ><filename>
Where:
* <user> is specified as the user on the remote system.
* <hostname> is the hostname or IP address of the BIG-IP or 3-DNS.
* <count> is the number of packets you wish to capture.
* <filename> is the name you want used for the tcpdump binary file.
For example:
ssh root@bigip1.askf5.com 'eval $(which tcpdump) -c10000 -s0 -w- -i internal' >mytcpdump.bin
This command is executed on the BIG-IP or 3-DNS system, but writes the mytcpdump.bin output file to the client system.
Important: The tcpdump output is buffered. If you issue CTRL-C on the system from which you are running the commands, it will terminate SSH, not the remote tcpdump. This will result in an incomplete or useless tcpdump collection; therefore, it is important to wait for the tcpdump process to complete collecting the specified number of packets.
Aaron
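To pull the connection requests, establishments and resets the question asks about out of the mytcpdump.bin file that the command above writes, a parser along these lines can be run on the client system. It is an added example, not part of the original posts or the F5 article; it assumes a classic pcap file with Ethernet framing, and the sample capture and its addresses are constructed.

```python
import struct
from collections import Counter
SYN, RST, ACK = 0x02, 0x04, 0x10

def tcp_events(pcap: bytes) -> Counter:
    """Count (source_ip, event) for SYN, SYN-ACK and RST segments in a classic pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    events, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14   # skip an 802.1Q VLAN tag
        if frame[l3 - 2:l3] != b"\x08\x00" or len(frame) < l3 + 20:
            continue                                      # not IPv4
        ihl = (frame[l3] & 0x0F) * 4
        if frame[l3 + 9] != 6 or len(frame) < l3 + ihl + 14:
            continue                                      # not TCP, or cut short
        src = ".".join(map(str, frame[l3 + 12:l3 + 16]))
        flags = frame[l3 + ihl + 13]
        if flags & RST:
            events[(src, "RST")] += 1
        elif flags & SYN:
            events[(src, "SYN-ACK" if flags & ACK else "SYN")] += 1
    return events

def _frame(src, dst, flags, vlan=False):
    """Build one constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x00" * 12 + (b"\x81\x00\x00\x64" if vlan else b"") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp

def sample_pcap() -> bytes:
    """Constructed capture: one handshake, then a reset from a second client."""
    c1, c2, vip = (10, 0, 0, 5), (10, 0, 0, 9), (10, 0, 0, 100)
    frames = [_frame(c1, vip, SYN), _frame(vip, c1, SYN | ACK),
              _frame(c1, vip, ACK), _frame(c2, vip, RST, vlan=True)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(sorted(tcp_events(sample_pcap()).items()))
```

A capture cut off mid-packet, as happens when SSH is interrupted before tcpdump finishes, is tolerated: the incomplete final record is skipped rather than raising an error.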