Forum Discussion

vvskaladhar_488
Apr 21, 2015

Connection list

Hi All,

We are in the phase of decommissioning one of the old F5s running version 9.3.0. We have already moved all the VIPs to our new load balancer and most of the users are accessing the new VIP. Before we decommission the old VIP IPs we want to see who is still accessing these VIPs. Unfortunately I don't see any current connections with "b conn" on these VIPs to identify the sources. Is there any way we can capture source details for a week to identify the sources still accessing the VIPs?

6 Replies

  • Why not use the good old Linux TCPdump? 🙂

    tcpdump -nn -i VLANext host 1.1.1.1 -C 200M -w /var/tmp/capture.f5.pcap &

    As a background process, this will keep writing 200M size capture files named "capture.f5.pcap" to the /var/tmp folder. Replace VLANext with your actual external VLAN; replace 1.1.1.1 with your actual VIP (or use the "net" flag instead of "host" to specify your VIP range with prefix).

    Use SCP/PSCP/WinSCP to copy the files to your PC and open them with Wireshark. Stopping the background capture:

    1. ps | grep capture.f5.pcap

    2. kill <PID>
       (as found in the output of the 1st command)
    • vvskaladhar_488
      Thanks a lot for the quick response, Hannes. I thought TCPdump will give only current connections, but not the historical ones. Please correct me if I miss something.
    • Hannes_Rapp
      With TCPdump you can also write the output to a file (the same command I've posted will do that). Letting the TCPdump collector run for 7 days will get you the information you're looking for. In fact, I don't think there's a good alternative for your case.
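
Added example, not part of the thread or any poster's code: once the capture files are copied off the box, a short Python script can list which client IPs sent packets to the VIP. It assumes classic libpcap files with Ethernet framing; the function names and every sample address other than 1.1.1.1 are constructed for illustration.

```python
import collections
import io
import socket
import struct

def sources_for_vip(stream, vip):
    """Count packets per client IP sent to `vip` in a classic libpcap stream."""
    header = stream.read(24)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(header[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", header[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    vip_raw = socket.inet_aton(vip)
    counts = collections.Counter()
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            break  # end of file
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        frame = stream.read(incl_len)
        if len(frame) < incl_len:
            break  # last record cut short, e.g. tcpdump was killed mid-write
        offset = 12
        while frame[offset:offset + 2] == b"\x81\x00":  # skip 802.1Q VLAN tags
            offset += 4
        ip = frame[offset + 2:]
        if frame[offset:offset + 2] != b"\x08\x00" or len(ip) < 20:
            continue  # not IPv4, or header truncated by the snap length
        if ip[16:20] == vip_raw:  # destination address is the VIP
            counts[socket.inet_ntoa(ip[12:16])] += 1
    return counts

def _frame(src, dst, vlan=False):
    """Constructed sample Ethernet/IPv4 frame; other header fields are zeroed."""
    eth = b"\x00" * 12 + (b"\x81\x00\x00\x64" if vlan else b"") + b"\x08\x00"
    return eth + b"\x45" + b"\x00" * 11 + socket.inet_aton(src) + socket.inet_aton(dst)

def sample_pcap():
    """Constructed four-packet capture; 1.1.1.1 stands in for the VIP."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (_frame("10.0.0.5", "1.1.1.1"), _frame("10.0.0.5", "1.1.1.1", vlan=True),
              _frame("10.0.0.9", "1.1.1.1"), _frame("1.1.1.1", "10.0.0.5")):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return io.BytesIO(out)

if __name__ == "__main__":
    print(sources_for_vip(sample_pcap(), "1.1.1.1").most_common())
```

For real captures, open each file with `open(path, "rb")` and add the returned counters together to get one list of sources for the whole week.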