How can I follow a HTTPS connection from a specified client IP

Question

Hello, I have a HTTP virtual server IP in production. Behind that Virtual server there is pool with 3 members. I'd like to troubleshooting connection from my ip client to server to see the entire flow (from client to virtaul server and from ltm to server).&nbsp;
I'm intersted to se HTTP messages from client to server. I used tcpdump to capture all traffic directed to virtual server ip and to pool server ips. Afterword I read the file captured with wireshak and tried to filter only my connection.&nbsp;
What I'm not able to do is to put in relation the client side connection with the server side connection. I mean client start a connection and BIG-ip proxy it to a server. Ho w can I follow the client connection from client to server since BIG-IP proxy it ?&nbsp;
Should insert sesion cookies ? can I do directly on ltm without tcpdump ?&nbsp;

torti · Answer

you could insert a header with the client ip via an irule (i.e. x-forwarded-for). this can be done with a http profile automatically, too. Then you have to capture a dump from both sites. With wireshark, you can search for the x-forwarded-for header, now.

helenio · Answer

Great !! I didn't think about that ... Thanks.&nbsp;

uni_87886 · Answer

The version of tcpdump which comes with the latest versions of the BigIP software (not sure when it appeared, sorry. Certainly 11.4.0) there is an option to follow the associated flow.
You need to specify a vlan in the interface, and add 😛 (no, that is not a smiley :P)
For example
tcpdump -v -s0 -w my.cap -i external:p host 10.1.2.3

There are some other cool flags added to tcpdump too. Check the man page under the -i flag.

uni · Answer

The version of tcpdump which comes with the latest versions of the BigIP software (not sure when it appeared, sorry. Certainly 11.4.0) there is an option to follow the associated flow.
You need to specify a vlan in the interface, and add 😛 (no, that is not a smiley :P)
For example
tcpdump -v -s0 -w my.cap -i external:p host 10.1.2.3

There are some other cool flags added to tcpdump too. Check the man page under the -i flag.

uni · Answer

I checked the release notes. The :p flag was introduced in 11.4.0

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

How can I follow a HTTPS connection from a specified client IP

8 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Adding logging to APM per-request policy without SWG license

can't access on prem dns when using F5LTM as a gateway

Issue with TLS Version 1.1 Deprecated Protocol

Service discovery is not happening in AS3

Load balanced RDP VIP use in APM

Related Content

Three Ways to Specify Multiple Ports on a Virtual Server

Get virtual servers, pools, pool members, statuses and connections on a specified LTM

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

Force BotDefense Captcha on Specified URL

Specify global variables to be used over multiple connections

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS