For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Icon for Nimbostratus rank

Nimbostratus

Dec 09, 2020

Solved

how can I view the top 10 talkers' IP addresses for a given timeperiod?

I see a spike in network activity but would like to see the top talkers for a given timeperiod. How can I view that info? I am using i2800 on 15.1.2.

Thanks.

application delivery

jaikumar_f5
Dec 10, 2020
Since you ask for the past, I think its doable with 2 options (from what I know), either with logging using an Irule or using the Analytics (AVR) module.
As you also called netstat, which is a real time data, not of past, I'll share few commands which I use, You can try these options,
Current Connections for a given VIP:
tmsh show sys connection cs-server-addr <VIP> | head -n -1 | tail -n +2 | awk '{print $1}'
You can add more filters like awk, cut, sort, uniq to find top source ip's consuming your respective vip.
Total Connections Count so far:
tmsh show ltm virtual <Virtual-name> | grep -E "Ltm::Virtual Server|Total Connections" | awk 'NR%2{printf "%s ",$0;next;}1' | awk '{print $3","$6}'
Live Connections Count on the box:
tmsh show ltm virtual all | grep -E "Ltm::Virtual Server|Current Connections" | awk 'NR%2{printf "%s ",$0;next;}1' | awk '{print $3","$6}'
Also you can use bigtop command,
bigtop -conn -once
Hope this helps.

3 Replies

jaikumar_f5
Noctilucent
Dec 10, 2020
When you say a given period, do you mean in the past or current traffic pattern. If current, you can use tmsh or bigtop commands.
Sharath413
Nimbostratus
Dec 10, 2020
I meant sometime in the past. Also, is there any way on F5 to view client session info like netstat -ap etc?
Do you know how I can get a list of client IP addresses to a virtual server?
- jaikumar_f5
  Noctilucent
  Dec 10, 2020
  Since you ask for the past, I think its doable with 2 options (from what I know), either with logging using an Irule or using the Analytics (AVR) module.
  As you also called netstat, which is a real time data, not of past, I'll share few commands which I use, You can try these options,
  Current Connections for a given VIP:
  tmsh show sys connection cs-server-addr <VIP> | head -n -1 | tail -n +2 | awk '{print $1}'
  You can add more filters like awk, cut, sort, uniq to find top source ip's consuming your respective vip.
  Total Connections Count so far:
  tmsh show ltm virtual <Virtual-name> | grep -E "Ltm::Virtual Server|Total Connections" | awk 'NR%2{printf "%s ",$0;next;}1' | awk '{print $3","$6}'
  Live Connections Count on the box:
  tmsh show ltm virtual all | grep -E "Ltm::Virtual Server|Current Connections" | awk 'NR%2{printf "%s ",$0;next;}1' | awk '{print $3","$6}'
  Also you can use bigtop command,
  bigtop -conn -once
  Hope this helps.

F5 Academy at AppWorld 2026

DevCentral News

Aswin MK - November 2025 Featured Member

DevCentral News

Introducing the F5 AI Assistant for BIG-IP

Technical Articles

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5