
MOHIT_125417
Aug 15, 2016

How to analyze Loadbalancer packet trace through Wireshark

Dear Experts,

 

I am in the middle of an issue where I need to analyze a packet trace captured from the Loadbalancer, and I need to do so through Wireshark.

 

Kindly suggest resources/guides on how to analyze packet traces in Wireshark.

 

3 Replies

  • F5> tcpdump -s0 -nnvvi 0.0 host -w /tmp/trace.pcap

    WinSCP > copy trace.pcap local

    *nix > scp user@f5:/tmp/trace.pcap /tmp/

     

    Wireshark: Open file: trace.pcap.

     

    Helping?

     

  • Duplicate ACKs/RESETs indicate an L2 issue, switching and/or routing. Do you have LACP enabled? Also, you can try to create a FastL4 VS (if you don't need SSL termination / content-based routing etc.). Create a FastL4 profile with Loose initiation / loose close / NO reset on timeout. Apply this profile to the VS used above.

     

    You now have a VERY stupid L4 load balancer / router, that does virtually nothing to the traffic (doesn't even terminate TCP).

     

    See if that performs better...

     

  • JG

    You might want to have a look at the following:

     

    https://devcentral.f5.com/wiki/AdvDesignConfig.F5WiresharkPlugin.ashx

     

    https://devcentral.f5.com/articles/getting-started-with-the-f5-wireshark-plugin-on-windows
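
Added example (not part of any reply in this thread, and not F5 or Wireshark code): a Python triage pass over a copied trace.pcap that counts, per TCP direction, the resets and repeated bare ACKs the second reply mentions. It assumes a classic Ethernet pcap with at most one 802.1Q tag; the duplicate-ACK test is a simplified heuristic, and `sample_pcap()` is a constructed capture.

```python
import struct
from collections import Counter

def tcp_segments(pcap):
    """Yield (flow, ack, flags, payload_len) per IPv4/TCP frame of a classic Ethernet pcap."""
    if pcap[:4] not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic pcap file")
    e = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(e + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        ip = 18 if frame[12:14] == b"\x81\x00" else 14  # skip one 802.1Q tag
        if frame[ip - 2:ip] != b"\x08\x00" or len(frame) < ip + 20:
            continue  # not IPv4
        ihl = (frame[ip] & 0x0F) * 4
        tcp = ip + ihl
        if frame[ip + 9] != 6 or len(frame) < tcp + 20:
            continue  # not TCP
        total = struct.unpack("!H", frame[ip + 2:ip + 4])[0]
        sport, dport, _seq, ack = struct.unpack("!HHII", frame[tcp:tcp + 12])
        flow = (frame[ip + 12:ip + 16], sport, frame[ip + 16:ip + 20], dport)
        yield flow, ack, frame[tcp + 13], total - ihl - (frame[tcp + 12] >> 4) * 4

def summarize(pcap):
    """Return (resets, dup_acks): Counters keyed by (src_ip, sport, dst_ip, dport)."""
    rst, dup, last_ack = Counter(), Counter(), {}
    for flow, ack, flags, plen in tcp_segments(pcap):
        if flags & 0x04:
            rst[flow] += 1
        # Heuristic: bare ACK (no SYN/FIN/RST, no payload) repeating the last ack number.
        if (flags & 0x17) == 0x10 and plen == 0 and last_ack.get(flow) == ack:
            dup[flow] += 1
        if flags & 0x10:
            last_ack[flow] = ack
    return rst, dup

def _frame(src, dst, sport, dport, ack, flags):
    """Constructed record: 10.0.0.<src> -> 10.0.0.<dst>, no payload, zero checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, ack, 0x50, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 40, 0, 0, 64, 6, 0) + bytes([10, 0, 0, src, 10, 0, 0, dst])
    pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

def sample_pcap():
    """Constructed capture: 10.0.0.1 repeats one ACK three times, then 10.0.0.2 resets."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + _frame(1, 2, 40000, 80, 1001, 0x10) * 3 + _frame(2, 1, 80, 40000, 1, 0x14)
```

On a real trace, call `summarize(open("/tmp/trace.pcap", "rb").read())` and compare the busiest flows against Wireshark's own `tcp.analysis.duplicate_ack` and `tcp.flags.reset == 1` display filters.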

     
