How to Determine Public IP when using a AutoMap SNAT with TCPDUMP?

All,

 

I have a situation where I am trying to determine the Client IP when using AutoMaP on my VIP.

 

I can find the packets I am interested in as they pass from the AutoMap IP to the Pool Members using TCPDUMP.

 

Obviously the SRC IP in my captures always show the F5 AutoMap IP. Is there any way to follow sequence numbers or something else that would reveal the packet as it came to the VIP, if I have packet info going to the Pool Members?

 

What is odd is that I find the packets with Source of the AutoMap and Destination of pool members (not always the same member). In the packet details I find the info I am looking for in this case an FTP login attempt that fails. But if I filter my TCPDUMP using the VIP I never find any of the same kind of payload I see when I filter on the bad login attempt that happens over and over.

 

What could I be missing, at first I thought someone internal was going directly to the server, but if that were true I would expect to see that LAN clients IP instead of the AutoMap... hmmm unless they are in a different subnet and still needing AutoMap. That of course takes me back to the original question... how the heck to I match up capture data coming to a pool member with data coming into VIP?

 

Hopefully this is not stupid.. I figure there has to be away And no, we can't turn of AutoMap for use X-Forward etc. as this is FTP.

 

I am happy to provide capture detail if needed.

 

Raymond