Forum Discussion
How to prove non-http traffic?
Hello Folks,
The customer has approximately 80 HTTP/HTTPS virtual servers configured on his BIG-IP appliance, and it is showing the following log message in the LTM log.
http_process_state_prepend - Invalid action EV_INGRESS_DATA during ST_HTTP_PREPEND_HEADERS
By looking into DevCentral and AskF5, I got to know that such a message may appear if your HTTP VS are receiving a response that includes a Content-Length header indicating a smaller value than the length of the data in the response.
or
Another common cause of this error message is an extra HTTP 100 Continue message, which may be included in a POST response by Microsoft Internet Information Services (IIS) version 6.0.
However, is there a way to prove which VS in particular is receiving non-standard traffic? Other than TCPDUMP, because capturing traffic on all the VS will generate plenty of logs. Or is there a way to use an intelligent iRule to capture non-standard traffic?
Cheers! Darshan
11 Replies
- nitass
Employee
> is there a way to prove which VS is particularly receiving non standard traffic? Except TCPDUMP, because capturing traffic on all the VS will generate plenty of logs. Or if there is a way to use intelligent iRule to capture non-standard traffic?

I am afraid you need tcpdump.
- swo0sh_gt_13163
Altostratus
Aww snap! I don't mind using TCPDUMP; the only challenge is that there are many HTTPS VS, in fact almost all are HTTPS VS. It would be quite tedious to generate the PMS one by one for each HTTPS VS (all of them are offloading to F5) and load it into Wireshark for investigation.
Any other suggestion?
- nitass
Employee
I normally run tcpdump with the -C and -W options and hope the issue (log) happens during the capture.
- swo0sh_gt_13163
Altostratus
Yes, but again the challenge for HTTPS will remain the same, right?
- nitass
Employee
yes
- swo0sh_gt_13163
Altostratus
Tough call for me, as there are roughly 60+ HTTPS VS and offloading is happening on F5. Can I use a RingDump sort of thing, which keeps rotating captures with the value defined with the -c parameter until we get the log for the "LTM message we are expecting" and stops once it sees the message?
Should it work?
Cheers!
- nitass
Employee
> Can I use RingDump sort of thing? Which keeps rotating captures with the value defined with -c parameter until we get log for the "LTM message we are expecting" and stopped once it sees the message?

e.g.
Run tcpdump on event by Brent Blood
https://devcentral.f5.com/wiki/iCall.Run_tcpdump_on_event.ashx?lc=1
- swo0sh_gt_13163
Altostratus
Thanks Nitass,
The script looks reactive; can it be proactive? Rather than waiting for the occurrence to happen, can we always run TCPDUMP, let's say with 5 copies saved under /var/tmp and each copy having 1000 packets (using -c), and when it sees the particular message, stop the script after getting another 1000 packets, to capture the complete flow?
Possible?
Thanks,
- nitass
Employee
I think you can run tcpdump continuously using -C (capital c) and -W (capital w) and stop tcpdump when seeing the log message using iCall or /config/user_alert.conf.
- kunjan
Nimbostratus
How about killing tcpdump upon the grep:
# tail -n0 so that only lines logged after the capture starts can trigger the kill
tcpdump -i 0.0:nnn -C 10 -W 5 -s0 -w /var/tmp/error.pcap & tail -n0 -f /var/log/ltm | grep -q 'http_process_state_prepend' && killall tcpdump &
- swo0sh_gt_13163
Altostratus
I will try this Nitass, and update the thread. Cheers!
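
The approach nitass and kunjan describe above (tcpdump running continuously with -C and -W, stopped once the LTM message is logged), written out as an added example that is not part of the original thread. The interface, pcap path and log pattern are taken from the posts; the grace period in seconds (in place of "another 1000 packets"), the poll interval, the function names and the `run` argument are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread. Defaults below are assumptions to adjust.
LOG=${LOG:-/var/log/ltm}
PATTERN=${PATTERN:-http_process_state_prepend}
IFACE=${IFACE:-0.0:nnn}            # interface spec used in the thread
PCAP=${PCAP:-/var/tmp/error.pcap}
GRACE=${GRACE:-10}                 # assumed: seconds to keep capturing after the match

# Line count of file $1, or 0 while it is missing (e.g. mid-rotation).
lines() { wc -l 2>/dev/null < "$1" || echo 0; }

# Return 0 when a line containing fixed string $2 is appended to log $1.
# $3 = poll interval in seconds, $4 = max polls before giving up (0 = no limit).
# Lines already present when the function starts are never matched.
wait_for_log_match() {
    seen=$(lines "$1"); polls=0
    while :; do
        now=$(lines "$1")
        [ "$now" -lt "$seen" ] && seen=0      # log rotated: rescan the new file
        if tail -n "+$((seen + 1))" "$1" 2>/dev/null | grep -qF -- "$2"; then
            return 0
        fi
        seen=$now; polls=$((polls + 1))
        [ "${4:-0}" -gt 0 ] && [ "$polls" -ge "$4" ] && return 1
        sleep "$3"
    done
}

# Ring buffer of 5 files x 10 MB, stopped GRACE seconds after the log match.
capture_until_match() {
    tcpdump -ni "$IFACE" -s0 -C 10 -W 5 -w "$PCAP" &
    pid=$!
    wait_for_log_match "$LOG" "$PATTERN" 1 0 && sleep "$GRACE"
    kill "$pid"                    # stops only this capture, unlike killall tcpdump
    wait "$pid" 2>/dev/null
    echo "capture stopped; ring files: ${PCAP}*"
}

# Nothing is captured unless the script is started with the argument "run".
if [ "${1:-}" = "run" ]; then capture_until_match; fi
```

Because the ring holds at most 5 x 10 MB, the capture can be left running until the message shows up, and the timestamp of the matching LTM log line then narrows the search inside the saved files.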