For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

VernonWells's avatar
VernonWells
Icon for Employee rankEmployee
Jul 30, 2015

SNATing makes tcpdump captures somewhat tricky, because you cannot (obviously) use source address to match the client- and server-sides of the flow. However if, during your testing, you have only a single flow active at a time, it is pretty easy. Reduce your pool to one member. Assuming it is a member only in that pool, then you would capture using:

tcpdump -nni 0.0 host  or host

So, if your VS address is 10.10.10.1 and your pool member is 172.16.254.100:

tcpdump -nni 0.0 host 10.10.10.1 or host 172.16.254.100

If you have more than one flow at a time, you'll need to add some higher layer information to match the flows. For example, you could something like Fiddler or Developer Tools on Chrome/Firefox to insert an arbitrary header (say X-Track, with an arbitrary value). That header will be proxied, and you can use it to match the client-side and server-side flows.