Forum Discussion
Single tcpdump command for client and server side
Hi Experts
How can I write a single tcpdump command to capture client-side and server-side traffic? In my case there is no SNAT, as the server gateway is the F5. I mean:
Client side: to/from VIP <-> client, and server side: to/from pool member.
Can I use any tcp flag or something?
Thanks
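Added example, not part of the original thread or an F5 answer. It takes the poster's own premise (no SNAT, so the client address is preserved on the server-side leg) and builds one capture that sees both legs. The addresses are constructed, and the command relies on BIG-IP's tcpdump accepting the 0.0 pseudo-interface and the :p peer-flow modifier; the output path and environment-variable guard are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a BIG-IP where the
# client IP is preserved on the server side (no SNAT, as the poster says),
# so one BPF filter keyed on the client address matches both legs.
# Addresses below are constructed sample values.

CLIENT="10.1.1.5"          # client source address (constructed)
VIP="203.0.113.10"         # virtual server address (constructed)
POOL_MEMBER="10.2.2.20"    # pool member address (constructed)

# BPF filter matching the client-side leg (client <-> VIP) and, because
# there is no SNAT, the server-side leg (client <-> pool member) as well.
build_filter() {
    client="$1"; vip="$2"; member="$3"
    printf 'host %s and (host %s or host %s)' "$client" "$vip" "$member"
}

# Full command line. "0.0" captures on all TMM interfaces; the ":p" suffix
# asks BIG-IP's tcpdump to also capture the peer flow of any matching
# connection, which covers the server side even if SNAT is later enabled.
# -s0 keeps whole packets, -w writes a pcap for offline analysis.
build_command() {
    outfile="$1"; filter="$2"
    printf 'tcpdump -ni 0.0:nnnp -s0 -w %s %s' "$outfile" "$filter"
}

FILTER=$(build_filter "$CLIENT" "$VIP" "$POOL_MEMBER")
OUTFILE="/var/tmp/client_and_server.pcap"

# Only start a capture when explicitly asked (RUN_CAPTURE=1 and root on the
# BIG-IP); otherwise just show the command that would be run.
if [ "${RUN_CAPTURE:-0}" = "1" ]; then
    tcpdump -ni 0.0:nnnp -s0 -w "$OUTFILE" "$FILTER"
else
    build_command "$OUTFILE" "$FILTER"
    echo
fi
```

If SNAT were in use the client address would be rewritten on the server side and the `host $CLIENT` term would stop matching that leg; the `:p` modifier is what keeps both flows in the capture in that case, so it is worth leaving in even when no SNAT is configured today.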
3 Replies
TimRiker - A) this is amazing.
B) I've asked our support-based moderators to take a look and see if we might cross-link your workaround into other places through support.
C) If you agree - I think it would be right to push this into the codeshare node as a "Solution" to the problem. I can take care of that for you if you like.
Lief- TimRiker
Cirrocumulus
I'm happy to have this exposed as "Solution". Perhaps with a shorter title. 😀 I edited the original.
I updated it with frac_digits(6); to get microseconds, as the logger seems to support that.
Output from F5s does NOT appear to be RFC 5424 compliant with this change. For example, I see an ASCII level indicator, which RFC 5424 does not include. I'm looking into further validation.
The F5s should really have built-in support to log in RFC 5424 with short names, timezone and milli/microsecond information. Supporting only FQDN and only RFC 3164 is pretty lame in this day and age.
There are a few F5 KB articles that recommend adding udp() to syslog include. udp() has been deprecated for a long time now. Any KB references that include that should be updated.
BIG-IP 15.1.10.3 includes syslog-ng 3.8.1 which no longer has reliable online documentation that I can find. If F5 is going to continue to ship this old version, they should at least post the documentation online. syslog-ng 3.8.1 shipped on Aug 19, 2016:
https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.8.1
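Added example, not Tim's posted workaround and not F5's KB content. It shows the two things the comment above is circling: a syslog-ng include fragment of the kind discussed (use_fqdn(no), frac_digits(6), a non-deprecated network transport instead of udp(), and the RFC 5424 syslog() driver), and a quick check that a received line actually carries an RFC 5424 header rather than an RFC 3164 one with an ASCII level word. The remote host and port, the s_syslog_pipe source name, the APPLY guard and both sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread. (a) a syslog-ng include fragment
# using the RFC 5424 syslog() driver with microsecond timestamps, and
# (b) a header check for lines arriving at the collector.
# Host, port, source name and the sample lines below are constructed.

# (a) Fragment appended to BIG-IP's syslog-ng config with
#     tmsh modify /sys syslog include '<text>'. Not applied unless APPLY=1.
#     transport("udp") inside syslog()/network() replaces the deprecated udp().
syslog_include() {
cat <<'EOF'
options { use_fqdn(no); };
destination d_rfc5424 {
    syslog("192.0.2.10" transport("udp") port(514)
           ts_format(iso) frac_digits(6));
};
log { source(s_syslog_pipe); destination(d_rfc5424); };
EOF
}

# (b) RFC 5424 header: <PRI>1 ISO-TIMESTAMP HOST APP PROCID MSGID SD
#     where SD is "-" or a "[...]" structured-data block.
is_rfc5424() {
    printf '%s\n' "$1" | grep -Eq \
      '^<[0-9]{1,3}>1 [0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\.[0-9]{1,6})?(Z|[+-][0-9]{2}:[0-9]{2}) [^ ]+ [^ ]+ [^ ]+ [^ ]+ (-|\[)'
}

# Constructed samples: the first is the shape the syslog() driver emits;
# the second is an RFC 3164-style line with the ASCII level word ("notice")
# in the header, the kind of output the comment above reports.
SAMPLE_5424='<133>1 2024-05-01T12:34:56.123456+00:00 bigip1 tmm 12345 - - constructed message text'
SAMPLE_3164='May  1 12:34:56 bigip1.example.com notice tmm[12345]: constructed message text'

# How many of the samples pass the header check (expected: 1).
check_samples() {
    pass=0
    is_rfc5424 "$SAMPLE_5424" && pass=$((pass + 1))
    is_rfc5424 "$SAMPLE_3164" && pass=$((pass + 1))
    echo "$pass"
}

if [ "${APPLY:-0}" = "1" ]; then
    tmsh modify /sys syslog include "$(syslog_include)"
else
    syslog_include
    echo "samples with a valid RFC 5424 header: $(check_samples)"
fi
```

The header check is the validation step Tim says he is still working on: run it against what the collector actually receives, not against what the config is meant to produce, because the comment's observation is precisely that the two differ.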
Unfortunately, for now, I can't seem to mark multiple items as Solution.
When I can, I will do so for this comment as well. Thanks again Tim - very helpful.
- Jmtaylor
Moderator
We have validated this on Version 17.x and are working on other versions as well. Here is the link to the article.
Using use_fqdn(no) in syslog configuration still includes the hostname/FQDN in the logs. (f5.com)
TimRiker - given that Jmtaylor was able to push this over into an actual Knowledge article (officially F5 supported) solution, I'm less concerned with where it lives in DevCentral now. As long as it's discoverable.
I will mark a comment as the solution so that it gets that deserved lift as well. Thanks JMTaylor and HUGE thanks to you Tim for sharing this with the F5 Community.