Run tcpdump regarding a match in a log file
Hello!
I'm looking for your help. I'm searching for a script which I used on an F5 some years ago. It was a script present on the F5 OS, not a specific script added manually (in a v10.x version as far as I remember).
The goal of this script is to run a tcpdump for a certain number of packets. When this number of packets is exceeded, the script will automatically run a new tcpdump and check a specified log file for a specific match. If a specific log was generated, the pcap file is kept; if not, it is deleted.
This script was especially helpful for capturing random events.
I have a random issue here, and I need this tool to be able to take a packet capture this way... however, even after grinding through my mails for 2 hours, I wasn't able to find the mail from F5 giving me the procedure and/or the name of the script!
If anyone has more information for me, it would be great!
4 Replies
- Cory_50405
Noctilucent
You should be able to login to F5's support portal and review all of your old support cases with all of the notes. Perhaps you will find it there?
- Felkor_29336
Nimbostratus
Most certainly yes, but there are something like a few hundred cases, so it's not that easy with only keywords like tcpdump or script ;)
- BinaryCanary_19
Historic F5 Account
I think you're referring to:
/usr/share/ts/bin/find_error.pl
It's a Perl script. Hopefully, you can read it and understand how to use it. I've never used it before myself, and I hate Perl syntax 🙂
- Felkor_29336
Nimbostratus
YES! Thank you a lot, that's it. Very useful script 🙂
For anyone who is asking, this is the manual of the script and how to use it:
USAGE: ./find_error.pl
Mandatory arguments:
  -t, --token='Token'  the token you are searching for
  -l, --log_file='Log File'  fullpath/filename of log file to use for logging
  -p, --packet_num='Packet Number'  the number of the packets to dump
  -o, --output_file='Output File'  fullpath/filename of the output file to use
Optional arguments:
  --zip='zip tar file'  to zip the final tar file
  --nozip='do not zip tar file'  not to zip the final tar file
  -e, --expression='filter expression'  filtering expression for tcpdump
  -i, --interface='Interface'  Default: 0.0
  -s, --snap='Snap length'  Default: 0
  --nnn='use nnn to increasing amounts of internal debugging information appended to the end of each packet'  Default: nnn
  -h, --help='help'  issue this help message.
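The behaviour described in this thread (capture a fixed number of packets, then keep the pcap only if a token showed up in a log file), as an added bash sketch; it is not F5's `find_error.pl` and not code from any poster. The function names, the `capture-N.pcap` file naming and stopping at the first kept capture are assumptions of this sketch, and it only counts log lines written while the capture was running.

```bash
#!/bin/bash
# Added sketch, not F5's find_error.pl: capture PACKETS packets at a time and
# keep a pcap only if TOKEN was written to LOG while that capture was running.

# log_size LOG: print the log's size in bytes (0 if it does not exist).
log_size() { if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi; }

# token_since LOG OFFSET TOKEN: succeed if TOKEN appears in bytes written after
# OFFSET. A log smaller than OFFSET was rotated, so scan it from the start.
token_since() {
    local log="$1" offset="$2" token="$3"
    if [ "$(log_size "$log")" -lt "$offset" ]; then offset=0; fi
    tail -c "+$((offset + 1))" "$log" 2>/dev/null | grep -Fq -- "$token"
}

# capture_round LOG TOKEN PCAP CMD...: run CMD (the capture that writes PCAP),
# then keep PCAP (return 0) or delete it (return 1). Return 2 if CMD failed.
capture_round() {
    local log="$1" token="$2" pcap="$3" start
    shift 3
    start=$(log_size "$log")
    "$@" || return 2
    if token_since "$log" "$start" "$token"; then
        echo "kept $pcap"
    else
        rm -f -- "$pcap"
        return 1
    fi
}

# main LOG TOKEN PACKETS OUTDIR [IFACE] [FILTER]: repeat capture rounds until
# one pcap is kept or tcpdump fails (stopping on a match is this sketch's choice).
main() {
    local log="$1" token="$2" count="$3" outdir="$4" iface="${5:-0.0}" filter="${6:-}"
    local pcap rc n=0
    while :; do
        n=$((n + 1))
        pcap="$outdir/capture-$n.pcap"
        rc=0
        capture_round "$log" "$token" "$pcap" tcpdump -ni "$iface" -s 0 \
            -c "$count" -w "$pcap" ${filter:+"$filter"} || rc=$?
        if [ "$rc" -ne 1 ]; then return "$rc"; fi   # 0 = kept, 2 = tcpdump failed
    done
}

# Start only when called with LOG TOKEN PACKETS OUTDIR (and optional extras).
if [ $# -ge 4 ]; then main "$@"; fi
```

Unlike a rotating capture, this sketch does not sniff while it checks the log between rounds, so a larger packet count per round shrinks the share of time spent blind.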
