Forum Discussion
Taking a network capture with BIG-IP Edge Client running
A few years ago, WinPcap made a change that made it impossible to capture from any Dial-Up adapter. The APM client uses this sort of adapter to create the VPN connection.
While Wireshark is not an option, you can use Microsoft's Netmon to capture from the Dial-Up adapter, then analyze the data in Wireshark or Netmon (Wireshark can load up Netmon captures). Netmon has some advantages in that the dissectors are better for Microsoft-centric protocols such as RDP, SMB, and Kerberos. And it also will tell you the name of the Windows binary that is creating the traffic.
For the sake of completeness of this response: You can also capture this traffic (as you've mentioned) on the APM itself by using "tcpdump -i ".
Keep in mind also that there are two parts of this traffic: DNS and Traffic. The Edge Client has a "DNS Relay Proxy" component that proxies DNS requests/responses. If you find some problem that seems to be related to this, try either disabling the DNS Relay Proxy System Service or adjusting the DNS split settings in the Network Access object. We usually recommend leaving the DNS split at "*", meaning "resolve everything over the tunnel". This doesn't impact the traffic after the DNS, just the DNS itself.
