Forum Discussion
jdscrymgeour_42 (Nimbostratus)
Oct 18, 2011
TCP Logging all traffic
My rule is basically the same as the below:
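    when CLIENT_ACCEPTED {
        # Start buffering client data as soon as the connection is accepted
        TCP::collect
    }
    when CLIENT_DATA {
        # Log whatever has been collected so far
        set DATA [TCP::payload]
        log local0. "TCP DATA: $DATA"
        # Forward the collected data, then collect again for the next segment
        TCP::release
        TCP::collect
    }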
The problem is that the client accepted event occurs, capturing the initial packet; however, the client stays connected for multiple packets and the TCP::collect within CLIENT_DATA does not seem to trigger the CLIENT_DATA event again!
UDP works very nicely, just collecting each packet sent because it is connectionless; however, my issue is with TCP and I cannot change this!
Any advice would be greatly appreciated
Thanks
James
- nitass (Employee): how do you know CLIENT_DATA is not triggered again?

    [root@iris:Active] config # b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.17.33:http
       ip protocol tcp
       rules myrule
    }
    [root@iris:Active] config # b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
          TCP::collect
       }
       when CLIENT_DATA {
          set DATA [TCP::payload]
          log local0. "[IP::client_addr]:[TCP::client_port]|$DATA"
          TCP::release
          TCP::collect
       }
    }
    [root@iris:Active] config # tail -f /var/log/ltm
    Oct 18 22:01:06 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET / HTTP/1.1 Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2) Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 11 Jun 2011 00:31:47 GMT If-None-Match: "667a-67-cfb682c0" Host: 172.28.17.33 Connection: Keep-Alive
    Oct 18 22:01:06 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET /dog.gif HTTP/1.1 Accept: */* Referer: http://172.28.17.33/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2) Accept-Encoding: gzip, deflate If-Modified-Since: Thu, 24 Feb 2011 07:40:14 GMT If-None-Match: "5d7f-1530-52f31380" Host: 172.28.17.33 Connection: Keep-Alive
    Oct 18 22:01:09 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET / HTTP/1.1 Accept: */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2) Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 11 Jun 2011 00:31:47 GMT If-None-Match: "667a-67-cfb682c0" Host: 172.28.17.33 Connection: Keep-Alive
    Oct 18 22:01:09 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET /dog.gif HTTP/1.1 Accept: */* Referer: http://172.28.17.33/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2) Accept-Encoding: gzip, deflate If-Modified-Since: Thu, 24 Feb 2011 07:40:14 GMT If-None-Match: "5d7f-1530-52f31380" Host: 172.28.17.33 Connection: Keep-Alive
    Oct 18 22:01:10 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET / HTTP/1.1 Accept: */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2) Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 11 Jun 2011 00:31:47 GMT If-None-Match: "667a-67-cfb682c0" Host: 172.28.17.33 Connection: Keep-Alive
    Oct 18 22:01:10 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET /dog.gif HTTP/1.1 Accept: */* Referer: http://172.28.17.33/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2) Accept-Encoding: gzip, deflate If-Modified-Since: Thu, 24 Feb 2011 07:40:14 GMT If-None-Match: "5d7f-1530-52f31380" Host: 172.28.17.33 Connection: Keep-Alive
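One way to answer "how do you know CLIENT_DATA is not triggered again?" from /var/log/ltm itself, as an added example that is not part of either poster's reply: group the rule's log entries by client address and port and count how many times the event fired per connection. The sample log is constructed in the format shown above, the function names are hypothetical, and IPv4 clients are assumed.

```python
import re
from collections import defaultdict

# Entry shape produced by the rule in the thread:
#   log local0. "[IP::client_addr]:[TCP::client_port]|$DATA"
ENTRY = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ info tmm\d*\[\d+\]: "
    r"Rule (?P<rule>\S+) : (?P<client>\d+\.\d+\.\d+\.\d+:\d+)\|(?P<data>.*)$"
)
SYSLOG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d ")

# Constructed sample in the format shown in the thread (not the poster's log).
SAMPLE = """\
Oct 18 22:01:06 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET / HTTP/1.1
Host: 172.28.17.33
Oct 18 22:01:06 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET /dog.gif HTTP/1.1
Oct 18 22:01:07 local/tmm notice tmm[4601]: 013e0001:5: Tcpdump starting bcast on :::0 from 127.1.1.1:58858
Oct 18 22:01:09 local/tmm info tmm[4601]: Rule myrule : 192.168.206.50:40000|HELLO 1
"""

def parse_events(text, rule="myrule"):
    """Return {client: [(timestamp, payload), ...]} for one rule's entries."""
    events = defaultdict(list)
    current = None  # client whose latest entry continuation lines extend
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and m["rule"] == rule:
            events[m["client"]].append([m["ts"], m["data"]])
            current = m["client"]
        elif SYSLOG.match(line):
            current = None  # unrelated syslog entry, not payload
        elif current is not None:
            # The logged payload contained a newline; keep it with its entry.
            events[current][-1][1] += "\n" + line
    return {c: [tuple(e) for e in evs] for c, evs in events.items()}

def single_fire_connections(events):
    """Connections for which CLIENT_DATA was logged exactly once."""
    return sorted(c for c, evs in events.items() if len(evs) == 1)

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for client, fired in sorted(evs.items()):
        print(client, "CLIENT_DATA fired", len(fired), "time(s)")
    print("fired only once:", single_fire_connections(evs))
```

A connection listed as firing only once is either a client that sent a single segment or one where collection stopped after the first release, so compare it against a packet capture of the same connection.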
- jdscrymgeour_42 (Nimbostratus): Thanks for your response,
- jdscrymgeour_42 (Nimbostratus): The easiest way to recreate my problem is using netcat or similar, sending the data to the virtual server, the basic TCP construction looks like this:
- nitass (Employee): is there anything i missed?

    [root@iris:Active] config # tcpdump -nni 0.0 host 172.28.17.33
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    23:50:28.529287 IP 192.168.206.102.54942 > 172.28.17.33.80: S 2036798734:2036798734(0) win 8192
    23:50:28.529372 IP 172.28.17.33.80 > 192.168.206.102.54942: S 3173404814:3173404814(0) ack 2036798735 win 3780
    23:50:28.529793 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 1 win 16695
    23:50:28.529964 IP 192.168.206.102.54942 > 172.28.17.33.80: P 1:369(368) ack 1 win 16695
    23:50:28.532768 IP 172.28.17.33.80 > 192.168.206.102.54942: P 1:455(454) ack 369 win 4148
    23:50:28.577702 IP 192.168.206.102.54942 > 172.28.17.33.80: P 369:745(376) ack 455 win 16581
    23:50:28.578787 IP 172.28.17.33.80 > 192.168.206.102.54942: . 455:1715(1260) ack 745 win 4524
    23:50:28.578795 IP 172.28.17.33.80 > 192.168.206.102.54942: P 1715:1915(200) ack 745 win 4524
    23:50:28.578868 IP 172.28.17.33.80 > 192.168.206.102.54942: . 1915:3175(1260) ack 745 win 4524
    23:50:28.579125 IP 172.28.17.33.80 > 192.168.206.102.54942: . 3175:4435(1260) ack 745 win 4524
    23:50:28.579200 IP 172.28.17.33.80 > 192.168.206.102.54942: . 4435:5695(1260) ack 745 win 4524
    23:50:28.579204 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 1915 win 16695
    23:50:28.579483 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 4435 win 16695
    23:50:28.792018 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 5695 win 16695
    23:50:28.792059 IP 172.28.17.33.80 > 192.168.206.102.54942: P 5695:6178(483) ack 745 win 4524
    23:50:28.806251 IP 192.168.206.102.54942 > 172.28.17.33.80: P 745:1094(349) ack 6178 win 16574
    23:50:28.808325 IP 172.28.17.33.80 > 192.168.206.102.54942: P 6178:6681(503) ack 1094 win 4873
    23:50:28.817967 IP 192.168.206.102.54942 > 172.28.17.33.80: P 1094:1473(379) ack 6681 win 16448
    23:50:28.819720 IP 172.28.17.33.80 > 192.168.206.102.54942: P 6681:7184(503) ack 1473 win 5252
    23:50:29.025972 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 7184 win 16695
    23:50:31.062463 IP 192.168.206.102.54942 > 172.28.17.33.80: P 1473:1952(479) ack 7184 win 16695
    23:50:31.063793 IP 172.28.17.33.80 > 192.168.206.102.54942: P 7184:7364(180) ack 1952 win 5731
    23:50:31.082003 IP 192.168.206.102.54942 > 172.28.17.33.80: P 1952:2441(489) ack 7364 win 16650
    23:50:31.083102 IP 172.28.17.33.80 > 192.168.206.102.54942: P 7364:7546(182) ack 2441 win 6220
    23:50:31.303244 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 7546 win 16604
    23:50:32.214973 IP 192.168.206.102.54942 > 172.28.17.33.80: P 2441:2920(479) ack 7546 win 16604
    23:50:32.216448 IP 172.28.17.33.80 > 192.168.206.102.54942: P 7546:7726(180) ack 2920 win 6699
    23:50:32.231074 IP 192.168.206.102.54942 > 172.28.17.33.80: P 2920:3409(489) ack 7726 win 16559
    23:50:32.232224 IP 172.28.17.33.80 > 192.168.206.102.54942: P 7726:7908(182) ack 3409 win 7188
    23:50:32.426229 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 7908 win 16514
    30 packets captured
    30 packets received by filter
    0 packets dropped by kernel
    [root@iris:Active] config # cat /var/log/ltm
    Oct 18 23:54:16 local/tmm notice tmm[4601]: 013e0001:5: Tcpdump starting bcast on :::0 from 127.1.1.1:58858
    Oct 18 23:54:20 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET / HTTP/1.1 Host: 172.28.17.33 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive
    Oct 18 23:54:20 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET /dog.gif HTTP/1.1 Host: 172.28.17.33 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://172.28.17.33/
    Oct 18 23:54:20 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET /favicon.ico HTTP/1.1 Host: 172.28.17.33 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive
    Oct 18 23:54:20 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET /favicon.ico HTTP/1.1 Host: 172.28.17.33 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive
    Oct 18 23:54:22 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET / HTTP/1.1 Host: 172.28.17.33 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive If-Modified-Since: Sat, 11 Jun 2011 00:31:47 GMT If-None-Match: "667a-67-cfb682c0" Cache-Control: max-age=0
    Oct 18 23:54:23 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET /dog.gif HTTP/1.1 Host: 172.28.17.33 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://172.28.17.33/ If-Modified-Since: Thu, 24 Feb 2011 07:40:14 GMT If-None-Match: "5d7f-1530-52f31380" Cache-Control: max-age=0
    Oct 18 23:54:24 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET / HTTP/1.1 Host: 172.28.17.33 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive If-Modified-Since: Sat, 11 Jun 2011 00:31:47 GMT If-None-Match: "667a-67-cfb682c0" Cache-Control: max-age=0
    Oct 18 23:54:24 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET /dog.gif HTTP/1.1 Host: 172.28.17.33 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://172.28.17.33/ If-Modified-Since: Thu, 24 Feb 2011 07:40:14 GMT If-None-Match: "5d7f-1530-52f31380" Cache-Control: max-age=0
    Oct 18 23:54:28 local/tmm notice tmm[4601]: 013e0002:5: Tcpdump stopping on 127.1.1.2:1042 from 127.1.1.1:58858
- jdscrymgeour_42 (Nimbostratus): you mean other than yours working and mine not?!
- jdscrymgeour_42 (Nimbostratus): The issue with my connection is that when the TCP::release command is invoked it is dropping the TCP connection between the virtual server and my client. Instead of just releasing the collected data and getting ready to process the next data, the virtual server is actually sending a RST ACK to the client, closing the connection. Is there a way to stop this?
- nitass (Employee): would you mind posting the virtual server config here?
- jdscrymgeour_42 (Nimbostratus): All of the settings are default, for a TCP server using the standard tcp profile. Sorry, I don't know how to export this as text!
- nitass (Employee): is it http traffic? is there any error in log while sending?
- jdscrymgeour_42 (Nimbostratus): It is not HTTP traffic; it is more like telnet/netcat as above, straight ASCII TCP messages, and there is no error log. I think the issue is that the following happens: