Forum Discussion

jdscrymgeour_42

Nimbostratus

Oct 18, 2011

TCP Logging all traffic

My rule is basically the same as the below:

when CLIENT_ACCEPTED {

TCP::collect

{

when CLIENT_DATA {

set DATA [TCP::payload]

log local0. "TCP DATA: $DATA"

TCP::release

TCP::collect

}

The problem is that the client accpted event occurs capturing the initial packet, however the client stays connected for multiple packets and the TCP::collect within CLIENT_DATA does not seem to trigger the CLIENT_DATA event again!

UDP works very nicely just collecting each packet sent because it is connectionless, however my issue is with TCP and I cannot change this!

Any advise would be greatly appreciated

THanks

James

11 Replies

jdscrymgeour_42
Nimbostratus
Oct 27, 2011
A work around for this is to never use the TCP::release command which I can get away with in my rule using a sideband connection in version 11. and using:

TCP::payload replace 0 [TCP::payload length]""

to empty the collected data.

THanks

James

Forum Discussion

TCP Logging all traffic

11 Replies

Recent Discussions

Ansible F5 imperative collection works with proxies, declarative collection doesn't

GSLB - Monitoring LTM VIP load balancing via iRule

Problems connecting to vpn after upgrading to ubuntu 24.04

How to Match Dynamic URI Segments in AS3

GCP F5 deployment - Active -Active with config Sync

Related Content

iRule to log traffic details

Log tcp Connections.

Log Tcp And Http Request Response Info

Forward traffic based on TCP Port - LTM Policy

F5 TCP Proxy mode