Forum Discussion

dragonflymr's avatar
Icon for Cirrostratus rankCirrostratus
Feb 11, 2015

tcpdump excluding monitor traffic



Probably something obvious but I can't figure it out. Let's say: 1. We have standalone device. 2. There is only selfIP on internal (no floating as it's standalone) 3. Http VS has Automap set 4. Pool has default http monitor


So monitor traffic has the same source and destination IP and destination port as snated client traffic. So what filter can be used to just capture client traffic excluding monitor traffic. And I am not taking about full flow from client to server but only server side snated client traffic.




6 Replies

  • uni's avatar
    Icon for Altostratus rankAltostratus

    This has always been a pain. To help with this, I have try where possible to use a SNAT pool rather than automap. However, it's obviously too late for that now. You could do it with two passes through tcpdump. The first pass you capture traffic to the virtual IP and include the 😛 flag. You then filter the output of that to exclude the VS IP:

    tcpdump -i external:nnnp -s0 -w - host | tcpdump -r - -s0 not host

    Or, probably more usefully, save the capture from the first command, and process it afterwards:

    tcpdump -i external:nnnp -s0 -w /var/tmp/my.cap host
    tcpdump -r /var/tmp/my.cap -s0 not host

    That's off the top of my head, I haven't tested it. If it's not quite right, hopefully you get the idea.

  • Hi,


    I guess your suggestion about not using automap but rather separate SNAT pool (even with one IP) is most valuable. I was not thinking about it as a way to simplify troubleshooting but it seems to be a way to go - if there are any spare IP's to use.


    Going back to tcpdump examples. I am quite new in this area so to be sure:


    First dump is capturing complete flow so both client<->VIP and SNAT<->Server


    Second is removing all connections on client side


    Am I right? If so it seems to be quite useful method.




  • Hi Piotr,

    in the tcpdump expample provided by uni you will notice the usage of "-i" parameter to determine the interface.

    F5 has added some options to improve tracking traffic.

    Using interface 0.0 allows capturing traffic internally on all VLANs.

    The internal capture allows in addition the use of the "noise" flags, "nnn".

    Last but not least there is the "p" flag for interface definition to capture peer traffic.

    With the "p" flag you can set a filter on a clientside parameter, i.e. client IP or virtual server IP and the trace will include the related serverside traffic as well, SNATed or not. No worries about filtering out the monitoring traffic.

    Uni has also added the "-s" parameter for packet size specification. Set it to "0" to capture the full packet length. This will be necessary to dump the internal ethernet trailer information (aka "noise").

    To decode the "noise" in WireShark you may want to download the WireShark Plugin provided by F5.

    So the tcpdump would look like this:
    tcpdump -i 0.0:nnnp -s 0 -w /var/tmp/mytrace.cap host   

    This kind of trace will contain the serverside traffic as well. Feel free to add filters according to your specific needs.

    Thanks, Stephan
  • Hi Stephan,


    Thanks for explanation. I missed that external is used for -i. I am novice but already learned a bit about noise and p parameter :-) I am curious if -i external:nnnp will indeed catch full flow - both client and server side or just client side part? I had impression that to catch full flow 0.0 has to be used? As far as I understand, in case of using p parameter monitor traffic is automatically excluded, even if server ip is used for host parameter (let's say I do not know client IP or would like to catch all SNAT<->server traffic)


    Considering your example, to get just server side traffic from the dump I still need to use tcpdump -r /dump.cap not host ? I assume that in case of reading dump file using -i is not necessary or it is?




    • StephanManthey's avatar
      Icon for MVP rankMVP
      Hi Piotr, my example contains client- and serverside traffic but not the monitoring as it does not belong to the client initiated flow. If you specify the VIP as filter, you will get traffic of all clients including serverside traffic. You can apply filters when reading the raw dump on CLI. I prefer export to WireShark. Will go offline now. Thanks, Stephan
    • dragonflymr's avatar
      Icon for Cirrostratus rankCirrostratus
      Hi, Thanks a lot for pointing me to this great Wireshark article. It's really amazing how it simplifies analyzing F5 flows. Now I have to play around and use the trick to connect tcpdump output from VE to my Wireshark. Piotr