Forum Discussion
TCPDump for capturing traffic between Virtual Server and Pool Members
Hi guys, glad to have this community to help me.
I want to ask what is the best way to capture traffic between my servers going to a VS and specific pool members.
For example, I have one pool with 3 pool members. I will describe it as below:
- VS : 172.16.16.1
- Pool_HTTP with 3 members:
  1. WEB_A : 10.10.10.11
  2. WEB_B : 10.10.10.12
  3. WEB_C : 10.10.10.13
And the thing is, I want to use tcpdump to capture my server traffic (172.16.16.100) going to VS 172.16.16.1 with pool members of (10.10.10.11-12, except 10.10.10.13). I tried using tcpdump like this, and it doesn't seem to work.
tcpdump -ni 0.0 src host 172.16.16.100 and dst host 172.16.16.1 and "(dst host 10.10.10.11 or dst host 10.10.10.12)"
Thank you so much for your help. Cheers
Regards
Alkuin Melvin
10 Replies
Hi, considering that F5 is a full proxy, you have two distinct client to server connections:
- first is (SRC:172.16.16.100 and DST:172.16.16.1),
- second is (SRC:X.X.X.X and DST:10.10.10.11 or 10.10.10.12), src depends on your SNAT configuration, if using automap then it is an F5 self IP.
So your tcpdump needs to have an "OR" to match both connections; you've set up an "AND". Something like:
tcpdump -ni 0.0 '(src host 172.16.16.100 and dst host 172.16.16.1) or (dst host 10.10.10.11 or dst host 10.10.10.12)'
- Hannes_Rapp
Nimbostratus
Problem is that for the serverside connection, the source IP is your VS IP (or SNAT IP if you use one), therefore, nothing will be captured by your filter.
Why not set up two concurrent captures and later compare them side by side for the complete flow? If someone has any better ideas to get it in a single filter capture, please let me know!
tcpdump -i VLAN-EXTERNAL 'src host 172.16.16.100 and dst host 172.16.16.1' -w ext.pcap
tcpdump -i VLAN-INTERNAL 'src host 172.16.16.1 and (dst host 10.10.10.11 or dst host 10.10.10.12)' -w int.pcap
- IRONMAN
Cirrostratus
Are you sure that, on the server side, the source IP for the capture is 172.16.16.1, which is the VIP IP, without SNAT? As per me, it should be the client source IP.
But I am confused. Please confirm?
- Alkuin_Melvin_1
Nimbostratus
Hi, thanks for helping me out. It looks like you're right guys, I think I need to do a separate capture, one for client side and another one for server side. For now I will do that, great. However, I am still looking to see if someone has a way to capture the packets using a single capture.
- Hi, as I mentioned before, using the OR logic in your filter will let you capture both connections in a single tcpdump job
- Alkuin_Melvin_1
Nimbostratus
Sorry, double post :)
- nathe
Cirrocumulus
Alkuin
This may help you use tcpdump and identify client and server side traffic: see Capturing internal TMM information with tcpdump.
Also, a tcpdump I've used in the past to ensure that we can capture the serverside traffic when SNATing is (not using the noise levels outlined in the post above, however):
tcpdump -nni 0.0 '(src host client_ip and dst host vip) or (src host snat_ip and dst host poolmember_ip) or (src host snat_ip and dst host poolmember2_ip)'
Hope this helps further,
N
- Anuj_Chaudhary_
Nimbostratus
use -nni..
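The single-capture filter from the replies above, generalized to any number of pool members, as an added example that is not part of the original thread. `build_filter` and `is_ipv4` are hypothetical helper names, and 10.10.10.1 is a constructed stand-in for the serverside source address, which depends on the SNAT configuration.

```shell
#!/bin/sh
# Added example: build one tcpdump filter covering both halves of a
# full-proxy flow (client -> VS, then serverside source -> pool members).

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so that
# nothing other than an address can end up inside the filter expression.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; only affects this function's args
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_filter CLIENT VIP SERVERSIDE_SRC MEMBER...
# Prints the filter on stdout; returns 2 on missing or malformed arguments.
build_filter() {
    if [ "$#" -lt 4 ]; then
        echo "usage: build_filter CLIENT VIP SERVERSIDE_SRC MEMBER..." >&2
        return 2
    fi
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 2; }
    done
    client=$1 vip=$2 server_src=$3
    shift 3
    members=
    for m in "$@"; do
        # Join the selected members with "or"; unlisted members are excluded.
        members="${members:+$members or }dst host $m"
    done
    printf '(src host %s and dst host %s) or (src host %s and (%s))\n' \
        "$client" "$vip" "$server_src" "$members"
}

# Addresses from the thread; 10.10.10.1 is a constructed serverside source.
filter=$(build_filter 172.16.16.100 172.16.16.1 10.10.10.1 \
    10.10.10.11 10.10.10.12)
echo "tcpdump -nni 0.0 '$filter'"
```

When no SNAT is applied, pass the client address again as the third argument so the serverside clause matches the preserved source.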
