Forum Discussion
InquisitiveMai
Cirrostratus
Cirrostratustcpdump from client to VIP and Self Ip to Pool
What is the best way to capture traffic between
client <--> VIP and Self IP <--->Pool Members
I tried tcpdump -ni 0.0:nnn host<VIP ip address> or host<pool1 ip address> or host <pool 2 ip address> -w <file Location>
I captured packets with the the ip addresses above. How can we isolate or filter this traffic to identify which client side connection is associated which server side connection. Can we do something with the F5 ethernet trailer Low, Medium and High Details
Juergen_MangMVP
You can use tcpdump -nni 0.0:nnnp host <client ip address> to match both sides of the connection as documented in https://support.f5.com/csp/article/K13637
You can use the flowid to match the frontend and backend connections: https://support.f5.com/csp/article/K59414829
InquisitiveMaiThank you for your response. Because we are capturing traffic on any interface with tcpdump -i 0.0 option, should not it capture all the traffic including poolmembers and self Ip. Why would we still need p option? I see that p option may cause some high resource utlization. Is there any significance to use p option? Can't we just use the client ip without the p option and add the VIP and pool members option like below and then filter it out with the flow from clientside associated to serverside
tcpdump -ni 0.0:nnn host<VIP ip address> or host<pool1 ip address> or host <pool 2 ip address>
Hello,
As Juergen_Mang said, the "P" option allows you to capture both sides.
"you can use the p interface modifier with the n modifier to capture traffic with TMM information for a specific flow and its related peer flow. The p modifier allows you to capture a specific traffic flow through the BIG-IP system from end to end,"
Besides show the traffic in the wireshark using the flow option to isolate traffic as you need.
navigate to Statistics > Flow Graph, you will find an output similar to the below one that shows client side and server side:
BR,
Mohamed Salah
