
Forum Discussion

Muhannad
Apr 21, 2026

TCPDUMP in BigIP for traffic coming from Distributed Cloud.

Dears,

 

I have an internal BigIP WAF receiving the traffic redirected by F5 Distributed Cloud. When I do a tcpdump, I can see only the traffic sourced from Distributed Cloud IP addresses. This is normal, but it is impacting my troubleshooting tools in BigIP like tcpdump, where I can't see the original IP address and so can't get more visibility into the issues happening.

The X-forward header is enabled on the Distributed Cloud side, and Trust XFF is enabled in the WAF policy and HTTP header, but this helps only with the WAF event logs: the original IP address is logged in the security event logs, but this is not the case with tcpdump. I couldn't find any way to capture the traffic using the IP in the X-Forwarded header of the F5 XC.

 

Can you please help me if there are any workarounds?

 

Regards,

Muhannad

1 Reply

  • Hello Muhannad​ 

    This is expected behavior.

    Unfortunately, tcpdump cannot natively use the XFF header as the packet source IP, because XFF is an HTTP header (Layer 7), while tcpdump filters operate on Layer 3 / Layer 4 information.

    You could either capture the traffic with tcpdump and then inspect/filter the HTTP headers in Wireshark, or use an iRule to log the information you need.
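
One way to do the offline filtering the reply describes, as an added example (not from the thread or from F5): it reads a classic little-endian pcap with untagged Ethernet/IPv4 frames and cleartext HTTP request headers in a single segment, and returns the TCP 4-tuples of requests whose X-Forwarded-For lists a given client IP. The function names, addresses and sample capture are constructed for illustration.

```python
import struct, socket

def build_pcap(frames):
    """Constructed sample input: wrap raw Ethernet frames in a classic pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def frame(src, sport, dst, dport, payload):
    """Constructed sample input: minimal Ethernet/IPv4/TCP frame (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def flows_for_client(pcap, client_ip):
    """Return (src, sport, dst, dport) for HTTP requests whose XFF lists client_ip."""
    hits, off = [], 24  # skip the 24-byte pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]  # captured length
        pkt, off = pcap[off + 16: off + 16 + incl], off + 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not untagged IPv4 carrying TCP
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]  # honour the IPv4 header length
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp)
        data = tcp[(tcp[12] >> 4) * 4:]  # honour the TCP data offset
        head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        for line in head.split("\r\n")[1:]:  # header lines after the request line
            name, _, value = line.partition(":")
            xff = [v.strip() for v in value.split(",")]
            if name.strip().lower() == "x-forwarded-for" and client_ip in xff:
                hits.append((socket.inet_ntoa(pkt[26:30]), sport,
                             socket.inet_ntoa(pkt[30:34]), dport))
                break
    return hits

# Constructed sample: two requests from one XC-side address, two different real clients.
XC, VIP = "192.0.2.10", "10.1.1.5"
REQ = b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For: %s\r\n\r\n"
SAMPLE = build_pcap([frame(XC, 40001, VIP, 80, REQ % b"203.0.113.7"),
                     frame(XC, 40002, VIP, 80, REQ % b"198.51.100.9")])

if __name__ == "__main__":
    for s, sp, d, dp in flows_for_client(SAMPLE, "203.0.113.7"):
        print(f"Layer 3/4 filter for this client's flow: host {s} and port {sp}")
```

The returned source address and port identify the XC-side connection, which is something a tcpdump or Wireshark Layer 3 / Layer 4 filter can match on. If the leg being captured is TLS, the headers are not visible in the capture and this approach does not apply to that leg.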