Forum Discussion
jack_39736
Nimbostratus
Nov 20, 2009
tcpdump not showing all data
I have a test VIP that load balances to a single web server which I can connect to with no problem over port 80...I'm running version 10.0.1.
I turned up tcpdump to watch the traffic come in and out on the F5 and it only shows a packet or two every couple of minutes no matter how many times I refresh the browser.
I have tried this same thing for other traffic and the F5 continues not to show all traffic through tcpdump.
The F5 device is not showing any errors on the interfaces, the memory is low and so is the connection count.
Can anyone shed some light on this problem?
thanks
Jack
20 Replies
- The_Bhattman
Nimbostratus
Have you tried via cmd shell?
- jack_39736
Nimbostratus
I'm logged into the box over ssh using the admin account and running the tcpdump commands from the CLI, is there another way to do it?
- The_Bhattman
Nimbostratus
There are only 2 ways to do it, GUI or CLI, but the command line is the one that most sys admins prefer.
Bhattman
- jack_39736
Nimbostratus
Yes, I'm using the CLI and tcpdump doesn't work correctly using this method, it doesn't show all the network packets and is very delayed when it does work. Anyone see this issue on their boxes?
I'm running 10.0.1
thanks
Jack
- The_Bhattman
Nimbostratus
Hi Jack,
I am running 10.0.1 HF3 and tcpdump is working properly.
What do you normally enter as the parameters?
Bhattman
- hoolio
Cirrostratus
Do you see 'x packets dropped' when running the tcpdump command? If so, you could try to narrow down which packets you're trying to capture using more exact filters.
Or are you using a FastL4 profile? If so, the packets accelerated by the PVA would not be fully seen by TMM or tcpdump:
https://support.f5.com/kb/en-us/solutions/public/6000/500/sol6546.html
The tcpdump utility runs on the Linux Host CPU, which does not receive PVA-accelerated traffic. Therefore, virtual server traffic that is fully accelerated by the PVA chip will not be captured by tcpdump. The PVA chip resides on the switchboard, between the BIG-IP system's switch subsystem and the host motherboard.
The PVA handles accelerated traffic in the following order:
* The PVA receives accelerated traffic from the switch subsystem
* The PVA transforms the packet in order to redirect the packet to the appropriate pool member
* The PVA sends the packet back to the switch subsystem
Fully accelerated traffic never reaches the internal trunk and is not processed by TMM.
-------------
Running tcpdump on a switch interface is rate-limited to 200 packets per second. Therefore, if you run tcpdump on an interface that is processing more than 200 packets per second, the captured tcpdump file will not include all of the packets.
Aaron
- jack_39736
Nimbostratus
On this particular VIP, I am not using FastL4 but that's good to know that I won't see all packets when doing so. I am using the "tcp" profile for this VIP.
Here is my command and some of the output. I never see the "dropped packet" counter increment and I have tried several different switches in the tcpdump command line and all of them give me the same thing:
[admin@ct1-f51600corp-01:Active] ~ tcpdump -i 1.1 host 172.21.61.3 -s 1514 -l
00:33:28.295468 802.1Q vlan4094 P0 172.21.61.3.http > 172.21.73.42.4436: F 149:149(0) ack 477 win 4856 (DF)
00:33:28.295468 802.1Q vlan4094 P0 172.21.61.3.http > 172.21.73.42.4437: P 1:149(148) ack 480 win 4859 (DF)
00:33:28.295468 802.1Q vlan4094 P0 172.21.61.3.http > 172.21.73.42.4437: F 149:149(0) ack 480 win 4859 (DF)
00:33:28.295468 802.1Q vlan4094 P0 172.21.73.42.4436 > 172.21.61.3.http: . ack 150 win 64364 (DF)
00:33:28.295468 802.1Q vlan4094 P0 172.21.73.42.4437 > 172.21.61.3.http: . ack 150 win 64364 (DF)
00:33:28.295468 802.1Q vlan4094 P0 172.21.73.42.4436 > 172.21.61.3.http: F 477:477(0) ack 150 win 64364 (DF)
00:33:28.295468 802.1Q vlan4094 P0 172.21.61.3.http > 172.21.73.42.4436: . ack 478 win 4856 (DF)
00:33:28.295468 802.1Q vlan4094 P0 172.21.73.42.4437 > 172.21.61.3.http: F 480:480(0) ack 150 win 64364 (DF)
00:33:28.295468 802.1Q vlan4094 P0 172.21.61.3.http > 172.21.73.42.4437: . ack 481 win 4859 (DF)
177 packets received by filter
0 packets dropped by kernel
- The_Bhattman
Nimbostratus
You could verify if PVA is enabled on the virtual by running b virtual and looking to see if PVA is turned on.
You can get around the somewhat slowness by simply using tcpdump -i 1.1 host 172.21.61.3 -s 1514 -l
Just my 2 cents
Bhattman
- jack_39736
Nimbostratus
I just checked and I'm not running PVA on the interface; however, I just reread this portion of a previous post which might explain my symptoms:
"Running tcpdump on a switch interface is rate-limited to 200 packets per second. Therefore, if you run tcpdump on an interface that is processing more than 200 packets per second, the captured tcpdump file will not include all of the packets."
I'm not sure if I'm exceeding 200pps....is there a command that can tell me that?
thanks
jack
- hoolio
Cirrostratus
You could also try dumping on the vlan name to avoid the interface limit:
tcpdump -i external host 172.21.61.3 -s 0 -l
Aaron
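The checks discussed in this thread (the "packets dropped by kernel" counter and the 200 packets-per-second ceiling on switch-interface captures) can be applied to saved tcpdump text output. The following Python sketch is an added example, not part of the original thread and not F5 code; the function names are hypothetical, the sample lines are constructed in the format jack posted, and treating a second that reaches the limit as "possibly clipped" is a heuristic assumption.

```python
import re
from collections import Counter

# Start of a tcpdump text line in the format shown in the thread, e.g.
# "00:33:28.295468 802.1Q vlan4094 P0 172.21.61.3.http > ..."
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\.\d+\s")
RECEIVED_RE = re.compile(r"^(\d+) packets received by filter")
DROPPED_RE = re.compile(r"^(\d+) packets dropped by kernel")

RATE_LIMIT_PPS = 200  # switch-interface capture limit quoted in the thread


def analyze_capture(text, limit=RATE_LIMIT_PPS):
    """Count printed packets per second and read the tcpdump summary lines."""
    per_second = Counter()
    received = dropped = None
    for line in text.splitlines():
        line = line.strip()
        if m := LINE_RE.match(line):
            per_second[m.group(1)] += 1          # bucket by HH:MM:SS
        elif m := RECEIVED_RE.match(line):
            received = int(m.group(1))
        elif m := DROPPED_RE.match(line):
            dropped = int(m.group(1))
    # Seconds that reached the ceiling may have been clipped (heuristic).
    saturated = sorted(s for s, n in per_second.items() if n >= limit)
    return {
        "packets_printed": sum(per_second.values()),
        "peak_pps": max(per_second.values(), default=0),
        "saturated_seconds": saturated,
        "received": received,
        "dropped": dropped,
        "suspect_incomplete": bool(saturated) or bool(dropped),
    }


def constructed_sample(n, second="00:33:28", dropped=0):
    """Build n constructed packet lines (documentation IPs) plus a summary."""
    body = [
        f"{second}.{i:06d} 802.1Q vlan4094 P0 192.0.2.10.http > "
        f"192.0.2.20.4436: . ack 150 win 4856 (DF)"
        for i in range(n)
    ]
    summary = [f"{n} packets received by filter",
               f"{dropped} packets dropped by kernel"]
    return "\n".join(body + summary)


if __name__ == "__main__":
    for n in (9, 200):
        print(n, analyze_capture(constructed_sample(n)))
```

A quiet capture like the one posted above stays well under the ceiling, so a result with `suspect_incomplete` false points away from the interface rate limit as the cause of missing packets.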
