Forum Discussion
Tcpdump with Snat
Hi Mario,
A nice way to filter your tcpdumps on an F5 is:
tcpdump -vnni 0.0:nnn -s0 '(host Client_IP and host Virtual_IP) or (host SNAT_IP and host Pool_member1) or (host SNAT_IP and host Pool_member2)' -w /var/tmp/capture.pcap
The "-v" in front of "nni" will enable you to see how many packets are being captured every second, in real-time, even when the output is going to a file. Also, this way of filtering restricts your SNAT communication only with the pool members belonging to the Virtual Server that you're trying to troubleshoot, so you should have a reasonable amount of traffic to work with.
It is best to capture more packets in the buffer and use Wireshark to view the logs. You can use the command below:
tcpdump -A -s 65535 -x -vv -nni 0.0 host h.h.h.h -w /var/tmp/filename.pcap
To capture and analyze clientssl connections inbound to an F5, cd to directory /config/ssl.key and then run the following command from that directory:
tcpdump -A -s 65535 -x -vv -nni VLAN_or_INTERFACE host x.x.x.x and host x.x.x.x -w /var/tmp/capture_file
(If you don't know the interface or VLAN name, simply replace the field with 0.0.)
Once stopped (using Ctrl + C), use ssldump to read the conversation:
ssldump -r /var/tmp/capture_file -d -k keyname_of_cert_used_in_ssl_profile.key
Here the packet will be decoded and any errors will be seen. This is pretty good for Mutual Authentication and SSL handshake troubleshooting.
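Added example, not part of the original posts: a shell helper that builds the client/VIP plus SNAT/pool-member filter from the first reply for any number of pool members, and rejects malformed addresses before the capture starts. The function names (is_ipv4, build_snat_filter) are hypothetical and the addresses in the usage comment are constructed.

```shell
# Hypothetical helpers (not F5 tools). Function bodies run in subshells,
# so IFS and positional-parameter changes do not leak into the caller.

# Succeed only if $1 is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() (
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*|'') exit 1 ;;   # stray characters or empty octets
    esac
    IFS=.
    set -- $ip                               # split on dots into $1..$n
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# build_snat_filter CLIENT_IP VIRTUAL_IP SNAT_IP POOL_MEMBER...
# Prints: (host CLIENT and host VIP) or (host SNAT and host MEMBER1) or ...
build_snat_filter() (
    if [ $# -lt 4 ]; then
        echo "usage: build_snat_filter CLIENT_IP VIRTUAL_IP SNAT_IP POOL_MEMBER..." >&2
        exit 2
    fi
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; exit 1; }
    done
    client=$1 vip=$2 snat=$3
    shift 3
    # Client-side leg of the connection.
    filter="(host $client and host $vip)"
    # Server-side leg: one clause per pool member, always paired with the SNAT
    # address so other traffic from that SNAT address is left out.
    for member in "$@"; do
        filter="$filter or (host $snat and host $member)"
    done
    printf '%s\n' "$filter"
)

# Usage on the BIG-IP (constructed addresses):
#   tcpdump -vnni 0.0:nnn -s0 \
#     "$(build_snat_filter 198.51.100.7 192.0.2.10 192.0.2.50 192.0.2.101 192.0.2.102)" \
#     -w /var/tmp/capture.pcap
```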