Tracking server side IPs using an external SNAT translation?
There is an external SNAT address that is generating lots of traffic to an application that is due to be decommissioned. Any servers on our internal side of the LTM are allowed to use this SNAT. Many systems use the Server side LTM IPs as their default gateway for large amounts of legitimate traffic as well as the traffic to the application which will be decommed.
Is there a way to track server side clients using the LTM as a default gateway to see which are generating traffic to the specific application that is to be decommed? I've tried several tcpdumps but perhaps my 'dump-fu' isn't sufficient to come up with the appropriate parameters to identify the offending traffic. If I grab only traffic to the ultimate destination of the traffic, I only see the SNAT IP of the LTM. If I only grab the traffic from the available self-IPs on the server side, I cannot differentiate legitimate traffic from the application traffic I wish to locate (LDAP).
Has anyone come across a similar situation or is there another way to look at the problem?
Our hosts are scattered and managed by many different groups, each with very limited control of their environments, otherwise we would simply have people check their equipment or be prepared for an outage. As it is... any such move would most likely create customer impact.
Any help is greatly appreciated,
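
One way to approach the capture described in the question, as an added example that is not part of the original post: packets arriving on the server-side VLAN still carry their real source address, because the SNAT is applied on the way out, so filtering on the final destination plus the LDAP port and tallying sources identifies the hosts still using the application. The VLAN name, the addresses (documentation ranges) and the helper names `count_ldap_sources` and `sample_capture` are assumptions.

```bash
#!/bin/sh
# Added example: rank pre-SNAT source IPs talking LDAP to one destination.
# Assumed capture (placeholders, not values from the post), taken on the
# server-side VLAN where packets still carry their real source address:
#   tcpdump -nn -i <server_side_vlan> 'dst host <app_ip> and tcp dst port 389'

# count_ldap_sources DEST_IP [PORT]
# Reads `tcpdump -nn` text lines on stdin and prints "<count> <source_ip>",
# highest count first, for IPv4 packets sent to DEST_IP:PORT (default 389).
count_ldap_sources() {
    awk -v want="$1.${2:-389}" '
        {
            # Find "IP <src>.<sport> > <dst>.<dport>:" regardless of how many
            # timestamp or interface columns precede it.
            for (i = 1; i + 3 <= NF; i++) {
                if ($i == "IP" && $(i + 2) == ">") {
                    src = $(i + 1); dst = $(i + 3)
                    sub(/:$/, "", dst)          # strip trailing colon
                    if (dst != want) break      # other destination or port
                    sub(/\.[0-9]+$/, "", src)   # drop the source port
                    hits[src]++
                    break
                }
            }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation address ranges), not real traffic.
sample_capture() {
    cat <<'EOF'
10:15:01.000101 IP 10.20.1.15.49152 > 192.0.2.50.389: Flags [S], seq 1, win 64240, length 0
10:15:01.000480 IP 10.20.1.15.49152 > 192.0.2.50.389: Flags [.], ack 1, win 502, length 0
10:15:02.113000 IP 10.20.3.77.51000 > 192.0.2.50.389: Flags [S], seq 9, win 64240, length 0
10:15:02.200000 IP 10.20.1.15.49153 > 192.0.2.50.443: Flags [S], seq 4, win 64240, length 0
10:15:03.000000 IP 10.20.9.9.40000 > 198.51.100.7.389: Flags [S], seq 7, win 64240, length 0
EOF
}

# Demo on the constructed sample; with a live capture, pipe tcpdump in instead.
sample_capture | count_ldap_sources 192.0.2.50
```

Counting packets rather than connections is deliberate: a host holding one long-lived LDAP session open still shows up in the tally.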