Forum Discussion
Tracking server side IPs using an external SNAT translation?
There is an external SNAT address that is generating lots of traffic to an application that is due to be decommissioned. Any servers on our internal side of the LTM are allowed to use this SNAT. Many systems use the Server side LTM IPs as their default gateway for large amounts of legitimate traffic as well as the traffic to the application which will be decommed.
Is there a way to track server side clients using the LTM as a default gateway to see which are generating traffic to the specific application that is to be decommed? I've tried several tcpdumps but perhaps my 'dump-fu' isn't sufficient to come up with the appropriate parameters to identify the offending traffic. If I grab only traffic to the ultimate destination of the traffic, I only see the SNAT IP of the LTM. If I only grab the traffic from the available self-IPs on the server side, I cannot differentiate legitimate traffic from the application traffic I wish to locate (LDAP).
Has anyone come across a similar situation or is there another way to look at the problem?
Our hosts are scattered and managed by many different groups, each with very limited control of their environments, otherwise we would simply have people check their equipment or be prepared for an outage. As it is... any such move would most likely create customer impact.
Any help is greatly appreciated,
J
2 Replies
- Jason_40733
Cirrocumulus
Help no longer needed. A nice lunch fixed the brain spasm.
tcpdump -ni 0.0 host [to be killed VIP] and not [SNAT IP]
Thanks for listening.
J
- hoolio
Cirrostratus
A few options:
Create a forwarding VS for the destination host that you want to report on and use a new SNAT address for the traffic. You can then view the VS stats to check for conn rates, tcpdump to trace or an iRule to log client IPs.
Check the connection table entry to see which client IPs are using the SNAT.
Use the -i 0.0:nnn in your tcpdump command to record the flows in the tcpdump:
http://devcentral.f5.com/wiki/AdvDesignConfig.F5WiresharkPlugin.ashx
Aaron
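The filter from the first reply shows the pre-SNAT leg packet by packet; the added example below (not code from either poster) turns that text output into a per-client count of new connections to the VIP. It assumes standard one-line `tcpdump -n` IPv4 output; the function names, addresses and sample capture are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-client count of new connections to a VIP, read from
# `tcpdump -n` text output on stdin (IPv4, one packet per line).

# count_clients VIP SNAT_IP [PORT]   (hypothetical helper name)
count_clients() {
    awk -v vip="$1" -v snat="$2" -v port="${3:-}" '
        # "a.b.c.d.port:" -> "a.b.c.d"
        function addr(s,   p) {
            sub(/:$/, "", s); split(s, p, ".")
            return p[1] "." p[2] "." p[3] "." p[4]
        }
        # "a.b.c.d.port:" -> "port"
        function prt(s,   p, n) {
            sub(/:$/, "", s); n = split(s, p, ".")
            return p[n]
        }
        $2 == "IP" && $4 == ">" {
            src = addr($3); dst = addr($5)
            if (dst != vip || src == snat) next        # other target, or the post-SNAT leg
            if (port != "" && prt($5) != port) next    # optional service filter
            if ($0 !~ /Flags \[S\]/) next              # bare SYN: one hit per new connection
            hits[src]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample capture: VIP 192.0.2.50, SNAT 198.51.100.10 (documentation ranges).
sample_capture() {
    cat <<'EOF'
10:15:01.000001 IP 10.1.20.15.51234 > 192.0.2.50.389: Flags [S], seq 1, win 29200, length 0
10:15:01.000050 IP 198.51.100.10.40001 > 192.0.2.50.389: Flags [S], seq 9, win 29200, length 0
10:15:01.000900 IP 192.0.2.50.389 > 198.51.100.10.40001: Flags [S.], seq 5, ack 10, win 28960, length 0
10:15:01.000950 IP 192.0.2.50.389 > 10.1.20.15.51234: Flags [S.], seq 7, ack 2, win 28960, length 0
10:15:01.001000 IP 10.1.20.15.51234 > 192.0.2.50.389: Flags [.], ack 8, win 229, length 0
10:15:02.000001 IP 10.1.20.22.40110 > 192.0.2.50.389: Flags [S], seq 3, win 29200, length 0
10:15:03.000001 IP 10.1.20.15.51240 > 192.0.2.50.389: Flags [S], seq 4, win 29200, length 0
10:15:04.000001 IP 10.1.30.7.33000 > 192.0.2.50.443: Flags [S], seq 5, win 29200, length 0
10:15:05.000001 IP 10.1.30.7.33001 > 203.0.113.9.389: Flags [S], seq 6, win 29200, length 0
EOF
}

# Clients opening LDAP (389) connections to the VIP, busiest first.
sample_capture | count_clients 192.0.2.50 198.51.100.10 389
```

Counting bare SYNs rather than packets keeps one long-lived, chatty session from outranking a host that reconnects constantly, which is usually the host that notices a decommission first.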
