
cdurski_171657
12 years ago

View entire connection through F5

I want to see what happens when a specific IP connects to a virtual server IP, and then is sent to the real server nodes in the pool -- or if it is not I want to see why. How do I track one connection to see any issues or to see the detail of a working connection?

 

5 Replies

  • You didn't say how you wanted this information, so I will just throw this out there. We use this method with Wireshark to display the tcpdump. The new version 11.2 feature -p captures the peer server side connection with just the client IP in the command! This link has more details: http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13637.html This example shows how the command looks with a single client.

    tcpdump -ni 0.0:nnnp -s 0 host 10.6.160.92 -w /var/tmp/test1.pcap

    OR

    Note, with the "-p" flag, you can narrow down by all traffic to that VIP as well if you put

    tcpdump -ni 0.0:nnnp -s 0 host <vip-address> and port <port> -w /var/tmp/traffic_to_vip.pcap

    Example:

    tcpdump -ni 0.0:nnnp -s 0 host 1.1.1.1 and port 443 -w /var/tmp/traffic_to_vip.pcap

    • cdurski_171657
      Looks good to start. Will that just show the connection on one side of the F5, or is it going to give me the entire conversation through the F5? How can I then export that pcap for analysis in a pcap tool? I'm not good with Linux.
    • cdurski_171657
      If I want to see a source of 198.192.180.75 connecting to VIP of 10.205.250.137, would that command look like this:

        tcpdump -ni 0.0:nnnp -s 198.192.180.75 host 10.205.250.137 -w /var/tmp/test1.pcap

      Also, starting and stopping the capture... how do I do that? Sorry for being noobish.
  • Hitting the return key after the command string above will start the capture. Holding Ctrl, while also pressing the "c" key will stop the capture. Ctrl-c can be used to terminate many other processes as well.


  • shaggy

    If you want to examine connection details while the connection is live/active, you can run the tmsh show sys connection command:

    show sys connection cs-client-addr (client-IP-address) cs-server-addr (virtual-server-address)

    This will show the connection through to the pool member, but will only show currently-open connections. You can append "all-properties" to the command to get additional connection detail.
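
Added example, not part of any post in this thread: a Python sketch that checks whether a pcap written by the tcpdump commands above holds one side or the whole conversation, by listing its TCP flows and splitting them into the client-side leg (flows touching the VIP) and the server-side leg. The sample capture is constructed; the ports, the pool member 10.10.10.20 and the function names are assumptions.

```python
import socket
import struct
from collections import Counter

def tcp_flows(pcap):
    """Count packets per (src, sport, dst, dport) in a classic pcap file (bytes)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    flows, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        t = 12                                   # offset of the EtherType field
        while frame[t:t + 2] in (b"\x81\x00", b"\x88\xa8"):
            t += 4                               # skip 802.1Q / 802.1ad VLAN tags
        ip = frame[t + 2:]
        if frame[t:t + 2] != b"\x08\x00" or len(ip) < 20 or ip[9] != 6:
            continue                             # keep IPv4/TCP only
        ports = ip[(ip[0] & 0x0F) * 4:][:4]      # TCP header starts after the IP header
        if len(ports) == 4:                      # skip frames cut before the ports
            sport, dport = struct.unpack("!HH", ports)
            flows[(socket.inet_ntoa(ip[12:16]), sport,
                   socket.inet_ntoa(ip[16:20]), dport)] += 1
    return flows

def split_legs(flows, vip):
    """Flows touching the VIP are the client side; the rest are the server side."""
    legs = {"client_side": [], "server_side": []}
    for flow in sorted(flows):
        legs["client_side" if vip in (flow[0], flow[2]) else "server_side"].append(flow)
    return legs

def build_pcap(packets):
    """Constructed capture; 8 zero bytes per frame stand in for the F5 trailer."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, sport, dst, dport in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + b"\x00" * 8
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample: client and VIP from the thread; ports and pool member are hypothetical.
SAMPLE = build_pcap([("198.192.180.75", 51000, "10.205.250.137", 443),
                     ("198.192.180.75", 51000, "10.10.10.20", 8080)])
```

On a real capture, pass the file's bytes, for example `split_legs(tcp_flows(open("test1.pcap", "rb").read()), "10.205.250.137")`; an empty `server_side` list means the capture holds only the client-to-VIP half.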