For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

cdurski_171657's avatar
cdurski_171657
Icon for Nimbostratus rankNimbostratus
Sep 25, 2014

View entire connection through F5

I want to see what happens when a specific IP connects to a virtual server IP, and then is sent to the real server nodes in the pool -- or if it is not I want to see why. How do I track one connecti...
application delivery
LTM
management
afedden_1985's avatar
afedden_1985
Icon for Cirrus rankCirrus
Sep 25, 2014

You didn't say how you wanted this information so I will just throw this out there. We use this method with wireshark to display the tcpdump. The new version 11.2 feature –p captures the peer server side connection with just the client ip in the command! This link has more details http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13637.html This example shows how the command looks with a single client.

 

tcpdump -ni 0.0:nnnp -s 0 host 10.6.160.92 -w /var/tmp/test1.pcap OR Note, with the “-p” flag, you can narrow down by all traffic to that VIP as well if you put tcpdump -ni 0.0:nnnp -s 0 host and port -w /var/tmp/traffic_to_vip.pcap Example. tcpdump -ni 0.0:nnnp -s 0 host 1.1.1.1 and port 443 -w /var/tmp/traffic_to_vip.pcap

 

cdurski_171657's avatar
cdurski_171657
Icon for Nimbostratus rankNimbostratus
Sep 25, 2014
Looks good to start. Will that just show the connection on one side of the F5, or is it going to give me the entire conversation through the F5? How can I then export that pcap for analysis in a pcap tool? I'm not good with linux.