have you tried tcpdump?
for irule, to get payload i understand you need collect it using TCP::collect.
TCP::collect wiki
https://devcentral.f5.com/wiki/iRules.tcp__collect.ashx
e.g.
[root@ve10:Active] config b virtual bar list
virtual bar {
snat automap
pool foo
destination 172.28.19.79:80
ip protocol 6
rules myrule
}
[root@ve10:Active] config b pool foo list
pool foo {
members 200.200.200.101:80 {}
}
[root@ve10:Active] config b rule myrule list
rule myrule {
when CLIENT_ACCEPTED {
log local0. ""
TCP::collect
}
when CLIENT_DATA {
log local0. ""
log local0. [TCP::payload]
TCP::release
TCP::collect
}
when SERVER_CONNECTED {
log local0. ""
log local0. "clientside [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
log local0. "serverside [IP::local_addr]:[TCP::local_port] -> [IP::remote_addr]:[TCP::remote_port]"
TCP::collect
}
when SERVER_DATA {
log local0. ""
log local0. [TCP::payload]
TCP::release
TCP::collect
}
}
[root@ve10:Active] config tail -f /var/log/ltm
Jul 5 16:53:29 local/tmm info tmm[5111]: Rule myrule :
Jul 5 16:53:29 local/tmm info tmm[5111]: Rule myrule :
Jul 5 16:53:29 local/tmm info tmm[5111]: Rule myrule : HEAD / HTTP/1.1 User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Host: 172.28.19.79 Accept: */*
Jul 5 16:53:29 local/tmm info tmm[5111]: Rule myrule :
Jul 5 16:53:29 local/tmm info tmm[5111]: Rule myrule : clientside 172.28.19.251:36022 -> 172.28.19.79:80
Jul 5 16:53:29 local/tmm info tmm[5111]: Rule myrule : serverside 200.200.200.10:36022 -> 200.200.200.101:80
Jul 5 16:53:29 local/tmm info tmm[5111]: Rule myrule :
Jul 5 16:53:29 local/tmm info tmm[5111]: Rule myrule : HTTP/1.1 200 OK Date: Thu, 05 Jul 2012 09:05:28 GMT Server: Apache/2.2.3 (CentOS) Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT ETag: "4183e4-3e-9c564780" Accept-Ranges: bytes Content-Length: 62 Content-Type: text/html; charset=UTF-8