Getting Started with the F5 Wireshark Plugin on Windows

Note: As of Wireshark 2.6, this dissector is pre-bundled and does not need separate downloading and installation. Simply enable it via Analyze => Enabled Protocols => F5 Ethernet trailer => f5ethtrailer[1].

Installation

1. Download and install Wireshark:

• 01.09.00 (released 12/16/2014) - Version 1.9 of the plugin includes binaries for wireshark versions 1.8, 1.10, and 1.12 on linux and windows for the wireshark 32bit/64bit application.
• 01.10.00 (released 04/09/2015) - Version 1.10 of the plugin adds support for v12 and fixes a minor bug. Binaries for WS 1.8, 1.10, 1.12 for Win32, Win64, Linux32, and Linux64 included.
• 01.11.00 (released 06/04/2016) - Version 1.11 of the plugin adds support for Wireshark 2.0. Binaries for WS 1.10.2, 1.12.1, and 2.0.1 for Win32, Win64, Linux32, Linux64, and OS X included.
• 01.11.01 (released 03/20/2017) - Version 1.11.a (1.11.01 in the version list below) of the plugin adds support for Wireshark 2.2. Tested on versions:
  • Win32/Win64 - 2.2.4/2.2.5
  • Linux64 - 2.2.0/2.2.4/2.2.5
  • Linux32 - 2.2.0/2.2.4
  • OSX - 2.2.0/2.2.5
• 01.11.02 (released 09/25/2017) - Version 1.11.b (1.11.02 in the version list below) of the plugin adds support for Wireshark 2.4.

2. Extract f5ethtrailer.dll from the appropriate folder for your system.  For my Wireshark 1.10 64-bit installation, that folder is Win64_WS1-10-2.
3. Copy the file to the Wireshark plugins folder (on my system, it is C:\Windows\Program Files\Wireshark\plugins\1.10.11)

 

3. Launch Wireshark. Go to Help->About Wireshark. Click the Plugins tab. The f5ethtrailer.dll should be listed.

Usage

In order to utilize the Wireshark plugin, you need to flag the tcpdump command appropriately with -s0 and setting the level of noise by flagging the interface with a colon followed by a single, double, or triple n for, respectively, low, medium, and high details. For example:

tcpdump -s0 -ni vlan

:nnn

 -w/var/tmp/filename

.pcap 

The basic information for each noise level is below. For greater details, please reference Solution 3637.

• Low Details (:n) - The low details include ingress or egress flow direction, the slot and TMM handling the packet, and the vip, if applicable.
• Medium Details (:nn) - The medium details include the low details plus flow and peer IDs, and the F5 reset cause. The remaining fields in the medium details are likely only helpful to F5 support.
• High Details (:nnn) - The high details include the low and medium details plus all the related peer data, protocol, vlan associated with the flow, and local and remote addresses and ports. You'll want this setting for the F5 conversation menu items.

So what does the package capture look like once loaded into Wireshark? Well, first off, you'll notice an INFO frame that provides not only the hostname and platform information of the BIG-IP the packet capture was taken from, but also the tcpdump parameters that were set.

Next, take a look at a packet that is actually hitting a virtual server:

Here, you can see that the packet is being handled by TMM 1 and is hitting the /Common/tesvip virtual server. Also useful is the flow ID, which allows you to bind the front-end client connection with the associated back-end connections. You can either right-click the flow ID and select Apply as Filter and then Selected:

Or, you can just set the filter manually in the filter field (f5ethtrailer.flowid == 0x0000570075cfd200):

John T, one of our excellent engineers, suggested that you should use the f5ethtrailer.anyflowid filter if you're going to type it out as that will get you packets where that flow id is the flowid OR the peerid, resulting in getting both the client and server side of the connection. John is also the source of much of the rest of this article, so hat tip his way!

Starting in version 1.9 of the plugin, you can also select from a few F5 conversation filters (as appropriate) directly in the menu:

This is a shortcut for:

(ip.addr eq 192.168.101.1 and ip.addr eq 192.168.101.51 and tcp.port eq 61843 and tcp.port eq 80) or \
(f5ethtrailer.peeraddr eq 192.168.101.1 and f5ethtrailer.peeraddr eq 192.168.101.51 and f5ethtrailer.peerport eq 61843 \
and f5ethtrailer.peerport eq 80 and (f5ethtrailer.peeripproto eq 6 or (f5ethtrailer.peeripproto eq 0 and tcp)))

That's quite a shortcut! I can't imagine remembering all those switches, let alone typing it all without fat-fingering something.

You can filter on many other fields in the plugin, but hopefully this is a good launch point for you to get started with analyzing your BIG-IP traffic flows. Happy analysis!


[1] Missing Trailers / Low Noise: If you are missing the Low details of the trailer for some packets (typically short packets), try modifying the settings for the Ethernet dissector. Go to "Edit/Preferences...", expand "Protocols" on the left and select "Ethernet". Disable "Assume short frames which include a trailer contain padding".

Starting in BIG-IP v14.1.0, if that preference is enabled, trailers, not just low noise, will be missing on short packets.