on 09-Dec-2014 14:04
1. Download and install Wireshark:
2. Extract f5ethtrailer.dll from the appropriate folder for your system. For my Wireshark 1.10 64-bit installation, that folder is Win64_WS1-10-2.
3. Copy the file to the Wireshark plugins folder (on my system, it is C:\Windows\Program Files\Wireshark\plugins\1.10.11)
3. Launch Wireshark. Go to Help->About Wireshark. Click the Plugins tab. The f5ethtrailer.dll should be listed.
In order to utilize the Wireshark plugin, you need to flag the tcpdump command appropriately with -s0 and setting the level of noise by flagging the interface with a colon followed by a single, double, or triple n for, respectively, low, medium, and high details. For example:
tcpdump -s0 -ni vlan
:nnn
-w/var/tmp/filename
.pcap
The basic information for each noise level is below. For greater details, please reference Solution 3637.
So what does the package capture look like once loaded into Wireshark? Well, first off, you'll notice an INFO frame that provides not only the hostname and platform information of the BIG-IP the packet capture was taken from, but also the tcpdump parameters that were set.
Next, take a look at a packet that is actually hitting a virtual server:
Here, you can see that the packet is being handled by TMM 1 and is hitting the /Common/tesvip virtual server. Also useful is the flow ID, which allows you to bind the front-end client connection with the associated back-end connections. You can either right-click the flow ID and select Apply as Filter and then Selected:
Or, you can just set the filter manually in the filter field (f5ethtrailer.flowid == 0x0000570075cfd200):
John T, one of our excellent engineers, suggested that you should use the f5ethtrailer.anyflowid filter if you're going to type it out as that will get you packets where that flow id is the flowid OR the peerid, resulting in getting both the client and server side of the connection. John is also the source of much of the rest of this article, so hat tip his way!
Starting in version 1.9 of the plugin, you can also select from a few F5 conversation filters (as appropriate) directly in the menu:
This is a shortcut for:
(ip.addr eq 192.168.101.1 and ip.addr eq 192.168.101.51 and tcp.port eq 61843 and tcp.port eq 80) or \ (f5ethtrailer.peeraddr eq 192.168.101.1 and f5ethtrailer.peeraddr eq 192.168.101.51 and f5ethtrailer.peerport eq 61843 \ and f5ethtrailer.peerport eq 80 and (f5ethtrailer.peeripproto eq 6 or (f5ethtrailer.peeripproto eq 0 and tcp)))
That's quite a shortcut! I can't imagine remembering all those switches, let alone typing it all without fat-fingering something.
You can filter on many other fields in the plugin, but hopefully this is a good launch point for you to get started with analyzing your BIG-IP traffic flows. Happy analysis!
[1] Missing Trailers / Low Noise: If you are missing the Low details of the trailer for some packets (typically short packets), try modifying the settings for the Ethernet dissector. Go to "Edit/Preferences...", expand "Protocols" on the left and select "Ethernet". Disable "Assume short frames which include a trailer contain padding".
Starting in BIG-IP v14.1.0, if that preference is enabled, trailers, not just low noise, will be missing on short packets.
Plugin is working with Wireshark-win64-2.0.7, Wireshark-win64-2.0.6, Wireshark-win64-2.0.5 When you performing update 2.0.x 64bit, then do not forget copy plugin file (wireshark-plugin.f5ethtrailer.bin.1.11.zip\Win64-2.0.1\f5ethtrailer.dll) to new plugin folder, currently "c:\Program Files\Wireshark\plugins\2.0.7\"
WireShark 2.2.1 is released. And Since 2.05 the updated Windows plugin doesn't work on 32-bit. Apparently 64bit works on 2.05, 06, 07....But nothing works for 2.2.0 or 2.2.1
Is there a doc that explains how to compile, step by step, so we can do this and not have to wait for F5 guys to do it?
Wow. I looked and I admit defeat. How does that create the f5plugin.dll file? I think I got lost at Chocolatey. lol. Kudos to whoever processes that for the rest of us. I wonder if a script could be run to make it easier.
If possible I would also like the a working plugin for 32-bit on Wireshark 2.2
This is the error I get running Wireshark from a command line with the 32-bit plugin:
09:43:46 Err Field 'VIP' (f5ethtrailer.vip) is a FT_ABSOLUTE_TIME but is being displayed as BASE_NONE instead of as a time
Sorry, forgot to update here but the wireshark page has had the code updates for a while now. My bad!
As of Wireshark 2.6 (rel. 4/24/2018) the f5ethtrailer is included as a built-in dissector. Wireshark 2.6.0 incorporated the 1.11b version of the dissector.
https://www.wireshark.org/news/20180424.html
It is disabled by default. To enable it, from the menu select "Anyalyze" : "Enabled Protocols...". Then search for f5ethtrailer and enable the dissector.