Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Running Wireshark captures from F5 BIG-IP

David_Holmes_12
Historic F5 Account

on ‎24-Sep-2013 12:40 - edited on ‎18-Mar-2022 10:04 by Community Manager

0151T000003d5uCQAQ.jpgMy colleague, Simon Kowallik, recently posted something really cool to our internal message boards. It started with the question:

“Have you ever wanted to run captures with Wireshark on BIG-IP?”

Answer: Yes, for like twelve years I wanted to do this!

In the post below, Simon shows us how to use the packet tracing tool Wireshark (or any other tool that reads pcaps from tcpdump) directly with BIG-IP using only some slight of hand.

Anyway, I thought this was so awesome that it deserved wider audience so here it is, republished with Simon’s permission. Have fun!

Posted by Simon Kowallik in on Jul 7, 2013 9:02:38 AM

We actually can do that without installing X, wireshark and hundreds of libraries on BIG-IP. Which is not an option anyway. 🙂

There are a few things we need:

  • SSH access to the BIG-IP, bash or tmsh is fine
  • Proper SSH client on our Desktop, eg. OpenSSH or alternatives (putty & plink)

The trick is to launch an ssh session without a login shell and run tcpdump through it on the remote system making tcpdump write raw packets to STDOUT while piping it to our local wireshark reading from STDIN.

Here are two examples:

cygwin on Windows

# ssh -l root 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | 
/cygdrive/c/Program\ Files/Wireshark/Wireshark.exe -k -i -

Linux

# ssh -l root 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" |
/usr/bin/wireshark -k -i -

Windows CMD with plink (download from putty homepage):

plink.exe -l root -pw default 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" |
"c:\Program Files\Wireshark\wireshark.exe" -k -i -

I think you can figure out how it works. If not, here are a few hints:

  • Tcpdump's option -w with - as an argument writes to STDOUT instead of a file
  • Wireshark's -i option reads from an interface, - as an argument makes STDIN the interface.
  • STDIN/STDOUT is represented by - on most platforms.

Caveats

Tcpdump does buffer the output when writing to a file (our STDOUT in our case), which unfortunately means it might take some time until we can see the traffic in wireshark. Tcpdump offers options to influence the buffering however this is not implemented in our version of Libpcap (tested on 11.4HF1).

This is especially annoying if we want to capture low volume traffic. What we could do is capturing icmp echo requests+replies additionally to the traffic we are interested in, and remove them again with the wireshark display filter. Then start a ping to push the interesting packets to wireshark faster.

Words of warning

You are piping the whole packet capture through ssh, so make sure you define your tcpdump filter reasonable, otherwise bad things might happen.

Connect with David: Connect with F5:
0151T000003d5QFQAY.png 0151T000003d5QGQAY.png 0151T000003d5QHQAY.png 0151T000003d5QIQAY.png   0151T000003d5QHQAY.png 0151T000003d5QIQAY.png 0151T000003d5QLQAY.png 0151T000003d5QMQAY.png
0 Kudos
Comments
JRahm
Community Manager
Community Manager
‎24-Sep-2013 13:13
sweetness!
0 Kudos
LyonsG_85618
Cirrostratus
Cirrostratus
‎25-Sep-2013 14:56
Awesom....very useful solution.
0 Kudos
Chris_FP
Cirrus
Cirrus
‎26-Sep-2013 08:00
It works like a dream with the full installed version of WireShark but I was unable to get it to work with WireShark Portable. Not sure what the differences are, be nice to know what I'd need to do to fix it so it does.
0 Kudos
LEON_LI_38034
Nimbostratus
Nimbostratus
‎26-Sep-2013 18:59
COOL!!!!!
0 Kudos
netvis_66639
Nimbostratus
Nimbostratus
‎28-Sep-2013 13:38
Great article. In cases where you don't yet know what tcpdump filter you want to apply, you can use the sFlow packet sampling capability in 11.4 with Wireshark to get an overview that will help select sensible filters:

 

 

http://blog.sflow.com/2011/11/wireshark.html
0 Kudos
Don_Flinspach_1
Historic F5 Account
‎07-Oct-2013 21:59
While the buffering option (-U, for the curious) that David mentions as not being supported by F5’s supplied version of libpcap, the -l flag (line buffering) certainly seems to be. This seems to show all but the last line captured, so the output is a little more immediate. YMMV, of course, but this was tested in 11.4.0 and 11.4.1.
0 Kudos
Simon_Kowallik1
Historic F5 Account
‎28-Nov-2013 22:44
@Chris: For wireshark portable look for the real wireshark.exe. The WiresharkPortable.exe is just a wrapper which is invoking the real one.

 

You should find the wireshark.exe in .\App\Wireshark\ within your portable installation folder.
0 Kudos
Brian_Mayer_841
Nimbostratus
Nimbostratus
‎09-Jun-2014 12:48
Awesome article, saves me a step when doing my packet captures! Thank you so much, Simon/David.
0 Kudos
dtooke_164654
Nimbostratus
Nimbostratus
‎23-Jul-2014 14:38
Nice. I like the idea, still trying to get it to work though.
0 Kudos
akshaykkapoor_1
Nimbostratus
Nimbostratus
‎14-Dec-2014 05:33
awesome work ..
0 Kudos
Ilya_Chernyakov
Historic F5 Account
‎15-Dec-2014 06:34
;-[] no more black screens!
0 Kudos
aspindler34_133
Nimbostratus
Nimbostratus
‎06-Jan-2015 09:42
This is absolutely fabulous! I am going to add this to my arsenal.
0 Kudos
mike_mccracken1
Nimbostratus
Nimbostratus
‎01-Feb-2016 05:50
Love it
0 Kudos
Anirban
Nimbostratus
Nimbostratus
‎07-Jun-2023 09:59

I am capturing packet in a client where I can see backend pool member communicating with client directly.

Client---f5 vip--pool member---client via F5

Backend pool member gw=f5 ip

Is this right behaviour? 

0 Kudos
Version history
Last update:
‎18-Mar-2022 10:04
Updated by:
Community Manager
Copyright © 2023 Khoros, LLC