on
24-Sep-2013
12:40
- edited on
18-Mar-2022
10:04
by
JRahm
My colleague, Simon Kowallik, recently posted something really cool to our internal message boards. It started with the question:
“Have you ever wanted to run captures with Wireshark on BIG-IP?”
Answer: Yes, for like twelve years I wanted to do this!
In the post below, Simon shows us how to use the packet tracing tool Wireshark (or any other tool that reads pcaps from tcpdump) directly with BIG-IP using only some slight of hand.
Anyway, I thought this was so awesome that it deserved wider audience so here it is, republished with Simon’s permission. Have fun!
Posted by Simon Kowallik in on Jul 7, 2013 9:02:38 AM
We actually can do that without installing X, wireshark and hundreds of libraries on BIG-IP. Which is not an option anyway. 🙂
There are a few things we need:
The trick is to launch an ssh session without a login shell and run tcpdump through it on the remote system making tcpdump write raw packets to STDOUT while piping it to our local wireshark reading from STDIN.
Here are two examples:
cygwin on Windows
# ssh -l root 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" |
/cygdrive/c/Program\ Files/Wireshark/Wireshark.exe -k -i -
Linux
# ssh -l root 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" |
/usr/bin/wireshark -k -i -
Windows CMD with plink (download from putty homepage):
plink.exe -l root -pw default 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" |
"c:\Program Files\Wireshark\wireshark.exe" -k -i -
I think you can figure out how it works. If not, here are a few hints:
Caveats
Tcpdump does buffer the output when writing to a file (our STDOUT in our case), which unfortunately means it might take some time until we can see the traffic in wireshark. Tcpdump offers options to influence the buffering however this is not implemented in our version of Libpcap (tested on 11.4HF1).
This is especially annoying if we want to capture low volume traffic. What we could do is capturing icmp echo requests+replies additionally to the traffic we are interested in, and remove them again with the wireshark display filter. Then start a ping to push the interesting packets to wireshark faster.
Words of warning
You are piping the whole packet capture through ssh, so make sure you define your tcpdump filter reasonable, otherwise bad things might happen.
Connect with David: | Connect with F5: |
|
http://blog.sflow.com/2011/11/wireshark.html
You should find the wireshark.exe in .\App\Wireshark\ within your portable installation folder.