cancel
Showing results for 
Search instead for 
Did you mean: 

Tcpdump Capture

Ashu
Nimbostratus
Nimbostratus

Hello,

 

I am trying to do a packet capture on the F5 LTM where F5 is just acting as a gateway however i am not able to capture the complete tcp stream, i just get the tcp 3 way handshake packets and there is no application data..

 

Below is the syntax i am using, Please help.

 

tcpdump -s0 -venni 0.0:nnnp -w/var/tmp/dot_slowness_5.pcap host x.x.x.x

 

Where x.x.x.x is the source ip address.

1 ACCEPTED SOLUTION

Simon_Blakely
F5 Employee
F5 Employee

If the specific forwarding virtual is a Performance (Layer4) virtual and you have suitable hardware, then the connection may be shifted to the ePVA or PVA ASIC (on older hardware). This means that once the TCP handshake is complete and the flow is eligible for the Packet Velocity ASIC, the body of the flow is handled in the switch hardware itself and not in TMM.

 

K12837: Overview of the ePVA feature

 

If this is the case, then you need to either disable PVA for the profile on that virtual while you take the packet capture, or you need to capture on the interface/trunk (but this has a 200 packets per second restriction).

 

K6546: Recommended methods and limitations for running tcpdump on a BIG-IP system

 

-----

For systems containing a Packet Velocity ASIC (PVA), the tcpdump utility does not capture virtual server traffic that is fully accelerated by the PVA chip. The PVA resides on the switchboard, between the BIG-IP system's switch subsystem and the host motherboard. The chip processes accelerated traffic by accepting packets from the switch subsystem, transforming the packets to redirect them to the appropriate pool member, and then sending the packets back to the switch subsystem. Fully accelerated traffic never reaches the internal trunk and is not processed by TMM.

For example, the following command does not capture PVA accelerated traffic:

tcpdump -ni <vlan_name>

Note: To determine whether your platform contains a PVA chip, use the tmsh show /sys hardware |grep -i pva command for BIG-IP 11.0.0 and later, or the bigpipe platform |grep -i pva command for versions of BIG-IP that start with 9 and 10.

You can work around this limitation by temporarily disabling PVA acceleration for the FastL4 profile, capturing the traffic in a VLAN tcpdump and then re-enabling PVA acceleration for the FastL4 profile. To disable or enable PVA acceleration using the Configuration utility, navigate to Local Traffic > Profile > Protocol > FastL4 > [profile_name] > PVA Acceleration.

 -----

View solution in original post

2 REPLIES 2

Simon_Blakely
F5 Employee
F5 Employee

If the specific forwarding virtual is a Performance (Layer4) virtual and you have suitable hardware, then the connection may be shifted to the ePVA or PVA ASIC (on older hardware). This means that once the TCP handshake is complete and the flow is eligible for the Packet Velocity ASIC, the body of the flow is handled in the switch hardware itself and not in TMM.

 

K12837: Overview of the ePVA feature

 

If this is the case, then you need to either disable PVA for the profile on that virtual while you take the packet capture, or you need to capture on the interface/trunk (but this has a 200 packets per second restriction).

 

K6546: Recommended methods and limitations for running tcpdump on a BIG-IP system

 

-----

For systems containing a Packet Velocity ASIC (PVA), the tcpdump utility does not capture virtual server traffic that is fully accelerated by the PVA chip. The PVA resides on the switchboard, between the BIG-IP system's switch subsystem and the host motherboard. The chip processes accelerated traffic by accepting packets from the switch subsystem, transforming the packets to redirect them to the appropriate pool member, and then sending the packets back to the switch subsystem. Fully accelerated traffic never reaches the internal trunk and is not processed by TMM.

For example, the following command does not capture PVA accelerated traffic:

tcpdump -ni <vlan_name>

Note: To determine whether your platform contains a PVA chip, use the tmsh show /sys hardware |grep -i pva command for BIG-IP 11.0.0 and later, or the bigpipe platform |grep -i pva command for versions of BIG-IP that start with 9 and 10.

You can work around this limitation by temporarily disabling PVA acceleration for the FastL4 profile, capturing the traffic in a VLAN tcpdump and then re-enabling PVA acceleration for the FastL4 profile. To disable or enable PVA acceleration using the Configuration utility, navigate to Local Traffic > Profile > Protocol > FastL4 > [profile_name] > PVA Acceleration.

 -----

Thank You for your response Simon, It makes perfect sense to me now.