Technical Forum
TCPDump for capturing traffic between Virtual Server and Pool Members

IRONMAN
Cirrostratus

Hi All,

Considering that F5 is a full proxy, how do I capture the server-side traffic? Some notes say the source IP must be the client IP, where the actual request comes from; in other notes the VIP is the source IP for server-side traffic. Can anyone give a clear idea on this?

Without SNAT: None (no Automap)

Client IP: 172.16.16.100
VS: 172.16.16.1
Pool_HTTP with 1 member: 1. WEB_A: 10.10.10.11
SNAT: None (no Automap)

tcpdump -i VLAN-INTERNAL 'src host 172.16.16.1 and (dst host 10.10.10.11)' -w int.pcap

or

tcpdump -i VLAN-INTERNAL 'src host 172.16.16.100 and (dst host 10.10.10.11)' -w int.pcap

Something I always do is capture some more information on the BIG-IP and use Wireshark to filter it out.

This command is what F5 Support usually use:

tcpdump -nn -s0 -i 0.0:nnnp -w /shared/tmp/Cxxxx_tcpdump_$(date +%d_%b_%H_%M_%S)_$HOSTNAME.pcap host x.x.x.x or host y.y.y.y or host z.z.z.z

  • x.x.x.x = IP address of client connecting to the virtual server. Or if this IP address is unknown, the IP address of the virtual server.
  • y.y.y.y = IP address of first pool member
  • z.z.z.z = IP address of second pool member.

The -i 0.0:nnnp flag will capture traffic on all VLANs and it will also enable the F5 Ethernet Trailer. The F5 Ethernet trailer will gather F5 specific information which can be analyzed in Wireshark.

Getting Started with the F5 Wireshark Plugin on Windows

Then, using the F5 Ethernet Trailer, I filter out the sessions based on the Flow Session ID, captured by the F5 Ethernet Trailer. Jason describes it in detail in the same article.

That way, the tcpdump syntax is easy to remember, it does not miss any information and it is quick to work with in Wireshark.

But that is how I usually work with tcpdumps.
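As an added illustration of the support-style capture above (this is not code from the thread or from F5), the following bash helpers build the host filter and the full command line for the topology in the question; the function names, the C123456 case id and the refusal of non-dotted-quad arguments are my own assumptions. Nothing here runs tcpdump itself, it only returns the command so it can be checked before use.

```shell
#!/bin/bash
# Added example, not from the thread. Builds the F5 Support style tcpdump
# command: -i 0.0:nnnp captures every VLAN and adds the F5 Ethernet trailer,
# -s0 keeps whole packets, -nn avoids name/port lookups, and the filter lists
# client, virtual server and pool member IPs so both legs of the full proxy
# are captured whatever the SNAT setting is.

# build_filter <ip>... : join the hosts into "host a or host b or ..."
build_filter() {
  local filter="" ip
  for ip in "$@"; do
    # Only plain dotted-quad arguments are accepted, so a stray shell
    # metacharacter cannot end up inside the BPF expression.
    case "$ip" in
      *[!0-9.]*|"") echo "build_filter: invalid IP '$ip'" >&2; return 1 ;;
    esac
    filter="${filter:+$filter or }host $ip"
  done
  printf '%s\n' "$filter"
}

# capture_cmd <case-id> <ip>... : full command line written to /shared/tmp,
# with the timestamp and hostname in the file name as in the reply above.
capture_cmd() {
  local case_id="$1" filter
  shift
  filter=$(build_filter "$@") || return 1
  printf "tcpdump -nn -s0 -i 0.0:nnnp -w /shared/tmp/%s_tcpdump_%s_%s.pcap '%s'\n" \
    "$case_id" "$(date +%d_%b_%H_%M_%S)" "${HOSTNAME:-unknown-host}" "$filter"
}

# Topology from the question (constructed values): client, VS, one pool member.
capture_cmd C123456 172.16.16.100 172.16.16.1 10.10.10.11
```

Run the printed command on the BIG-IP, then open the pcap in Wireshark with the F5 plugin and follow the flow by its Flow Session ID, as the reply describes.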

Vasim
Altostratus

Getting Started with the F5 Wireshark Plugin on Windows

This article is not opening, can you share it?

Hey Vasim

It seems that the article has been moved since the site was rebuilt. Please check this instead:

Getting Started with the F5 Wireshark Plugin on Windows

I also found this really nice lab exercise that F5 has created on CloudDocs which covers TCPdump and involves Wireshark and the plugin:

Troubleshoot with tcpdump and Wireshark

I hope this gives you all the information you are looking for. 😀