tcpdump from client to VIP and Self Ip to Pool

Question

What is the best way to capture traffic between

client <--> VIP and Self IP <--->Pool Members

I tried tcpdump -ni 0.0:nnn host<VIP ip address> or host<pool1 ip address> or host <pool 2 ip address> -w <file Location>

I captured packets with the the ip addresses above. How can we isolate or filter this traffic to identify which client side connection is associated which server side connection. Can we do something with the F5 ethernet trailer Low, Medium and High Details

juergen_mang · Answer

You can use tcpdump -nni 0.0:nnnp host &lt;client ip address&gt; to match both sides of the connection as documented in https://support.f5.com/csp/article/K13637You can use the flowid to match the frontend and backend connections: https://support.f5.com/csp/article/K59414829

mohamed_salah_ · Answer

Hello,&nbsp;As Juergen_Mang&nbsp;said, the "P" option allows you to capture both sides."you can use the p interface modifier with the n modifier to capture traffic with TMM information for a specific flow and its related peer flow. The p modifier allows you to capture a specific traffic flow through the BIG-IP system from end to end,"Besides show the traffic in the wireshark using the flow option to isolate traffic as you need.navigate to Statistics &gt; Flow Graph, you will find an output similar to the below one that shows client side and server side: BR,Mohamed Salah

inquisitivemai · Answer

Thank you for your response. Because we are capturing traffic on any interface with tcpdump -i 0.0 option, should not it capture all the traffic including poolmembers and self Ip. Why would we still need p option? I see that p option may cause some high resource utlization. Is there any significance to use p option? Can't we just use the client ip without the p option and add the VIP and pool members option like below and then filter it out with the flow from clientside associated to serverside

tcpdump -ni 0.0:nnn host<VIP ip address> or host<pool1 ip address> or host <pool 2 ip address>

Forum Discussion

tcpdump from client to VIP and Self Ip to Pool

3 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

8. SYN Cookie: Troubleshooting tcpdump

Decrypting TLS with the tcpdump sslprovider

Tcpdump Capture

decrypted tcpdump capture without using an iRule using tshark

Enhance your Application Security using Client-side signals