25-Oct-2022 15:11
What is the best way to capture traffic between client <--> VIP and Self IP <--> Pool Members?
I tried tcpdump -ni 0.0:nnn host <VIP ip address> or host <pool1 ip address> or host <pool2 ip address> -w <file location>
I captured packets with the IP addresses above. How can we isolate or filter this traffic to identify which client-side connection is associated with which server-side connection? Can we do something with the F5 Ethernet trailer Low, Medium and High details?
25-Oct-2022 23:11
You can use tcpdump -nni 0.0:nnnp host <client ip address> to match both sides of the connection as documented in https://support.f5.com/csp/article/K13637
You can use the flowid to match the frontend and backend connections: https://support.f5.com/csp/article/K59414829
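The two KB articles above describe the mechanism; as an added illustration that is not part of this thread or of any F5 tooling, the script below shows how the pairing works once a capture taken with the :nnnp modifier has been exported to text. It assumes the packets were dumped with tshark using the F5 Ethernet trailer fields (the field names f5ethtrailer.flowid and f5ethtrailer.peerid are assumed to be the dissector's names), and the sample records, addresses and flow IDs are constructed for the example.

```python
"""Pair client-side and server-side BIG-IP flows by flowid / peerid.

Input is tab-separated text in the column order an assumed tshark run
such as
  tshark -r cap.pcap -T fields -e frame.number -e ip.src -e ip.dst
         -e tcp.srcport -e tcp.dstport -e f5ethtrailer.flowid
         -e f5ethtrailer.peerid
would produce (field names assumed, see lead-in).
"""

FIELDS = ("frame", "src", "dst", "sport", "dport", "flowid", "peerid")

# Constructed sample: frames 1-4 are one proxied connection
# (client 203.0.113.10 -> VIP 198.51.100.5, then self IP 10.0.0.2 ->
# pool member 10.0.0.20).  Frame 5 is a client SYN whose server-side
# flow has not been created yet, so its peerid is still 0.
SAMPLE_TSV = """\
1\t203.0.113.10\t198.51.100.5\t51234\t443\t0x1a2b\t0x3c4d
2\t10.0.0.2\t10.0.0.20\t40001\t8443\t0x3c4d\t0x1a2b
3\t198.51.100.5\t203.0.113.10\t443\t51234\t0x1a2b\t0x3c4d
4\t10.0.0.20\t10.0.0.2\t8443\t40001\t0x3c4d\t0x1a2b
5\t203.0.113.11\t198.51.100.5\t51300\t443\t0x5e6f\t0x0
"""


def parse_flows(tsv_text):
    """Group packets by F5 flowid; returns {flowid: flow-dict}."""
    flows = {}
    for line in tsv_text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        flow = flows.setdefault(rec["flowid"], {
            "flowid": rec["flowid"], "peerid": None,
            "ips": set(), "frames": [],
        })
        flow["frames"].append(int(rec["frame"]))
        flow["ips"].update((rec["src"], rec["dst"]))
        # A peerid of 0 means no peer flow exists (yet); keep the last
        # non-zero value seen so a flow that gains a peer later pairs up.
        if int(rec["peerid"], 16) != 0:
            flow["peerid"] = rec["peerid"]
    return flows


def pair_flows(flows, vips):
    """Return (pairs, unpaired).

    pairs    - list of (client_flowid, server_flowid); the flow that
               talks to a VIP address is taken as the client side.
    unpaired - flowids with no peer, or whose peer does not point back
               (a one-sided reference is reported rather than paired).
    """
    pairs, unpaired, seen = [], [], set()
    for fid, flow in flows.items():
        if fid in seen:
            continue
        peer = flows.get(flow["peerid"]) if flow["peerid"] else None
        if peer is None or peer["peerid"] != fid:
            unpaired.append(fid)
            seen.add(fid)
            continue
        client, server = (flow, peer) if flow["ips"] & vips else (peer, flow)
        pairs.append((client["flowid"], server["flowid"]))
        seen.update((fid, peer["flowid"]))
    return pairs, unpaired


def describe(flows, pairs, unpaired):
    """Human-readable summary lines for a paired capture."""
    lines = []
    for cid, sid in pairs:
        lines.append("client flow %s frames %s <-> server flow %s frames %s" % (
            cid, flows[cid]["frames"], sid, flows[sid]["frames"]))
    for fid in unpaired:
        lines.append("flow %s has no reciprocal peer (frames %s)" % (
            fid, flows[fid]["frames"]))
    return lines


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_TSV)
    pairs, unpaired = pair_flows(flows, {"198.51.100.5"})
    print("\n".join(describe(flows, pairs, unpaired)))
```

The reciprocal check matters: a flowid seen in a trailer only proves that the sending TMM believed it had a peer at that moment, so a flow whose peer never points back is listed separately instead of being silently joined to the wrong connection. With a real export, replace SAMPLE_TSV with the file contents and pass the virtual server addresses as the vips set.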
26-Oct-2022 07:59 - edited 26-Oct-2022 12:23
Thank you for your response. Because we are capturing traffic on any interface with the tcpdump -i 0.0 option, shouldn't it capture all the traffic, including pool members and self IP? Why would we still need the p option? I see that the p option may cause some high resource utilization. Is there any significance to using the p option? Can't we just use the client IP without the p option, add the VIP and pool member options like below, and then filter it out with the flow from the client side associated to the server side?
tcpdump -ni 0.0:nnn host <VIP ip address> or host <pool1 ip address> or host <pool2 ip address>
26-Oct-2022 04:15
Hello,
As @Juergen_Mang said, the "p" option allows you to capture both sides.
"You can use the p interface modifier with the n modifier to capture traffic with TMM information for a specific flow and its related peer flow. The p modifier allows you to capture a specific traffic flow through the BIG-IP system from end to end."
Besides, show the traffic in Wireshark using the flow option to isolate traffic as you need.
Navigate to Statistics > Flow Graph, and you will find an output similar to the one below that shows the client side and server side:
BR,
Mohamed Salah