Running Wireshark captures from F5 BIG-IP
My colleague, Simon Kowallik, recently posted something really cool to our internal message boards. It started with the question: “Have you ever wanted to run captures with Wireshark on BIG-IP?” Answer: Yes, for like twelve years I wanted to do this! In the post below, Simon shows us how to use the packet tracing tool Wireshark (or any other tool that reads pcaps from tcpdump) directly with BIG-IP using only some slight of hand. Anyway, I thought this was so awesome that it deserved wider audience so here it is, republished with Simon’s permission. Have fun! Posted by Simon Kowallik in on Jul 7, 2013 9:02:38 AM We actually can do that without installing X, wireshark and hundreds of libraries on BIG-IP. Which is not an option anyway. 🙂 There are a few things we need: SSH access to the BIG-IP, bash or tmsh is fine Proper SSH client on our Desktop, eg. OpenSSH or alternatives (putty & plink) The trick is to launch an ssh session without a login shell and run tcpdump through it on the remote system making tcpdump write raw packets to STDOUT while piping it to our local wireshark reading from STDIN. Here are two examples: cygwin on Windows # ssh -l root 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | /cygdrive/c/Program\ Files/Wireshark/Wireshark.exe -k -i - Linux # ssh -l root 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | /usr/bin/wireshark -k -i - Windows CMD with plink (download from putty homepage): plink.exe -l root -pw default 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | "c:\Program Files\Wireshark\wireshark.exe" -k -i - I think you can figure out how it works. If not, here are a few hints: Tcpdump's option -w with - as an argument writes to STDOUT instead of a file Wireshark's -i option reads from an interface, - as an argument makes STDIN the interface. STDIN/STDOUT is represented by - on most platforms. Caveats Tcpdump does buffer the output when writing to a file (our STDOUT in our case), which unfortunately means it might take some time until we can see the traffic in wireshark. Tcpdump offers options to influence the buffering however this is not implemented in our version of Libpcap (tested on 11.4HF1). This is especially annoying if we want to capture low volume traffic. What we could do is capturing icmp echo requests+replies additionally to the traffic we are interested in, and remove them again with the wireshark display filter. Then start a ping to push the interesting packets to wireshark faster. Words of warning You are piping the whole packet capture through ssh, so make sure you define your tcpdump filter reasonable, otherwise bad things might happen.
Unable to SSH BIG IP F5 GTM
Hi, I have a F5 BIGIP GTM box. I am able to access its GUI. However I am unable to access it via SSH Via doing a SSH via Putty just a black screen appears and nothing else happens. Please if someone can suggest any solution I have checked and my IP address is allowed in the Allowable IP's for SSHConnecting to F5 using SSH via Ansible
I am in the process of writing a playbook which uses SSH to connect to F5 and run a bash command (ntpdate -d time_server) to confirm NTP connectivity across the environment. For SSH I am using root. Here is the task that I have in the playbook. - name: "Check NTP on {{override_host}}" vars: ansible_connection: ssh ansible_user: "root" ansible_password: "{{root_pwd}}" ansible_ssh_private_key_file: "~/.ssh/f5-ansible-ssh" command: cmd: ntpdate -d {{item}} loop: "{{new_ntp_servers}}" register: ntp_status The error message that I get is as follows MSG: The module failed to execute correctly, you probably need to set the interpreter. See stdout/stderr for the exact error MODULE_STDOUT: /bin/sh: /usr/local/bin/python3.9: No such file or directory MODULE_STDERR: ******************************* IMPORTANT NOTE ****************************** Banner ***************************************************************************** Shared connection to ltm closed. Any help would be greatly appreciated...
SCP not working anymore since upgrade to 12.1
Hi, I recently upgraded my Big-IP from 11.6 HF6 to 12.1 successfully. However, I am not able anymore to execute scp commands which I used to transfer my ucs backups remotely. Any attempt always end up with a "no hostkey alg" error. I tried many different things like regenerating rsa and dsa keys like I always do after an upgrade, but as of today have been unsuccessful... Any advice someone ? Thanks, Pascal.
Setting up Forwarding IP VS on LTM to route SSH traffic
I am trying to route SSH traffic through a LTM onto a subnet. This is a prototype setup and so is slightly restrictive in that I have only one public IP address for external traffic to come into the LTM (which is a LAB license setup), behind this I have a "outer" n/w where I have a jump server and a web server and an "inner" n/w where I have app servers. I have setup HTTP virtual servers and have an iRule to route http traffic to the appropriate web server virtual IP address and onto an app server if needed. So in this setup I am attempting to route SSH requests via the single external IP address into the outer n/w layer. I have tried a network based forwarding IP VS to on available. Example VS definition... ltm virtual SSH-Forwarding-VS { description "Virtual Server for routing SSH traffic" destination 0.0.0.0:ssh ip-forward ip-protocol tcp mask any profiles { lab-forwarding-fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vs-index 11 } Yet all that I succeed in achieving is opening a SSH session with the actual LTM itself :-( I used this as a reference: http://packetpushers.net/stateless-routing-f5-ltm/ This prototype environment has been created in the AWS cloud, so the VPC, subnets and security groups have been setup to allow the traffic through. Any suggestions appreciated, thanks!
SSH-proxy and keyboard interactive authentication not working
I am trying to test the SSH proxy funtionality of AFM, but I am not succeeding at all. I am aiming for keyboard interactive authentication (username/password), but all I get is "Authentication failed." For my test-setup I have followed this to the letter: https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-12-1-0/13.print.html Section: Defining SSH proxy password or keyboard interactive authentication My setup goes: 10.128.1.1 --> 10.128.10.100 (VS with SSH-proxy profile) --> 10.128.10.128 (backend server) Directly SSH 10.128.1.1 ---> 10.128.10.128 work just fine If I goes through the virtuel Bigip on 10.128.10.100 I get: debug1: Host '10.128.10.100' is known and matches the RSA host key. debug1: Found key in /Users/testuser/.ssh/known_hosts:4 debug1: rekey after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey after 4294967296 blocks debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,keyboard-interactive,password debug1: Next authentication method: publickey debug1: Trying private key: /Users/testuser/.ssh/id_rsa debug1: Trying private key: /Users/testuser/.ssh/id_dsa debug1: Trying private key: /Users/testuser/.ssh/id_ecdsa debug1: Trying private key: /Users/testuser/.ssh/id_ed25519 debug1: Next authentication method: keyboard-interactive Authentication failed. I have taken to public key from the backend server /etc/ssh/ssh_host_rsa_key.pub and placed a copy in "Real Server Auth Public Key" field. I have taken a private key generated on the virtual Bigip, using ssh-keygen, and placed a copy in "Proxy Server Auth Private key" field. I made sure that HostKey /etc/ssh/ssh_host_rsa_key is not commented out on the backend server. According to the article linked to above, it should now work, but it does not. Can anyone help me?
SSH access through App Tunnel
Hi, I am trying to access SSH to target server using App Tunnel. The SSH server authenticate using authentication public key, not normal password based authentication. I already generated authentication keys and registered on the SSH server and import key on putty. Putty error is showsing as below snapshot when tesed, which I guess regarding Authentication key issue. In this environment, how can I set up App Tunnel, especially Launch Application section?Golang SSH script for F5?
I am testing a small program written in go to SSH into an F5 do some work but still getting a failure to connect . Has anyone else ran into a similar issue? Code is below: package main import ( "bytes" "fmt" "golang.org/x/crypto/ssh" "log" ) func main() { devices := make([]string, 0) devices = append(devices, "xxxxxx:22") // An SSH client is represented with a ClientConn. // // To authenticate with the remote server you must pass at least one // implementation of AuthMethod via the Auth field in ClientConfig. config := &ssh.ClientConfig{ User: "xxxxxxx", Auth: []ssh.AuthMethod{ ssh.Password("xxxxxxxx"), }, HostKeyCallback: ssh.InsecureIgnoreHostKey(), } for _, d := range devices { client, err := ssh.Dial("tcp", d, config) if err != nil { log.Fatal("Failed to dial: ", err) } // Each ClientConn can support multiple interactive sessions, // represented by a Session. session, err := client.NewSession() if err != nil { log.Fatal("Failed to create session: ", err) } // Once a Session is created, you can execute a single command on // the remote side using the Run method. var b bytes.Buffer session.Stdout = &b if err := session.Run("ls -l"); err != nil { log.Fatal("Failed to run: " + err.Error()) } fmt.Println(b.String()) err = session.Close() if err != nil { fmt.Printf("Failed to close session for %v\n", d) } } }
Setting up Forwarding IP VS on LTM to route SSH traffic
I am trying to route SSH traffic through a LTM onto a subnet. This is a prototype setup and so is slightly restrictive in that I have only one public IP address for external traffic to come into the LTM (which is a LAB license setup), behind this I have a "outer" n/w where I have a jump server and a web server and an "inner" n/w where I have app servers. I have setup HTTP virtual servers and have an iRule to route http traffic to the appropriate web server virtual IP address and onto an app server if needed. So in this setup I am attempting to route SSH requests via the single external IP address into the outer n/w layer. I have tried a network based forwarding IP VS to on available. Example VS definition... ltm virtual SSH-Forwarding-VS { description "Virtual Server for routing SSH traffic" destination 0.0.0.0:ssh ip-forward ip-protocol tcp mask any profiles { lab-forwarding-fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vs-index 11 } Yet all that I succeed in achieving is opening a SSH session with the actual LTM itself :-( I used this as a reference: http://packetpushers.net/stateless-routing-f5-ltm/ This prototype environment has been created in the AWS cloud, so the VPC, subnets and security groups have been setup to allow the traffic through. Any suggestions appreciated, thanks!
