Running Wireshark captures from F5 BIG-IP
My colleague, Simon Kowallik, recently posted something really cool to our internal message boards. It started with the question: "Have you ever wanted to run captures with Wireshark on BIG-IP?" Answer: Yes, for like twelve years I wanted to do this! In the post below, Simon shows us how to use the packet tracing tool Wireshark (or any other tool that reads pcaps from tcpdump) directly with BIG-IP using only some sleight of hand. Anyway, I thought this was so awesome that it deserved a wider audience, so here it is, republished with Simon's permission. Have fun!

Posted by Simon Kowallik on Jul 7, 2013 9:02:38 AM

We actually can do that without installing X, Wireshark and hundreds of libraries on BIG-IP. Which is not an option anyway. 🙂

There are a few things we need:

- SSH access to the BIG-IP; bash or tmsh is fine
- A proper SSH client on our desktop, e.g. OpenSSH or alternatives (PuTTY & plink)

The trick is to launch an ssh session without a login shell and run tcpdump through it on the remote system, making tcpdump write raw packets to STDOUT while piping it to our local Wireshark reading from STDIN. Here are a few examples:

cygwin on Windows:

    ssh -l root 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | /cygdrive/c/Program\ Files/Wireshark/Wireshark.exe -k -i -

Linux:

    ssh -l root 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | /usr/bin/wireshark -k -i -

Windows CMD with plink (download from the PuTTY homepage):

    plink.exe -l root -pw default 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | "c:\Program Files\Wireshark\wireshark.exe" -k -i -

I think you can figure out how it works. If not, here are a few hints:

- Tcpdump's option -w with - as an argument writes to STDOUT instead of a file.
- Wireshark's -i option reads from an interface; - as an argument makes STDIN the interface.
- STDIN/STDOUT is represented by - on most platforms.
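The pipeline above, wrapped in a small script as an added example (this is not Simon's code or anything shipped with BIG-IP). It builds the remote tcpdump command with the same flags as the post, refuses to run without a capture filter, and can append ICMP to the filter so that a ping flushes buffered packets into Wireshark sooner, as described in the caveats that follow. It assumes ssh and wireshark are on PATH and that the remote user is root, as in the post.

```shell
#!/bin/sh
# Added example: wrap the "ssh | wireshark" pipeline from the post in a script.
# Assumptions: ssh and wireshark are on PATH; the remote login is root as in
# the post; interface name and capture filter are supplied by the caller.

# Build the remote tcpdump command string with the flags used in the post:
#   -w -   write raw pcap to STDOUT (which ssh carries back to us)
#   -s0    capture full packets
#   -p     do not put the interface into promiscuous mode
#   -i IF  BIG-IP interface, e.g. 0.0 for all TMM interfaces
# $1 = interface, $2 = capture filter, $3 = "icmp" to also capture ICMP so a
# ping can push buffered packets through to Wireshark sooner.
build_remote_cmd() {
    iface="$1"; filter="$2"; flush="$3"
    # Refuse an empty filter: the whole capture travels through the ssh
    # session, so an unfiltered capture is exactly the "bad things" case.
    if [ -z "$filter" ]; then
        echo "refusing to run tcpdump without a capture filter" >&2
        return 1
    fi
    if [ "$flush" = "icmp" ]; then
        filter="($filter) or icmp"
    fi
    # Single-quote the filter so the remote shell hands it to tcpdump intact.
    printf "tcpdump -w - -s0 -pi %s '%s'" "$iface" "$filter"
}

# Run the pipeline: tcpdump on the BIG-IP -> ssh -> local Wireshark
# (-k starts capturing immediately, -i - reads from STDIN).
run_capture() {
    host="$1"; iface="$2"; filter="$3"; flush="$4"
    remote=$(build_remote_cmd "$iface" "$filter" "$flush") || return 1
    ssh -l root "$host" "$remote" | wireshark -k -i -
}

# Usage: ./bigip-capture.sh 192.168.1.245 0.0 "tcp port 80" [icmp]
if [ "$#" -ge 3 ]; then
    run_capture "$@"
fi
```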
Caveats

Tcpdump buffers its output when writing to a file (STDOUT in our case), which unfortunately means it might take some time until we can see the traffic in Wireshark. Tcpdump offers options to influence the buffering; however, this is not implemented in our version of libpcap (tested on 11.4HF1). This is especially annoying if we want to capture low-volume traffic. What we can do is capture ICMP echo requests and replies in addition to the traffic we are interested in, and remove them again with a Wireshark display filter. Then start a ping to push the interesting packets to Wireshark faster.

Words of warning

You are piping the whole packet capture through ssh, so make sure you define your tcpdump filter reasonably, otherwise bad things might happen.

Decrypting SSL traffic - PMS and egress
Hi - two questions combined.

Background: trying to catch and decipher tcpdump both for Client -> VIP and F5 -> Pool Members traffic. I'm following this tutorial: Decrypt with tcpdump --f5 ssl

I managed to catch the frontend traffic, but I'm struggling with creating the PMS key. I want to automate it using the provided Wireshark cmd command, but I get the error:

    C:\Program Files\Wireshark: invalid option -- 'T'
    C:\Program Files\Wireshark: invalid option -- 'e'

I'm using Wireshark 3.4.8 - what would be the equivalent options for my version? Unfortunately, using Linux in this environment is out of the question. I can only work on a Windows stepping stone and can't send the captures to my PC.

Second issue: catching the backend traffic does not produce the F5 TLS in the pcap capture... The server SSL profile is present, but I have no idea how to force the --f5 ssl option in tcpdump to catch the keys.

Will appreciate any advice - it is my second day struggling with the issue.

TACACS not working - No TACACS packets in TCPDUMP
Hi, I have a problem with user authentication over TACACS on BIG-IP 12.0 HF2 (Virtual Edition). I configured TACACS and added host routes to the TACACS servers over the MGMT interface, all according to the config guide, but it is not working. There are no packets in the tcpdump. I tried tcpdump over all interfaces, also with the command

    tcpdump -nni 0.0 port 49

but there is not a single packet in the trace. In the log there are these messages:

    May 25 16:30:30 f5-04-1 warning httpd[14928]: pam_unix(httpd:auth): check pass; user unknown
    May 25 16:30:30 f5-04-1 notice httpd[14928]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=10.24.131.4
    May 25 16:30:33 f5-04-1 err httpd[14928]: [error] [client 10.24.131.4] AUTHCACHE PAM: user 'xxx' - not authenticated: Authentication failure, referer: https://localhost:15443/tmui/login.jsp?msgcode=1&
    May 25 16:30:33 f5-04-1 info httpd(pam_audit)[14928]: User=xxx tty=(unknown) host=10.24.131.4 failed to login after 1 attempts (start="Wed May 25 16:30:30 2016" end="Wed May 25 16:30:33 2016").
    May 25 16:30:33 f5-04-1 info httpd(pam_audit)[14928]: 01070417:6: AUDIT - user xxx - RAW: httpd(pam_audit): User=xxx tty=(unknown) host=10.24.131.4 failed to login after 1 attempts (start="Wed May 25 16:30:30 2016" end="Wed May 25 16:30:33 2016").

TACACS configuration:

    auth source {
        type tacacs
    }
    auth tacacs system-auth {
        encryption disabled
        protocol ip
        secret $M$DF$/p4kusJntSq1Ydp41sLeZCOA/SrorObenISS/2pX08k=
        servers {
            192.168.134.206
            10.51.10.68
        }
        service ppp
    }

Management routes configuration:

    sys management-route default {
        description configured-statically
        gateway 10.24.131.1
        mtu 1500
        network default
    }
    sys management-route TACACS-1 {
        gateway 10.24.131.1
        network 192.168.134.206/32
    }
    sys management-route TACACS-2 {
        gateway 10.24.131.1
        network 10.51.10.68/32
    }

Any suggestions?

TCPDUMP with SNAT and '-p' usage
Hi, I was reading about tcpdump and the various filters we can use to capture the appropriate traffic. I came across the post at https://devcentral.f5.com/questions/long-term-tcpdump

Assuming that I can capture the traffic from my server even if I have SNAT enabled, I have used the option '-p'. This is the capture filter I have used:

    tcpdump -ni 0.0:nnn -s0 -v -p host 10.20.20.29 and port 80 -w /var/tmp/test_sw.bin

I used Wireshark to read the contents of the file, but I couldn't find any details of the traffic from my backend server. Is it possible to see the traffic from my backend server with the option -p? Am I missing something here? Or will it not show the traffic from my backend server as the IP is not included in the filter?

Wireshark F5 Plugin - Unable to locate file
The last couple of hours I've spent attempting to install the F5 plugin for Wireshark. The directions I've followed are on this DevCentral article. Here's where I am at:

1) Downloaded the Wireshark source tarball.
2) Extracted the file.

Step 3 says to extract the files in the F5 package, but there is no F5 package there. I have a wireshark-plugin.f5ethtrailer.bin.1.11.zip file I downloaded from DevCentral, but I don't believe that's what is being asked for. There's a comment in the Notes section that says the following:

"When compiling on Windows, you need to pretty much build the entire WS distro due to the way Windows handles DLLs. For Linux (and I believe Mac, but I'm not sure), you can get the sources all set up, add in the plugin source, run configure and then run make only in the plugins/f5ethtrailer directory."

This makes me believe I need to uninstall and reinstall Wireshark entirely. Is that so? Not sure what I'm doing wrong here. Any help would be appreciated!

tcpdump and vlan filter
Hi, I have a setup (BIG-IP 11.2.0HF7 VE on ESX 5.1) with int_vlan (interface 1.2) configured as tagged (VLAN ID 350), connected to a VMnet set with ID 4095 (so trunk type). W2K8 has an interface configured with VLAN ID 350 as well.

When using

    tcpdump -ni 1.2 -v -e 'vlan 350'

no traffic is captured.

With

    tcpdump -ni 1.2 -v -e 'host 10.128.30.100'

(the IP of the W2K8 interface), I can see correct tags in the captured packets:

    16:40:07.086904 00:50:56:a9:86:30 > 00:50:56:a9:3b:eb, ethertype 802.1Q (0x8100), length 78: vlan 350, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 616, offset 0, flags [none], proto: ICMP (1), length: 60) 10.128.30.100 > 10.128.30.239: ICMP echo request, id 3, seq 20827, length 40

And

    tcpdump -ni 1.2 -v -e | grep 'vlan 350'

correctly displays packets with my VLAN.

Am I doing something wrong, or is the vlan filter not working for v11.2.0? I tried an advanced filter like this as well:

    tcpdump -ni 1.2 -v -e 'ether[14:2] & 4095 == 350'

(as advised in K2289), but the result is the same.

Piotr

Connection resets happening to web services servers when clients use load balanced URL. Need help to capture traffic.
Hi, I'm seeing complaints saying that there are intermittent resets happening when the client uses the load balanced URL. Out of 60 web requests sent from clients in 30 minutes, 8 to 9 requests were getting dropped intermittently, and I'm asked to identify the issue with the resets and the root cause. Here is the configuration of the VIP. Can someone suggest the best way to capture the traffic when the resets happen? Bear in mind, I cannot run tcpdump for all the 30 minutes as it could generate a huge log file or pcap file. Please suggest the appropriate procedure or tcpdump commands that I can use to capture the traffic when resets happen, so I can give them the reason behind the resets - can I use the ringdump process (I don't know how to do it though)? Please suggest. Thanks.

    ltm virtual vs_gpdef_app_amvescap_ha {
        destination 10.196.1.15:http
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            simple-18000 {
                default yes
            }
        }
        pool pool_GPDEF_app_amvescap_ha
        profiles {
            tcp-gccp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 66
    }
    ltm pool pool_GPDEF_app_amvescap_ha {
        members {
            10.194.232.127:http {
                address 10.194.232.127
                session monitor-enabled
                state up
            }
            10.194.232.134:http {
                address 10.194.232.134
                session monitor-enabled
                state up
            }
        }
        monitor http
    }
    ltm profile tcp tcp-gccp {
        abc enabled
        ack-on-push disabled
        app-service none
        close-wait-timeout 5
        cmetrics-cache enabled
        congestion-control high-speed
        defaults-from tcp
        deferred-accept disabled
        delayed-acks enabled
        dsack disabled
        ecn disabled
        fin-wait-timeout 5
        idle-timeout 2000
        ip-tos-to-client 0
        keep-alive-interval 1800
        limited-transmit enabled
        link-qos-to-client 0
        max-retrans 8
        md5-signature disabled
        md5-signature-passphrase none
        nagle enabled
        pkt-loss-ignore-burst 0
        pkt-loss-ignore-rate 0
        proxy-buffer-high 16384
        proxy-buffer-low 4096
        proxy-mss disabled
        proxy-options disabled
        receive-window-size 32768
        reset-on-timeout enabled
        selective-acks enabled
        send-buffer-size 32768
        slow-start enabled
        syn-max-retrans 3
        time-wait-recycle enabled
        time-wait-timeout 2000
        timestamps enabled
        verified-accept disabled
        zero-window-timeout 20000
    }

F5 Enterprise Manager fails to connect to LTMs
Hello, I have a handful of LTMs that can't communicate with EM. About half can talk to the EM and half can't. The LTMs are 11.4.1 and EM is 3.1.0. The EM talks to the LTMs fine, with iQuery communication in the dump logs being OK. On one of the LTMs in question, an engineer who is still working on the case I have already opened found these errors a couple of days ago:

    May 21 14:44:18 aprcorpextltm1 err eventd[8174]: 012d0012:3: Notification attempt to consumer id D6E738E8-1974-626A-2E52-EF1569494AD FAILED with error Failed to connect to host 10.58.1.124, port 443: Operation already in progress.
    May 21 16:31:33 aprcorpextltm1 err eventd[8174]: 012d0012:3: Notification attempt to consumer id 7451CF6C-1974-F300-1696-9E58A25A09A FAILED with error Failed to connect to host 10.58.1.124, port 443: Operation already in progress.

Anyone run into this before? Thanks

tcpdump 'h' noise amplifier
Does anyone know the definition of the 'h' noise amplifier in tcpdump? It's possible to use this amplifier when I sniff TMM traffic or CMI traffic, so I think it's just to sniff internal process traffic. Could anyone verify this?

    tcpdump -nnei tmm:h host 127.1.1.2 and host 127.1.1.254
    tcpdump -nnei VLAN_HA:h host 1.1.1.1 and port 6699

Is there any official doc related?

KR, Dario.