tcpdump
35 TopicsDecrypting SSL traffic - PMS and egress
Hi - two questions combined. Background - trying to catch and decipher tcpdump both for Client -> VIP and F5-> Pool Members traffic I'm following this tutorial:Decrypt with tcpdump --f5 ssl I managed to catch the frontend traffic, but I'm struggling with creating the PMS key. I want to automate it using the provided wireshark cmd command, but I get the error: C:\Program Files\Wireshark: invalid option -- 'T' C:\Program Files\Wireshark: invalid option -- 'e' I'm using Wireshark 3.4.8 - what would be the equivalent options for my version? Unfortunately using a Linux in this environment is out of the question. I can only work on Windows stepping stone and can't send the captures to my PC Second issue: Catching the backend traffic does not produce the F5 TLS in the pcap capture... The server ssl profile is present, but I have no idea how to force the --f5 ssl option in tcpdump to catch the keys. Will appreciate any advice - It is my second day struggling with the issue2.5KViews0likes14CommentsTACAS not working - No TACACS packets in TCPDUMP
Hi, I have problem with user authentication over TACACS on BIG-IP 12.0 HF2 (Virtual edition). I configured TACACS, add host routes for TACACS server over MGMT interface, all according to config guide, but it is not workin. There is no packets in TCP dump. I tried TCPDUMP over all interfaces, also with command tcpdump -nni 0.0 port 49 but there is no any packet in trace. In log there are messages May 25 16:30:30 f5-04-1 warning httpd[14928]: pam_unix(httpd:auth): check pass; user unknown May 25 16:30:30 f5-04-1 notice httpd[14928]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=10.24.131.4 May 25 16:30:33 f5-04-1 err httpd[14928]: [error] [client 10.24.131.4] AUTHCACHE PAM: user 'xxx' - not authenticated: Authentication failure, referer: https://localhost:15443/tmui/login.jsp?msgcode=1& May 25 16:30:33 f5-04-1 info httpd(pam_audit)[14928]: User=xxx tty=(unknown) host=10.24.131.4 failed to login after 1 attempts (start="Wed May 25 16:30:30 2016" end="Wed May 25 16:30:33 2016"). May 25 16:30:33 f5-04-1 info httpd(pam_audit)[14928]: 01070417:6: AUDIT - user xxx - RAW: httpd(pam_audit): User=xxx tty=(unknown) host=10.24.131.4 failed to login after 1 attempts (start="Wed May 25 16:30:30 2016" end="Wed May 25 16:30:33 2016"). TACAS configuration: auth source { type tacacs } auth tacacs system-auth { encryption disabled protocol ip secret $M$DF$/p4kusJntSq1Ydp41sLeZCOA/SrorObenISS/2pX08k= servers { 192.168.134.206 10.51.10.68 } service ppp } Management routes configuration: sys management-route default { description configured-statically gateway 10.24.131.1 mtu 1500 network default } sys management-route TACACS-1 { gateway 10.24.131.1 network 192.168.134.206/32 } sys management-route TACACS-2 { gateway 10.24.131.1 network 10.51.10.68/32 } Any suggestions?1.2KViews0likes5CommentsTCPDUMP with SNAT and '-p' usage
Hi, I was reading about the tcpdump and various filters we can use in capturing the appropriate traffic. came across the post @ https://devcentral.f5.com/questions/long-term-tcpdump Assuming that I can capture the traffic from my server even if I have SNAT enabled, I have used option '-p' this is capture filter I have used. tcpdump -ni 0.0:nnn -s0 -v -p host 10.20.20.29 and port 80 -w /var/tmp/test_sw.bin I used wireshark to read the content of the file, but I couldn't find any details traffic of the traffic from my backend server. Is it possible to see the traffic from my backend server with the option -p Am i missing something here ? or It will not show the traffic from my backend server as the IP is not included in the filter?526Views0likes2CommentsWireshark F5 Plugin - Unable to locate file
The last couple of hours I've spent attempting to install the F5 plugin for Wireshark. The directions I've followed are on this DevCentral article. Here's where I am at: 1) Downloaded the Wireshark source tarball. 2) Extracted the file. Step 3 says to extract the files in the F5 package, but there is no F5 package there. I have a wireshark-plugin.f5ethtrailer.bin.1.11.zip file I downloaded from DevCentral, but that's not what is being asked for I don't believe. There's a comment in the Notes section that says the following: When compiling on Windows, you need to pretty much build the entire WS distro due to the way Windows handles DLLs. For Linux (and I believe Mac, but I’m not sure), you can get the sources all setup, add in the plugin source, run configure and then run make only in the plugins/f5ethtrailer directory This makes me believe I need to uninstall and reinstall Wireshark entirely. Is that so? Not sure what I'm doing wrong here. Any help would be appreciated!289Views0likes1Commenttcpdump and vlan filter
Hi, I have setup (BIG-IP 11.2.0HF7 VE on ESX 5.1) with int_vlan (interface 1.2) configured as tagged (VLAN ID 350) connected to VMnet set with 4095 ID (so trunk type). W2K8 has interface configured with VLAN ID 350 as well. When using: tcpdump -ni 1.2 -v -e 'vlan 350' no traffic is captured tcpdump -ni 1.2 -v -e 'host 10.128.30.100' - IP of W2K8 interface, I can see correct tags in captured packets 16:40:07.086904 00:50:56:a9:86:30 > 00:50:56:a9:3b:eb, ethertype 802.1Q (0x8100), length 78: vlan 350, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 616, offset 0, flags [none], proto: ICMP (1), length: 60) 10.128.30.100 > 10.128.30.239: ICMP echo request, id 3, seq 20827, length 40 tcpdump -ni 1.2 -v -e | grep 'vlan 350' - this one is correctly displaying packets with my VLAN Am I doing something wrong or vlan filter is not working for v11.2.0? I tried as well advanced filter like that: tcpdump -ni 1.2 -v -e 'ether[14:2] & 4095 == 350' (as advised in K2289) but result is the same. Piotr3.8KViews0likes1Commentconnection resets happening to web services servers when clients uses load balanced url. Need help to capture traffic.
Hi, I'm seeing complaints saying that there are intermittent resets happening when the client uses load balanced url. Out of 60 web request sent from clients in 30 minutes, 8 to 9 requests were getting dropped intermittently. And I'm asked to identify the issue with resets and root cause. Here is the configuration of the VIP. can someone suggest me the best way to capture the traffic when the resets happen. Bear in mind, I cannot run tcpdump for all the 30 minutes as it could generate a huge log file or pcap file. Please suggest me the appropriate procedure or tcpdump commands that I can use to capture the traffic when resets happen and I can give them the reason behind the that resets - can use ringdump process (I don't know how to do it though). Please suggest. thanks. ltm virtual vs_gpdef_app_amvescap_ha { destination 10.196.1.15:http ip-protocol tcp mask 255.255.255.255 persist { simple-18000 { default yes } } pool pool_GPDEF_app_amvescap_ha profiles { tcp-gccp { } } source 0.0.0.0/0 source-address-translation { type automap } vs-index 66 } ltm pool pool_GPDEF_app_amvescap_ha { members { 10.194.232.127:http { address 10.194.232.127 session monitor-enabled state up } 10.194.232.134:http { address 10.194.232.134 session monitor-enabled state up } } monitor http } ltm profile tcp tcp-gccp { abc enabled ack-on-push disabled app-service none close-wait-timeout 5 cmetrics-cache enabled congestion-control high-speed defaults-from tcp deferred-accept disabled delayed-acks enabled dsack disabled ecn disabled fin-wait-timeout 5 idle-timeout 2000 ip-tos-to-client 0 keep-alive-interval 1800 limited-transmit enabled link-qos-to-client 0 max-retrans 8 md5-signature disabled md5-signature-passphrase none nagle enabled pkt-loss-ignore-burst 0 pkt-loss-ignore-rate 0 proxy-buffer-high 16384 proxy-buffer-low 4096 proxy-mss disabled proxy-options disabled receive-window-size 32768 reset-on-timeout enabled selective-acks enabled send-buffer-size 32768 slow-start enabled syn-max-retrans 3 time-wait-recycle enabled time-wait-timeout 2000 timestamps enabled verified-accept disabled zero-window-timeout 20000 }486Views0likes2Commentsf5 enterprise manager fails to connect to LTMS
Hello, I have a handful of ltms that cant communicate with EM. There is about half that can talk to the the EM and half that cant. The LTMS are 11.4.1 and EM is 3.1.0. The EM talks to the LTMs fine with iquery communication in the dump logs being ok. On of one of the LTMs in question it was discovered by an engineer who is still working on the case that I have already open, he found these errors on one of the LTM's a couple of days ago: 67 May 21 14:44:18 aprcorpextltm1 err eventd[8174]: 012d0012:3: Notification attempt to consumer id D6E738E8- 1974-626A-2E52-EF1569494AD FAILED with error Failed to connect to host 10.58.1.124, port 443: Operation already in progress. 108 May 21 16:31:33 aprcorpextltm1 err eventd[8174]: 012d0012:3: Notification attempt to consumer id 7451CF6C- 1974-F300-1696-9E58A25A09A FAILED with error Failed to connect to host 10.58.1.124, port 443: Operation already in progress. Anyone run into this before ? Thanks254Views0likes2Commentstcpdump 'h' noise amplifier
Does anyone know the definition of 'h' noise amplifier in tcpdump? It's possible to use this amplifier when I sniff TMM traffic or CMI traffic, so I think it's just to sniff internal processes traffic. Could anyone verify this? tcpdump -nnei tmm:h host 127.1.1.2 and host 127.1.1.254 tcpdump -nnei VLAN_HA:h host 1.1.1.1 and port 6699 Is there any official doc related? KR, Dario.Solved800Views0likes5CommentsHow do I decrypt pcaps from the selfIP to Pool members for health monitor traffic?
I can apply and irule and decrypt pcaps for a conversation with a cleint to virtual server and the server-side, but cannot find any documentation on how to get the Pre Master Secret keys for a health monitor conversation.1KViews0likes5Comments