If building applications from source is like a fresh breath of air for you, then proceed directly to the wiki entry for the F5 Wireshark Plugin. For the rest of us, on Windows systems at least, there is a shortcut.

Installation

  • Download and install Wireshark 1.8, 1.10, or 1.12
  • Download the F5 Wireshark Plugin 
    1. Extract f5ethtrailer.dll from the appropriate folder for your system.  For my Wireshark 1.10 64-bit installation, that folder is Win64_WS1-10-2.
    2. Copy the file to the Wireshark plugins folder (on my system, it is C:\Windows\Program Files\Wireshark\plugins\1.10.11)

ws1

  • Launch Wireshark. Go to Help->About Wireshark. Click the Plugins tab. The f5ethtrailer.dll should be listed.

ws2

Usage

In order to utilize the Wireshark plugin, you need to flag the tcpdump command appropriately with -s0 and setting the level of noise by flagging the interface with a colon followed by a single, double, or triple n for, respectively, low, medium, and high details. For example:

tcpdump -s0 -ni vlan:nnn -w/var/tmp/filename.pcap

The basic information for each noise level is below. For greater details, please reference Solution 3637.

  • Low Details (:n) - The low details include ingress or egress flow direction, the slot and TMM handling the packet, and the vip, if applicable.
  • Medium Details (:nn) - The medium details include the low details plus flow and peer IDs, and the F5 reset cause. The remaining fields in the medium details are likely only helpful to F5 support.
  • High Details (:nnn) - The high details include the low and medium details plus all the related peer data, protocol, vlan associated with the flow, and local and remote addresses and ports. You'll want this setting for the F5 conversation menu items.

So what does the package capture look like once loaded into Wireshark? Well, first off, you'll notice an INFO frame that provides not only the hostname and platform information of the BIG-IP the packet capture was taken from, but also the tcpdump parameters that were set.

ws3

Next, take a look at a packet that is actually hitting a virtual server:

ws4

Here, you can see that the packet is being handled by TMM 1 and is hitting the /Common/tesvip virtual server. Also useful is the flow ID, which allows you to bind the front-end client connection with the associated back-end connections. You can either right-click the flow ID and select Apply as Filter and then Selected:

ws5

Or, you can just set the filter manually in the filter field (f5ethtrailer.flowid == 0x0000570075cfd200):

ws6

John T, one of our excellent engineers, suggested that you should use the f5ethtrailer.anyflowid filter if you're going to type it out as that will get you packets where that flow id is the flowid OR the peerid, resulting in getting both the client and server side of the connection. John is also the source of much of the rest of this article, so hat tip his way!

Starting in version 1.9 of the plugin, you can also select from a few F5 conversation filters (as appropriate) directly in the menu:

ws8

This is a shortcut for:

(ip.addr eq 192.168.101.1 and ip.addr eq 192.168.101.51 and tcp.port eq 61843 and tcp.port eq 80) or \
(f5ethtrailer.peeraddr eq 192.168.101.1 and f5ethtrailer.peeraddr eq 192.168.101.51 and f5ethtrailer.peerport eq 61843 \
and f5ethtrailer.peerport eq 80 and (f5ethtrailer.peeripproto eq 6 or (f5ethtrailer.peeripproto eq 0 and tcp)))

That's quite a shortcut! I can't imagine remembering all those switches, let alone typing it all without fat-fingering something.

You can filter on many other fields in the plugin, but hopefully this is a good launch point for you to get started with analyzing your BIG-IP traffic flows. Happy analysis!