Forum Discussion

PS_332920
Nov 30, 2018

Best methods to correlate the client and server side flows

Team, based on a captured pcap in which both the client-side and server-side conversations have been captured, could you recommend the best ways to correlate which client-side TCP stream, for example, relates to the TCP stream on the client side? I am aware of the flow ID and peer ID usage when using F5Trailer and -nnn, but I have found on some occasions that the relation is incorrect (e.g. the F5 sends an RST to the client claiming an RST on the remote server, but the server-side connection was properly closed); even F5 TAC has mentioned that -p also gives the wrong result sometimes. So I am looking for definite ways without relying heavily on the F5 Ethernet trailers. At present I am filtering using one server-side stream and then going forward to stream +1 and so on, until I see something matching, like an RST occurring on both the client and server end in Wireshark.


e.g. tcp.stream == 10 or tcp.stream == 12


3 Replies

  • Using the Flow ID shows an RST going from the F5 to the client (giving an RST on the remote server as the reason), but nothing on the server side suggesting an RST on that end.

  • Now, in the same capture, when going through different streams, streams 12 and 15 relate better: you can see the RST on the server side before the client side. Also, the client side uses IPv6 and the server side IPv4.

  • Your flowid filter example will not match a client flow to a server flow.

    All you have matched are two independent flows that have reused the same connection table entry.

    You need to match the client-side peerid to the server-side flowid (or vice versa).

    Use f5ethtrailer.anyflowid to match on either flowid and peerid values, so for a flow you get to see both sides of the conversation. You will also see the flow reuse mentioned above, but you can usually see where the flows are very different.

    Of course, if flow reuse is in play (i.e. OneConnect), you may only see part of the server-side flow, where the required client-side flow is attached.
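The matching rule from this reply (client-side peerid equals server-side flowid, and vice versa), together with the connection-table reuse it warns about, can be checked mechanically once the trailer fields are exported from the capture. The script below is an added example written for this thread, not code from the poster or from F5. It assumes the capture was exported with tshark using the column order given in the comment (frame.number, tcp.stream, ip.src, ipv6.src, tcp.flags.reset, f5ethtrailer.flowid, f5ethtrailer.peerid; the trailer field names are an assumption, f5ethtrailer.anyflowid is the one named above), and the sample lines are constructed, not taken from a real capture.

```python
"""Correlate client-side and server-side TCP streams in an F5 tcpdump capture
using the flowid/peerid values carried in the F5 Ethernet trailer.

Assumed export command (hypothetical column order; adjust to your tshark):
  tshark -r capture.pcap -T fields -E separator=/t \
    -e frame.number -e tcp.stream -e ip.src -e ipv6.src -e tcp.flags.reset \
    -e f5ethtrailer.flowid -e f5ethtrailer.peerid
"""
from collections import defaultdict

# Constructed sample (not from a real capture). Streams 10 and 12 are both
# client-side (IPv6) and share flowid 0x3a1 because they reused the same
# connection-table entry; only stream 12's peerid points at server-side
# stream 15, whose peerid points back at 0x3a1. Stream 20 has no peer yet.
SAMPLE_TSV = """\
1\t10\t\t2001:db8::10\t0\t0x3a1\t0x2b0
2\t10\t\t2001:db8::10\t1\t0x3a1\t0x2b0
3\t12\t\t2001:db8::11\t0\t0x3a1\t0x5c7
4\t15\t10.0.0.5\t\t0\t0x5c7\t0x3a1
5\t15\t10.0.0.5\t\t1\t0x5c7\t0x3a1
6\t12\t\t2001:db8::11\t1\t0x3a1\t0x5c7
7\t20\t10.0.0.9\t\t0\t0x7f0\t0x0
"""


def parse_tshark_tsv(text):
    """Group the exported rows by tcp.stream, collecting the IDs and RST frames seen."""
    streams = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, stream, v4, v6, rst, flowid, peerid = line.split("\t")
        s = streams.setdefault(int(stream), {
            "src": v6 or v4, "flowids": set(), "peerids": set(), "rst_frames": []})
        s["flowids"].add(int(flowid, 16))   # values assumed to be exported as hex
        s["peerids"].add(int(peerid, 16))
        if rst == "1":
            s["rst_frames"].append(int(frame))
    return streams


def flowid_reuse(streams):
    """Streams sharing a flowid: connection-table reuse, not a client/server pair."""
    by_flowid = defaultdict(set)
    for sid, s in streams.items():
        for f in s["flowids"]:
            by_flowid[f].add(sid)
    return {hex(f): sorted(sids) for f, sids in by_flowid.items() if len(sids) > 1}


def correlate(streams):
    """Pair streams A and B only when A.peerid == B.flowid AND B.peerid == A.flowid."""
    by_flowid = defaultdict(list)
    for sid, s in streams.items():
        for f in s["flowids"]:
            by_flowid[f].append(sid)
    pairs = set()
    for sid, s in streams.items():
        for peer in s["peerids"]:
            if peer == 0:
                continue  # no peer flow (e.g. server side never attached)
            for other in by_flowid.get(peer, []):
                # The reverse link rules out the reused-entry streams.
                if other != sid and s["flowids"] & streams[other]["peerids"]:
                    pairs.add(tuple(sorted((sid, other))))
    return sorted(pairs)


def anyflowid_filter(stream_id, streams):
    """Wireshark display filter showing both sides of this stream's conversation."""
    flowid = next(iter(streams[stream_id]["flowids"]))
    return f"f5ethtrailer.anyflowid == {flowid:#x}"


def rst_order(streams, pair):
    """First RST frame on each side of a matched pair, in pair order (None if absent)."""
    return tuple(min(streams[sid]["rst_frames"], default=None) for sid in pair)


if __name__ == "__main__":
    st = parse_tshark_tsv(SAMPLE_TSV)
    print("reused flowids:", flowid_reuse(st))
    for a, b in correlate(st):
        print(f"streams {a} <-> {b}: {st[a]['src']} / {st[b]['src']}, "
              f"RST frames {rst_order(st, (a, b))}, filter: {anyflowid_filter(a, st)}")
```

On the sample, only 12 and 15 pair up, 10 and 12 are reported as a reused flowid (the trap described in the reply), and the server-side RST (frame 5) precedes the client-side one (frame 6), which is the ordering the second follow-up observed.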