
LTM Log Files

I need to be able to see TCP traffic between client and F5 and between F5 and pool members. Does anybody know how I can set up and view that? Thanks
1

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
If you have CLI access, you can use tcpdump. You can specify a file for clientside/serverside separately, or you can use the special interface 0.0 to capture from all links.
1
Comments on this Answer
Comment made 22-Feb-2014 by kmurphy 88
Great tip on the 0.0 interface, definitely will get some use out of that.
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

By default, the system log (e.g. /var/log/ltm) does not include application traffic. If you want to log application traffic, you can use an iRule.

e.g.

Log Http Tcp Udp To Syslogng
https://devcentral.f5.com/wiki/iRules.LogHttpTcpUdpToSyslogng.ashx

0
Comments on this Answer
Comment made 30-Dec-2014 by MOHIT 396
Hi nitass, can't I see TCP traffic between client and F5 and between F5 and pool members from the F5 LTM CLI? If yes, can you please share the commands to check it?
0
Comment made 30-Dec-2014 by nitass 12823
Do you mean packets? If yes, you can run tcpdump.

# tcpdump -nni 0.0 -s0 host x.x.x.x or host y.y.y.y

x.x.x.x is the client IP
y.y.y.y is the pool member IP
0
Comment made 30-Dec-2014 by shaggy 2230
(more tcpdump info) - https://support.f5.com/kb/en-us/solutions/public/0000/400/sol411.html
There is also the command "tmsh show sys connection", which will show you current connection details.
1
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can capture client-side traffic and the responding server-side traffic using the command below:

tcpdump -vvnni 0.0:nnnp -s0 host x.x.x.x and port yy

  • where x.x.x.x is Virtual IP and yy is virtual server port number

If you want to capture traffic for a specific client, then:

tcpdump -vvnni 0.0:nnnp -s0 host x.x.x.x

  • where x.x.x.x is client IP

If you want to write captured traffic to a file to review later in Wireshark or some other tool, use the 'w' option and provide the path to the file:

tcpdump -vvnni 0.0:nnnp -s0 -w /var/tmp/capture.pcap host x.x.x.x

0
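
The host filter from nitass's comment combined with the 0.0:nnnp capture and -w file output from the answer above, as an added example that is not part of the original thread: a wrapper that validates both addresses, caps the capture with tcpdump's -c packet count, and writes the file under a restrictive umask because -s0 keeps full payloads. The 5000-packet default, the file name pattern and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a bounded BIG-IP capture command.
# Assumptions: 5000-packet default, /var/tmp file name pattern, sample IPs.

# Accept only dotted-quad IPv4 so nothing else reaches the filter expression.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split the address on dots into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the tcpdump command for one client and one pool member.
# Usage: build_capture_cmd CLIENT_IP MEMBER_IP [PACKET_LIMIT]
build_capture_cmd() {
    client=$1 member=$2 limit=${3:-5000}
    valid_ipv4 "$client" || { echo "bad client IP: $client" >&2; return 1; }
    valid_ipv4 "$member" || { echo "bad pool member IP: $member" >&2; return 1; }
    case $limit in ''|*[!0-9]*) echo "bad packet limit" >&2; return 1 ;; esac
    out="/var/tmp/capture_${client}_${member}.pcap"
    # -c stops after $limit packets so an unattended capture cannot fill /var/tmp.
    printf 'tcpdump -nni 0.0:nnnp -s0 -c %s -w %s host %s or host %s\n' \
        "$limit" "$out" "$client" "$member"
}

# Run the capture. -s0 keeps full payloads (credentials, cookies), so the
# pcap is created under umask 077 and is readable only by its owner.
run_capture() {
    cmd=$(build_capture_cmd "$@") || return 1
    # Unquoted on purpose: validated arguments contain no whitespace.
    ( umask 077; $cmd )
}

# Constructed sample addresses from documentation ranges; prints the command only.
build_capture_cmd 192.0.2.10 198.51.100.20
```

Call `run_capture CLIENT_IP MEMBER_IP` on the BIG-IP to start the capture, and delete the pcap from /var/tmp once it has been reviewed.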