Long term tcpdump

I am trying to investigate a non-regular failure. External checking services are reporting failures to a customer website. I am running a tcpdump filtered for the src IP and with a 50-byte capture. Are there any other suggestions out there which could do this better? I am thinking iCall, iRules etc., but have no experience of these. It is tough because the trigger is the lack of a session, so logging won't help...

Thanks in advance

1

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

As recommended by Nitass, the so-called ringdump will probably do the job. Make sure to write into the shared file system (option -w). A valuable parameter is "p" (for peer traffic) in the interface definition. The "p" will make sure to dump the server-side forwarded and returned packets as well in your trace.
Nitass already added the so-called noise parameter ("nnn"), which requires the F5 Wireshark plugin to display the so-called ethernet trailer information. The plugin for your Wireshark version is available for download here on DevCentral.
The example below will run a ringdump with a total size of approx. 4 GByte (20 files of 200 MByte).
Please run a "df -h" first to make sure there is enough space in the target volume.

  • C 200 (200 million bytes per file)
  • W 20 (max 20 files)
  • Z root (run as root to avoid error when writing file)

tcpdump -i 0.0:nnnp -C 200 -W 20 -s 0 -Z root -w /shared/ringdump/dump.cap <filter i.e. "host <ip-addr-client">

1
Comments on this Answer
Comment made 01-Jan-2015 by artl2377 97
cheers thanks - this is what i was looking for.
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I am running a tcpdump filtered for the scr ip and with a 50byte capture.

I understand support engineers would prefer full packet size (-s0) and an end-to-end (client to server) capture with extended tmm data (:nnn).

e.g.

# tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap <filter>

sol13637: Capturing internal TMM information with tcpdump
https://support.f5.com/kb/en-us/solutions/public/13000/600/sol13637.html

to continuously run it, you may check whether -C and -W are useful.

-C   Before  writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one.  Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward.  The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

Note that when used with -Z option (enabled by default), privileges are dropped before opening first savefile.

-W   Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a "rotating" buffer.  In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.

Or iCall, if there is something that can trigger it.

iCall - All New Event-Based Automation System by Jason Rahm
https://devcentral.f5.com/articles/icall-all-new-event-based-automation-system

1
Comments on this Answer
Comment made 01-Jan-2015 by artl2377 97
thanks very useful
0
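As an added example, not code from either of the two answers above: a small POSIX shell helper that sizes the -C/-W ring buffer both answers describe (tcpdump's -C counts millions of bytes, not MiB, and the first answer asks for a "df -h" check before starting), verifies that the target volume has room for it, and prints the capture command. The /shared/ringdump path, the 0.0:nnnp interface and the -C 200 -W 20 values come from the thread; the function names and the client address 192.0.2.10 are my own and only illustrative.

```shell
#!/bin/sh
# Added example (not from the DevCentral thread): size a tcpdump ring buffer
# and check the target volume before starting a long-term capture.
# Assumes a POSIX sh with df(1) supporting -P and -k, and awk(1).

# tcpdump -C counts file_size in millions of bytes (1,000,000), not 1,048,576.
MB_BYTES=1000000

# Total size of the ring in "tcpdump MB": file_size (-C) times file count (-W).
ringdump_required_mb() {
    # $1 = -C value (MB per file), $2 = -W value (number of files)
    echo $(( $1 * $2 ))
}

# Free space on the volume holding $1, in millions of bytes (rounded down).
# A missing directory yields 0 so the caller fails closed.
volume_free_mb() {
    kb=$(df -P -k "$1" 2>/dev/null | awk 'NR==2 {print $4}')
    echo $(( ${kb:-0} * 1024 / MB_BYTES ))
}

# Succeed (exit 0) only if the ring fits with a margin of one extra file.
# tcpdump checks the size *before* writing each packet, so a file can overshoot
# file_size by up to one packet; with -s 0 that is a whole frame.
ringdump_fits() {
    # $1 = -C, $2 = -W, $3 = directory the capture files are written into
    [ -d "$3" ] || return 1
    need=$(ringdump_required_mb "$1" "$2")
    margin=$1
    free=$(volume_free_mb "$3")
    [ "$free" -ge $(( need + margin )) ]
}

# Print the command line from the thread for the given parameters:
# -s 0 full packets, :nnnp for TMM trailer info plus the peer (server-side) flow.
ringdump_cmd() {
    # $1 = -C, $2 = -W, $3 = output file, $4 = capture filter
    printf 'tcpdump -i 0.0:nnnp -C %s -W %s -s 0 -Z root -w %s %s\n' \
        "$1" "$2" "$3" "$4"
}

# Size the ring, and only print the command if the volume can hold it.
main() {
    dir=${1:-/shared/ringdump}
    c=${2:-200}
    w=${3:-20}
    filter=${4:-'host 192.0.2.10'}   # constructed example client address
    echo "ring buffer needs $(ringdump_required_mb "$c" "$w") MB (+$c MB margin) under $dir"
    if ringdump_fits "$c" "$w" "$dir"; then
        ringdump_cmd "$c" "$w" "$dir/dump.cap" "$filter"
    else
        echo "not enough space on $dir: $(volume_free_mb "$dir") MB free" >&2
        return 1
    fi
}

# Run only when invoked with arguments so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Invoke it as `sh ringdump_check.sh /shared/ringdump 200 20 'host <ip-addr-client>'`; it prints the required size (4000 MB for the thread's 20 x 200 MB example) and the ready-to-run tcpdump line, or an error on stderr if the volume is too small or the directory does not exist. The one-file margin is deliberate: because -C only rotates after a file has already exceeded file_size, the ring can briefly occupy slightly more than -C times -W.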
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

If there isn't any trigger, unfortunately, there is no option :( You have to add as many filters as you can for your long-term tcpdump and split it.

0