My rule is basically the same as the below: when CLIENT_ACCEPTED { TCP::collect { when CLIENT_DATA { set DATA [TCP::payload] log local0. "TCP DATA: $DATA" TCP::release TCP::collect } The problem is that the client accpted event occurs capturing the initial packet, however the client stays connected for multiple packets and the TCP::collect within CLIENT_DATA does not seem to trigger the CLIENT_DATA event again! UDP works very nicely just collecting each packet sent because it is connectionless, however my issue is with TCP and I cannot change this! Any advise would be greatly appreciated THanks James

Thanks for your response, The second message I should see logged is not written to the log file, and also looking at the counters CLIENT_ACCEPTED and CLIENT_DATA are both actioned the same number of times, it is only a very basic TCP payload of 12 characters pushed through the socket. Thanks James

The easiest way to recreate my problem is using netcat or similar, sending the data to the virtual server, the basic TCP construction looks like this:: SYN SYN, ACK ACK PSH, ACK - data ACK PSH, ACK - data - not receiving/ logging this message ACK FIN, ACK FIN, ACK when I get this working I will also expect a response to each of the bytes of data sent from the end point, however I am currently failing at this hurdle!

you mean other than yours working and mine not?! I will try again tomorrow when back in the office but I don't see anything different between yours and my rules, unless http is handled differently and triggers the event whereas the telnet/straight tcp message isnt!

TCP Logging all traffic

11 Replies

nitass

Employee

Oct 18, 2011

how do you know CLIENT_DATA is not triggered again?

[root@iris:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.17.33:http
   ip protocol tcp
   rules myrule
}
[root@iris:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
        TCP::collect
}

when CLIENT_DATA {
        set DATA [TCP::payload]
        log local0. "[IP::client_addr]:[TCP::client_port]|$DATA"
        TCP::release
        TCP::collect
}
}

[root@iris:Active] config  tail -f /var/log/ltm
Oct 18 22:01:06 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET / HTTP/1.1  Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*  Accept-Language: en-US  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2)  Accept-Encoding: gzip, deflate  If-Modified-Since: Sat, 11 Jun 2011 00:31:47 GMT  If-None-Match: "667a-67-cfb682c0"  Host: 172.28.17.33  Connection: Keep-Alive
Oct 18 22:01:06 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET /dog.gif HTTP/1.1  Accept: */*  Referer: http://172.28.17.33/  Accept-Language: en-US  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2)  Accept-Encoding: gzip, deflate  If-Modified-Since: Thu, 24 Feb 2011 07:40:14 GMT  If-None-Match: "5d7f-1530-52f31380"  Host: 172.28.17.33  Connection: Keep-Alive
Oct 18 22:01:09 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET / HTTP/1.1  Accept: */*  Accept-Language: en-US  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2)  Accept-Encoding: gzip, deflate  If-Modified-Since: Sat, 11 Jun 2011 00:31:47 GMT  If-None-Match: "667a-67-cfb682c0"  Host: 172.28.17.33  Connection: Keep-Alive
Oct 18 22:01:09 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET /dog.gif HTTP/1.1  Accept: */*  Referer: http://172.28.17.33/  Accept-Language: en-US  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2)  Accept-Encoding: gzip, deflate  If-Modified-Since: Thu, 24 Feb 2011 07:40:14 GMT  If-None-Match: "5d7f-1530-52f31380"  Host: 172.28.17.33  Connection: Keep-Alive
Oct 18 22:01:10 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET / HTTP/1.1  Accept: */*  Accept-Language: en-US  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2)  Accept-Encoding: gzip, deflate  If-Modified-Since: Sat, 11 Jun 2011 00:31:47 GMT  If-None-Match: "667a-67-cfb682c0"  Host: 172.28.17.33  Connection: Keep-Alive
Oct 18 22:01:10 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET /dog.gif HTTP/1.1  Accept: */*  Referer: http://172.28.17.33/  Accept-Language: en-US  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2)  Accept-Encoding: gzip, deflate  If-Modified-Since: Thu, 24 Feb 2011 07:40:14 GMT  If-None-Match: "5d7f-1530-52f31380"  Host: 172.28.17.33  Connection: Keep-Alive

jdscrymgeour_42
Nimbostratus
Oct 18, 2011
Thanks for your response,

The second message I should see logged is not written to the log file, and also looking at the counters CLIENT_ACCEPTED and CLIENT_DATA are both actioned the same number of times, it is only a very basic TCP payload of 12 characters pushed through the socket.

Thanks

James
jdscrymgeour_42
Nimbostratus
Oct 18, 2011
The easiest way to recreate my problem is using netcat or similar, sending the data to the virtual server, the basic TCP construction looks like this::

SYN

SYN, ACK

ACK

PSH, ACK - data

ACK

PSH, ACK - data - not receiving/ logging this message

ACK

FIN, ACK

FIN, ACK

when I get this working I will also expect a response to each of the bytes of data sent from the end point, however I am currently failing at this hurdle!

nitass

Employee

Oct 18, 2011

is there anything i missed?

[root@iris:Active] config  tcpdump -nni 0.0 host 172.28.17.33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
23:50:28.529287 IP 192.168.206.102.54942 > 172.28.17.33.80: S 2036798734:2036798734(0) win 8192 
23:50:28.529372 IP 172.28.17.33.80 > 192.168.206.102.54942: S 3173404814:3173404814(0) ack 2036798735 win 3780 
23:50:28.529793 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 1 win 16695
23:50:28.529964 IP 192.168.206.102.54942 > 172.28.17.33.80: P 1:369(368) ack 1 win 16695
23:50:28.532768 IP 172.28.17.33.80 > 192.168.206.102.54942: P 1:455(454) ack 369 win 4148
23:50:28.577702 IP 192.168.206.102.54942 > 172.28.17.33.80: P 369:745(376) ack 455 win 16581
23:50:28.578787 IP 172.28.17.33.80 > 192.168.206.102.54942: . 455:1715(1260) ack 745 win 4524
23:50:28.578795 IP 172.28.17.33.80 > 192.168.206.102.54942: P 1715:1915(200) ack 745 win 4524
23:50:28.578868 IP 172.28.17.33.80 > 192.168.206.102.54942: . 1915:3175(1260) ack 745 win 4524
23:50:28.579125 IP 172.28.17.33.80 > 192.168.206.102.54942: . 3175:4435(1260) ack 745 win 4524
23:50:28.579200 IP 172.28.17.33.80 > 192.168.206.102.54942: . 4435:5695(1260) ack 745 win 4524
23:50:28.579204 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 1915 win 16695
23:50:28.579483 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 4435 win 16695
23:50:28.792018 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 5695 win 16695
23:50:28.792059 IP 172.28.17.33.80 > 192.168.206.102.54942: P 5695:6178(483) ack 745 win 4524
23:50:28.806251 IP 192.168.206.102.54942 > 172.28.17.33.80: P 745:1094(349) ack 6178 win 16574
23:50:28.808325 IP 172.28.17.33.80 > 192.168.206.102.54942: P 6178:6681(503) ack 1094 win 4873
23:50:28.817967 IP 192.168.206.102.54942 > 172.28.17.33.80: P 1094:1473(379) ack 6681 win 16448
23:50:28.819720 IP 172.28.17.33.80 > 192.168.206.102.54942: P 6681:7184(503) ack 1473 win 5252
23:50:29.025972 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 7184 win 16695
23:50:31.062463 IP 192.168.206.102.54942 > 172.28.17.33.80: P 1473:1952(479) ack 7184 win 16695
23:50:31.063793 IP 172.28.17.33.80 > 192.168.206.102.54942: P 7184:7364(180) ack 1952 win 5731
23:50:31.082003 IP 192.168.206.102.54942 > 172.28.17.33.80: P 1952:2441(489) ack 7364 win 16650
23:50:31.083102 IP 172.28.17.33.80 > 192.168.206.102.54942: P 7364:7546(182) ack 2441 win 6220
23:50:31.303244 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 7546 win 16604
23:50:32.214973 IP 192.168.206.102.54942 > 172.28.17.33.80: P 2441:2920(479) ack 7546 win 16604
23:50:32.216448 IP 172.28.17.33.80 > 192.168.206.102.54942: P 7546:7726(180) ack 2920 win 6699
23:50:32.231074 IP 192.168.206.102.54942 > 172.28.17.33.80: P 2920:3409(489) ack 7726 win 16559
23:50:32.232224 IP 172.28.17.33.80 > 192.168.206.102.54942: P 7726:7908(182) ack 3409 win 7188
23:50:32.426229 IP 192.168.206.102.54942 > 172.28.17.33.80: . ack 7908 win 16514

30 packets captured
30 packets received by filter
0 packets dropped by kernel

[root@iris:Active] config  cat /var/log/ltm
Oct 18 23:54:16 local/tmm notice tmm[4601]: 013e0001:5: Tcpdump starting bcast on :::0 from 127.1.1.1:58858
Oct 18 23:54:20 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET / HTTP/1.1  Host: 172.28.17.33  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  Accept-Language: en-us,en;q=0.5  Accept-Encoding: gzip,deflate  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  Keep-Alive: 115  Connection: keep-alive
Oct 18 23:54:20 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET /dog.gif HTTP/1.1  Host: 172.28.17.33  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23  Accept: image/png,image/*;q=0.8,*/*;q=0.5  Accept-Language: en-us,en;q=0.5  Accept-Encoding: gzip,deflate  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  Keep-Alive: 115  Connection: keep-alive  Referer: http://172.28.17.33/
Oct 18 23:54:20 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET /favicon.ico HTTP/1.1  Host: 172.28.17.33  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23  Accept: image/png,image/*;q=0.8,*/*;q=0.5  Accept-Language: en-us,en;q=0.5  Accept-Encoding: gzip,deflate  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  Keep-Alive: 115  Connection: keep-alive
Oct 18 23:54:20 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET /favicon.ico HTTP/1.1  Host: 172.28.17.33  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  Accept-Language: en-us,en;q=0.5  Accept-Encoding: gzip,deflate  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  Keep-Alive: 115  Connection: keep-alive
Oct 18 23:54:22 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET / HTTP/1.1  Host: 172.28.17.33  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  Accept-Language: en-us,en;q=0.5  Accept-Encoding: gzip,deflate  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  Keep-Alive: 115  Connection: keep-alive  If-Modified-Since: Sat, 11 Jun 2011 00:31:47 GMT  If-None-Match: "667a-67-cfb682c0"  Cache-Control: max-age=0
Oct 18 23:54:23 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET /dog.gif HTTP/1.1  Host: 172.28.17.33  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23  Accept: image/png,image/*;q=0.8,*/*;q=0.5  Accept-Language: en-us,en;q=0.5  Accept-Encoding: gzip,deflate  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  Keep-Alive: 115  Connection: keep-alive  Referer: http://172.28.17.33/  If-Modified-Since: Thu, 24 Feb 2011 07:40:14 GMT  If-None-Match: "5d7f-1530-52f31380"  Cache-Control: max-age=0
Oct 18 23:54:24 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET / HTTP/1.1  Host: 172.28.17.33  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  Accept-Language: en-us,en;q=0.5  Accept-Encoding: gzip,deflate  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  Keep-Alive: 115  Connection: keep-alive  If-Modified-Since: Sat, 11 Jun 2011 00:31:47 GMT  If-None-Match: "667a-67-cfb682c0"  Cache-Control: max-age=0
Oct 18 23:54:24 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:54942|GET /dog.gif HTTP/1.1  Host: 172.28.17.33  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23  Accept: image/png,image/*;q=0.8,*/*;q=0.5  Accept-Language: en-us,en;q=0.5  Accept-Encoding: gzip,deflate  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  Keep-Alive: 115  Connection: keep-alive  Referer: http://172.28.17.33/  If-Modified-Since: Thu, 24 Feb 2011 07:40:14 GMT  If-None-Match: "5d7f-1530-52f31380"  Cache-Control: max-age=0
Oct 18 23:54:28 local/tmm notice tmm[4601]: 013e0002:5: Tcpdump stopping on 127.1.1.2:1042 from 127.1.1.1:58858

jdscrymgeour_42
Nimbostratus
Oct 18, 2011
you mean other than yours working and mine not?!

I will try again tomorrow when back in the office but I don't see anything different between yours and my rules, unless http is handled differently and triggers the event whereas the telnet/straight tcp message isnt!
jdscrymgeour_42
Nimbostratus
Oct 19, 2011
The issue with my connection is that when the TCP::release command is invoked it is dropping the TCP connection between the virtual server and my client, instead of just releasing the collected data and getting ready to process the next data the virtual server is actually sending a RST ACK to the client closing the connection, is there a way to stop this?

Thanks

James
nitass
Employee
Oct 19, 2011
would you mind posting the virtual server config here?
jdscrymgeour_42
Nimbostratus
Oct 19, 2011
All of the settings are default, for a tcp server using the standard tcp profile. sorry I dont know how to export this as text!
nitass
Employee
Oct 19, 2011
is it http traffic? is there any error in log while sending?

i think tcpdump should show something. if you can't find anything there, can you open a support case? support guy should be able to help you check packet capture.

to capture packet, please use command similar to the following.

tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 1.1.1.1 or host 2.2.2.2

1.1.1.1 is virtual address

2.2.2.2 is pool member address

hope this helps.
jdscrymgeour_42
Nimbostratus
Oct 19, 2011
It is not http traffic it is more like telnet/netcat as above straight ascii TCP messages, and there is no error log, I think the issue is that the following happens:

SYN

SYN, ACK

ACK

PSH, ACK - data

ACK

RST, ACK - f5 sends this to my client

My client then has no open connection to send the next byte of data so does not send it! I have a training day with f5 tomorrow and will ask them

Forum Discussion

TCP Logging all traffic

11 Replies

Recent Discussions

how can I find the software version is 32 bit or 64 bit from LTM 15.1.10.4

(How) can I get two client certificates in one APM session?

Open Redirection Mitigation

BIG-IP DNS iRule issue with static variable

Using okta as SSO to login F5 GUI

Related Content

Log tcp Connections.

F5 TCP Proxy mode

fellow traffic

ASM logs

UDP TCP Packet Duplication