Forum Discussion

artl2377_166103
Nimbostratus
Dec 31, 2014

Long term tcpdump

I am trying to investigate a non-regular failure. External checking services are reporting failures to a customer website. I am running a tcpdump filtered for the src IP and with a 50-byte capture. Are there any other suggestions out there which could do this better? I am thinking iCall, iRules etc., but have no experience of these. It is tough because the trigger is the lack of a session, so logging won't help...


Thanks in advance


6 Replies

  • Hi,


    If there isn't any trigger, unfortunately, there is no option :( You have to add as many filters as you can for your long-term tcpdump and split it.


  • I am running a tcpdump filtered for the src IP and with a 50-byte capture.

    I understand the support engineer would prefer full packet size (-s0) and an end-to-end (client-to-server) capture with extended TMM data (:nnn).

    e.g.

     tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap 
    

    sol13637: Capturing internal TMM information with tcpdump

    https://support.f5.com/kb/en-us/solutions/public/13000/600/sol13637.html

    To run it continuously, you may check whether -C and -W are useful.

    -C   Before  writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one.  Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward.  The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
    
    Note that when used with -Z option (enabled by default), privileges are dropped before opening first savefile.
    
    -W   Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin  overwriting files from the beginning, thus creating a "rotating" buffer.  In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.
    

    or iCall if there is something that can trigger it.

    iCall - All New Event-Based Automation System by Jason Rahm

    https://devcentral.f5.com/articles/icall-all-new-event-based-automation-system
  • As recommended by Nitass, the so-called ringdump will probably do the job. Make sure to write into the shared file system (option -w). A valuable parameter is "p" (for peer traffic) in the interface definition. The "p" will make sure the server-side forwarded and returned packets are dumped in your trace as well.

    Nitass already added the so-called noise parameter ("nnn"), which requires the F5 Wireshark plugin to display the so-called Ethernet trailer information. The plugin for your Wireshark version is available for download here on DevCentral.

    The example below will run a ringdump with a total size of approx. 4 GByte (20 files of 200 MByte).

    Please run "df -h" first to make sure there is enough space in the target volume.
    • -C 200 (200 million bytes per file)
    • -W 20 (max 20 files)
    • -Z root (run as root to avoid errors when writing the file)

    tcpdump -i 0.0:nnnp -C 200 -W 20 -s 0 -Z root -w /shared/ringdump/dump.cap