aspindler34_133
Jan 09, 2015

Full path TCPDump

I have been doing some studying on tcpdump and traffic analytics on the F5. I was wondering if there was a way to capture the entire path of the traffic all the way to the server. So I know I can do "Client to F5" and "Server to F5", but is there a way to do "Client to F5 to Server?" Would the VIP I want to dump have to be a performance L4 in order for this to work?

 

3 Replies

  • from this sol: http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13637.html

    Beginning in BIG-IP 11.2.0, you can use the p interface modifier with the n modifier to capture traffic with TMM information for a specific flow, and its related peer flow. The p modifier allows you to capture a specific traffic flow through the BIG-IP system from end to end, even when the configuration uses a Secure Network Address Translation (SNAT) or OneConnect. For example, the following command searches for traffic to or from client 10.0.0.1 on interface 0.0:

    tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.dmp host 10.0.0.1
    

    remember though that there is a limit on packet captures on an interface, which I assume also goes for 0.0

    see sol: http://support.f5.com/kb/en-us/solutions/public/6000/500/sol6546.html

    Limitations

    Running tcpdump on a switch interface is rate-limited to 200 packets per second. Therefore, if you run tcpdump on an interface that is processing more than 200 packets per second, the captured tcpdump file does not include all of the packets.

    For example, the following command captures PVA-accelerated traffic, but the syntax results in a rate limit of 200 packets per second:

    tcpdump -ni