How to prove non-http traffic?

is there a way to prove which VS is particularly receiving non standard traffic? Except TCPDUMP, because capturing traffic on all the VS will generate plenty of logs. Or if there is a way to use intelligent iRule to capture non-standard traffic?

i am afraid you need tcpdump.

Aww snap! I don't mind using TCPDUMP, the only challenge is, there are many HTTPS VS, in fact almost HTTPs VS. It would be quite tedious to generate PMS one by one for each HTTPs VS (all of them are offloading to F5) and load it to Wireshark for investigation.

Any other suggestion?

Yes, but again the challenge for HTTPs will remain same, right?

Tough call for me. As roughly there are 60+ HTTPs VS and offloading is happening on F5. Can I use RingDump sort of thing? Which keeps rotating captures with the value defined with -c parameter until we get log for the "LTM message we are expecting" and stopped once it sees the message?

Should it work?

Cheers!

Can I use RingDump sort of thing? Which keeps rotating captures with the value defined with -c parameter until we get log for the "LTM message we are expecting" and stopped once it sees the message?

e.g.

Run tcpdump on event by Brent Blood

Thanks Nitass,

The script looks reactive, can it be pro-active? Rather waiting for the occurrence to happen, can we always run the TCPDUMP, let's 5 copies should be saved under /var/tmp and each copy should have 1000 packets (using -c), and when it sees the particular message, stop the script after getting another 1000 packets, to capture the complete the flow.

Possible?

Thanks,

How about kill tcpdump upon the grep

tcpdump  -i 0.0:nnn -C10 -W 5 -s0 -w /var/tmp/error.pcap &
tail -n1 -f /var/log/ltm| grep -q 'http_process_state_prepend' && killall tcpdump &

I will try this Nitass, and update the thread. Cheers!