Forum Discussion

John_Sm_Jr_1503
Nimbostratus
Oct 20, 2015

Taking a network capture with BIG-IP Edge Client running

Hi all,

We are trying to debug a complex application that does not work through a split tunnel VPN setup in BIG-IP APM. We are using the latest version of BIG-IP Edge Client on our workstations.

To debug, we are trying to take a network capture to see what traffic goes to the split tunnel, but it seems we cannot do this on Windows. All captured traffic we see in Wireshark is from the communication between the user computer and the VPN gateway, after the application data has been encapsulated into SSL. The BIG-IP Edge Client sets up a (virtual) dialup connection and we cannot capture from this device in Wireshark.

It would be very helpful to take a capture before the application data gets encapsulated so we can understand what is going on and why our application is not working. We have the option to take a capture on the gateway, but this proves to be practically difficult because our gateway is managed by a third party.

Thanks for your help.

John

1 Reply

    Lucas_Thompson_
    Historic F5 Account

    A few years ago, WinPcap made a change that made it impossible to capture from any dial-up adapter. The APM client uses this sort of adapter to create the VPN connection.

    While Wireshark is not an option, you can use Microsoft's Netmon to capture from the dial-up adapter, then analyze the data in Wireshark or Netmon (Wireshark can load up Netmon captures). Netmon has some advantages in that the dissectors are better for Microsoft-centric protocols such as RDP, SMB, and Kerberos. It will also tell you the name of the Windows binary that is creating the traffic.

    For the sake of completeness of this response: You can also capture this traffic (as you've mentioned) on the APM itself by using "tcpdump -i ".

    Keep in mind also that there are two parts of this traffic: DNS and traffic. The Edge Client has a "DNS Relay Proxy" component that proxies DNS requests/responses. If you find some problem that seems to be related to this, try either disabling the DNS Relay Proxy System Service or adjusting the DNS split settings in the Network Access object. We usually recommend leaving the DNS split at "*", meaning "resolve everything over the tunnel". This doesn't impact the traffic after the DNS, just the DNS itself.
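An added example (not from the original thread, F5 or Microsoft) of the capture step described in the reply above, scripted in PowerShell around Network Monitor's command-line tool NMCap.exe: list the adapters Netmon can see, capture on the Edge Client's dial-up adapter with a host filter so only the split-tunneled application traffic is recorded, and open the result in Wireshark. The Netmon and Wireshark install paths, the adapter index, the 192.0.2.10 application server address and the output paths are assumptions chosen for illustration.

```powershell
# Added example, not part of the original thread: capture the pre-encapsulation
# traffic on the BIG-IP Edge Client dial-up adapter with Microsoft Network
# Monitor's command-line tool (NMCap.exe) and hand the .cap file to Wireshark.
# Assumptions: Netmon 3.4 installed in its default folder, an elevated PowerShell
# session, and the VPN tunnel already established. Adapter index, host address
# and paths below are placeholders for this example.

$NMCap   = Join-Path ${env:ProgramFiles} 'Microsoft Network Monitor 3\NMCap.exe'
$OutDir  = 'C:\temp\vpncap'
$OutFile = Join-Path $OutDir 'edge-inner.cap'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1: list the adapters NMCap can open, with their index numbers. Once the
# tunnel is up the Edge Client's PPP/dial-up connection appears here; this is
# the adapter that WinPcap-based tools such as Wireshark cannot capture from.
& $NMCap /DisplayNetworks

# Step 2: capture on that adapter only. Index 3 and host 192.0.2.10 (the
# application server reached through the split tunnel) are assumed values;
# take the real index from the step 1 output. IPv4.Address matches either
# source or destination, so both directions of the application flow are kept.
# The ":200M" suffix caps the file size; /StopWhen /TimeAfter ends the run.
$AdapterIndex = 3
$Filter = 'IPv4.Address == 192.0.2.10'

& $NMCap /Network $AdapterIndex `
         /Capture $Filter `
         /File "${OutFile}:200M" `
         /StopWhen /TimeAfter 5 min

# Step 3: open the capture in Wireshark, which reads Netmon .cap files natively,
# to compare what the application sends into the tunnel with what is expected
# on the server side.
if (Test-Path $OutFile) {
    Write-Host "Capture written to $OutFile"
    & (Join-Path ${env:ProgramFiles} 'Wireshark\Wireshark.exe') -r $OutFile
}
```

Run it after the tunnel is established and pick the adapter index from the /DisplayNetworks output rather than trusting the placeholder; if the filter is left off entirely, the dial-up adapter will also show the DNS Relay Proxy traffic the reply mentions, which is useful when the problem is name resolution rather than the application flow itself. On the BIG-IP side, the gateway-capture option corresponds to tcpdump on the 0.0 pseudo-interface (for example tcpdump -ni 0.0 -s0 -w /var/tmp/vpn.pcap), which records on all interfaces at once; as the original post notes, the practical obstacle there is getting a third-party operator to run it.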