Forum Discussion

Alkuin_Melvin_1
Dec 09, 2015

TCPDump for capturing traffic between Virtual Server and Pool Members

Hi guys, glad to have this community to help me.

I want to ask what is the best way to capture traffic between my servers going to a VS and specific pool members.

For example, I have one pool with 3 pool members, described below:

  1. VS : 172.16.16.1
  2. Pool_HTTP with 3 members:
     1. WEB_A : 10.10.10.11
     2. WEB_B : 10.10.10.12
     3. WEB_C : 10.10.10.13

And the thing is I want to use tcpdump to capture my server traffic (172.16.16.100) going to VS 172.16.16.1 with pool members 10.10.10.11-12 (except 10.10.10.13). I tried using tcpdump like this, and it doesn't seem to work.

tcpdump -ni 0.0 src host 172.16.16.100 and dst host 172.16.16.1 and "(dst host 10.10.10.11 or dst host 10.10.10.12)"

Thank you so much for your help. Cheers

Regards

Alkuin Melvin

10 Replies

  • Hi, Considering that F5 is a full proxy then you have two distinct client to server connections:

    1. first is (SRC:172.16.16.100 and DST:172.16.16.1),
    2. second is (SRC:X.X.X.X and DST:10.10.10.11 or 10.10.10.12), src depends on your SNAT configuration, if using automap then it is an F5 self IP.

    So your tcpdump needs to have an "OR" to match both connections; you've set up an "AND". Something like:

    tcpdump -ni 0.0 '(src host 172.16.16.100 and dst host 172.16.16.1) or (dst host 10.10.10.11 or dst host 10.10.10.12)'

  • Problem is that for the serverside connection, the source IP is your VS IP (or SNAT IP if you use), therefore, nothing will be captured by your filter.

    Why not set up two concurrent captures and later compare them side by side for the complete flow? If someone has any better ideas to get it in a single filter capture, please let me know!

    tcpdump -i VLAN-EXTERNAL 'src host 172.16.16.100 and dst host 172.16.16.1' -w ext.pcap
    tcpdump -i VLAN-INTERNAL 'src host 172.16.16.1 and (dst host 10.10.10.11 or dst host 10.10.10.12)' -w int.pcap
    • IRONMAN

      Are you sure that on the server side the source IP for the capture is 172.16.16.1, which is the VIP IP, without SNAT? As per me, it should be the client source IP?

      But i am confused. please confirm?

  • Hi, thanks for helping me out. It looks like you're right, guys; I think I need to do a separate capture, one for the client side and another one for the server side. For now I will do that, great. However, I am still looking to see if someone has a way to capture the packets using a single capture.

    • Amine_Kadimi
      Hi, as I mentioned before, using the OR logic in your filter will let you capture both connections in a single tcpdump job
  • nathe

    Alkuin

    This may help you use tcpdump and identify client-side and server-side traffic: see Capturing internal TMM information with tcpdump.

    Also, a tcpdump I've used in the past to ensure that we can capture the server-side traffic when SNATing is (not using the noise levels outlined in the post above, however):

    tcpdump -nni 0.0 '(src host client_ip and dst host vip) or (src host snat_ip and dst host poolmember_ip) or (src host snat_ip and dst host poolmember2_ip)'

    Hope this helps further,

    N
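Added example, not from any poster in this thread: a small Python evaluator for the `src host` / `dst host` subset of tcpdump filter syntax, run over constructed packets for both legs of the full-proxy flow (the SNAT self IP 10.10.10.254 is an assumed placeholder). It shows why the original AND filter can never match, since one packet has only one destination, while Amine's OR form and nathe's SNAT-aware form each capture both legs and still leave WEB_C out.

```python
import re

# Supported filter subset: parentheses, and/or, "src host IP", "dst host IP".
TOKEN = re.compile(r"\(|\)|and|or|src|dst|host|[0-9.]+")

class Parser:
    # expr := term ('or' term)* ; term := factor ('and' factor)* ;
    # factor := '(' expr ')' | ('src'|'dst') 'host' IP   -> predicate(packet)
    def __init__(self, expr):
        self.toks = TOKEN.findall(expr)
    def peek(self): return self.toks[0] if self.toks else None
    def take(self): return self.toks.pop(0)
    def parse(self):
        node = self.expr()
        if self.toks:
            raise ValueError("trailing tokens: %s" % self.toks)
        return node
    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = (lambda p, l=node, r=self.term(): l(p) or r(p))
        return node
    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = (lambda p, l=node, r=self.factor(): l(p) and r(p))
        return node
    def factor(self):
        tok = self.take()
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing )")
            return node
        if tok not in ("src", "dst") or self.take() != "host":
            raise ValueError("expected 'src host IP' or 'dst host IP'")
        return lambda p, d=tok, ip=self.take(): p[d] == ip

# Constructed packets for one request through the full proxy (SNAT IP is assumed).
CLIENT, VS, SNAT = "172.16.16.100", "172.16.16.1", "10.10.10.254"
PACKETS = [
    {"src": CLIENT, "dst": VS},            # client-side leg: server -> VS
    {"src": SNAT, "dst": "10.10.10.11"},   # server-side leg: BIG-IP -> WEB_A
    {"src": SNAT, "dst": "10.10.10.13"},   # server-side leg to WEB_C, to be excluded
]

def matches(expr, packets=PACKETS):
    pred = Parser(expr).parse()
    return [p["dst"] for p in packets if pred(p)]
```

Paste any of the thread's filter strings (without the shell quotes) into `matches()` to see which legs it would capture before running it on the BIG-IP.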