How to packet capture the whole traffic flow in VIP by Automap

Question

Hi,&nbsp;
I do have a VIP configured using Automap.
2 nodes on the pool member.&nbsp;
Now, the problem is the log on the nodes member will always show the self IP as a source IP address.
Configure X-forwarded will not work for my application due the the network setup.&nbsp;
I try packet capture with command:
tcpdump -ni 0.0:nnnp -s 0 host  or port  -w /var/tmp/test.pcap&nbsp;
On Wireshark, if follow the TCP stream, it won't show the full traffic flow. It just either "self IP and node IP" or "actual source IP and VIP"&nbsp;
How to capture/filter the packet so that I can have a full set of the traffic flow?  &nbsp;

youssef1 · Answer

Hi,
since you are capturing on the ip address base, keep in mind that capture from F5 to backend you may have several user session if you are not the only one to test (because of snat):
tcpdump -nni 0.0 '(host "clientIP" and host "VipIP")' or  '(host "FloatinIP" and host "BackendServer")'
or
tcpdump -nni 0.0 '(src host "clientIP" and dst host "VipIP")' or  '(src host "FloatinIP" and dst host "BackendServer")'
In your situation I advise you to capture traffic using an Irule, it allows you to go up to layer 7 and capture traffic end-to-end for a single user.
let me know if you need assistance for irule
Regards

Forum Discussion

How to packet capture the whole traffic flow in VIP by Automap

1 Reply

Recent Discussions

Stable Firmware for F5

F5 VE in Azure - troubles with Sentinel integration

Need help on i-rule to specific uri path

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Related Content

Decrypting BIG-IP Packet Captures without iRules

Decrypting BIG-IP Packet Captures Automatically

Kill SNAT AutoMap!

Ultimate irule debug - Capture and investigate

fellow traffic