Wednesday, 4 September 2019

What is the use of TCPDUMP in F5 LTM?

--> TCPDUMP function on F5 LTM is used for capturing the packets that are sent/received on a particular interface from the command line.

--> TCPDUMP is having the same functionality as Wireshark tool.

--> TCPDUMP tool is mainly used on F5 LTM for troubleshooting and security posture of the network.

--> By default when you run TCPDUMP tool on F5 LTM, it tries to do DNS resolution for the IP Addresses which consumes so much of time.

--> It is recommended to disable TCPDUMP tool before running the capture on the interface of F5 LTM.

--> In order to disable TCPDUMP tool on F5 LTM, execute the following command on F5 LTM from CLI without brackets( tcpdump -ni 1.1).

--> These are the following tcpdump commands which mostly used for troubleshooting purposes,

1) For capturing the packets on a particular interface: tcpdump -ni 1.1 or tcpdump -ni Internal

2) To Save the TCPDUMP output in binary format: tcpdump -w <filename> ( Ex: tcpdump -w packet1.bin)

3) To Save the TCPDUMP output in text format: tcpdump ><filename> (Ex: tcpdump >packet1.txt)

Note: TCPDUMP does not show any data on the screen when you are saving the packets in binary or text format. In order to stop the capture, press ctrl+c from the keyboard.

4) To read the data from TCPDUMP file on F5 LTM: tcpdump -r <filename> (Ex: tcpdump -r packet1.bin)

5) To capture the packets with limited size: tcpdump -s2000 -ni Internal
F5 SUPPORT

--> Using tcpdump utility we can also capture internal TMM information of F5 LTM.

--> This TMM information is useful when you need to open a case with F5 Support.

--> To capture Internal TMM information on F5 LTM, use the following command: tcpdump -i <interface>:<noise amplitude>

-->The noise amplitude specifies the level of TMM details included in the packet capture. The following noise levels may be captured:

n: Low details
nn: Low and medium details
nnn: Low, medium, and high details

--> For more information about what is low, medium and high details, click on the below link

https://support.f5.com/csp/article/K13637


FILTERING the packets in tcpdump Packet Capture

--> Filters allow you to limit the packet capture output related to specific IP Address, ports, and TCP flags.

--> TCPDUMP Filtering in F5 LTM works similar to Wireshark utility.

--> These are the following tcpdump commands which mostly used for filtering purposes,

1) For capturing the packets from or to a particular address: tcpdump host 192.168.1.50

2) For capturing the packets from a particular address : tcpdump src host 192.168.1.51

3) For capturing the packets to a particular address : tcpdump dst host 192.168.1.100

4) For capturing the packets either from source or destination port : tcpdump port 80

5) For capturing the packets which contain source port 80: tcpdump src port 80

6) For capturing the packets which contain destination port 80: tcpdump dst port 80

7) For Capturing the TCP flags for example SYN flag: tcpdump ‘tcp[tcpflags] & (tcp-syn) != 0’

8) For Capturing the TCP flags for example ACK flag: tcpdump ‘tcp[tcpflags] & (tcp-ack) != 0’

Combining the filters using AND operator

1) If you want to capture the traffic starting from client 192.168.1.1 going to virtual server 172.16.1.100 : tcpdump src host 192.168.1.1 and dst host 172.16.1.100

2) If you want to capture the traffic starting from client 192.168.1.1 going to virtual server 172.16.1.100 only on destination port 80: tcpdump src host 192.168.1.1 and dst host 172.16.1.100 and dst port 80

Ref: F5.com

No comments:

Post a Comment

iRule

  iRule: -- o iRule is a powerful and flexible feature within the BIG-IP local traffic management (LTM). o IRule is a powerful & flexibl...