Lecture on Wireshark and tcpdump

Jul 11, 2024

Introduction

  • Topic: Wireshark
  • Focus: tcpdump

Situations to Use Packet Capture

  • Traffic that is not reaching the F5
  • Capturing the packets the F5 sends and receives
  • Use cases for capturing packets:
    • Client to F5 to server path
    • Access issues with a URL hosted on the F5
    • DNS checks
    • Virtual server and pool member status
    • Virtual server and pool member statistics

Steps for Troubleshooting

  1. Check DNS
  2. Verify Virtual Server and Pool Member Status
  3. Review Statistics
  4. Analyze TCP Handshake and SSL Handshake
  5. Capture Packet Details
    • Client to F5 issues
    • F5 to Server issues
  6. Use the tcpdump utility on the F5 (BIG-IP is Linux-based)
    • tcpdump helps in troubleshooting by capturing the packets entering and leaving the F5

Scenarios to Use tcpdump

  • Handshake analysis: confirm that the TCP handshake and the SSL handshake complete successfully
  • HTTP GET packet analysis: confirm whether HTTP GET requests are forwarded from the F5 to the server
  • Route analysis: which server (pool member) the F5 is sending packets to
  • Latency analysis: measure the delta time (time difference between packets)

Running tcpdump Commands

  • Basic command: tcpdump -i 1.1 (capture on interface 1.1)
  • Running commands in the CLI: use tmsh or bash (tcpdump -i 1.1)

Steps to Perform Packet Capture

  • Initiate traffic from client via browser
  • Capture traffic using tcpdump -i 1.1
  • Save the output in .pcap format for Wireshark
  • Command to save the capture: tcpdump -i 1.1 -w /var/tmp/ext.pcap
  • Transfer .pcap file to desktop using WinSCP

Analyzing Captured Packets

  • Open the .pcap file in Wireshark
  • Example: HTTP request and response headers
  • Show client to F5 traffic and F5 to server traffic
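The handshake and delta-time analysis described above, done in Python over a constructed capture; this is an added example, not code from the lecture or from any F5 or Wireshark tool. The sample traffic is made up: the client 192.168.1.4 completes a handshake with the virtual server 192.168.1.80, while the F5 (assumed self IP 10.2.2.1) sends a SYN to pool member 10.2.2.30 that is never answered, which is the "F5 to server" failure the notes tell you to look for. The same parser reads any classic .pcap with Ethernet framing, such as one written with tcpdump -w.

```python
import struct

# Constructed sample (not from the lecture): client 192.168.1.4 completes a handshake with
# virtual server 192.168.1.80; the F5 (assumed self IP 10.2.2.1) SYNs 10.2.2.30 with no reply.
def _frame(src, dst, sport, dport, flags):      # Ethernet II + IPv4 + TCP header, no payload
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp
SYN, ACK = 0x02, 0x10
SAMPLE = [(10.000000, _frame("192.168.1.4", "192.168.1.80", 51000, 443, SYN)),
          (10.000450, _frame("192.168.1.80", "192.168.1.4", 443, 51000, SYN | ACK)),
          (10.000900, _frame("192.168.1.4", "192.168.1.80", 51000, 443, ACK)),
          (10.001200, _frame("10.2.2.1", "10.2.2.30", 40000, 80, SYN)),
          (11.001200, _frame("10.2.2.1", "10.2.2.30", 40000, 80, SYN))]   # retransmitted SYN
def build_pcap(frames):        # classic little-endian pcap, link type 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, data in frames:
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(data), len(data)) + data
    return out

def parse_pcap(blob):          # return the TCP/IPv4 packets of a pcap as dicts
    endian = "<" if struct.unpack("<I", blob[:4])[0] == 0xA1B2C3D4 else ">"
    off, pkts = 24, []
    while off + 16 <= len(blob):
        sec, usec, incl, _ = struct.unpack(endian + "IIII", blob[off:off + 16])
        d, off = blob[off + 16:off + 16 + incl], off + 16 + incl
        if d[12:14] != b"\x08\x00" or d[23] != 6:   # skip non-IPv4 and non-TCP frames
            continue
        tcp = d[14 + (d[14] & 0x0F) * 4:]
        pkts.append({"ts": sec + usec / 1e6, "flags": tcp[13],
                     "src": ".".join(map(str, d[26:30])), "dst": ".".join(map(str, d[30:34])),
                     "sport": int.from_bytes(tcp[:2], "big"), "dport": int.from_bytes(tcp[2:4], "big")})
    return pkts
def handshake_report(pkts):    # per flow: SYN->SYN/ACK and SYN->ACK delta times, or what never came
    pending, report = {}, {}
    for p in pkts:
        fwd, rev = (p["src"], p["sport"], p["dst"], p["dport"]), (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] & SYN and not p["flags"] & ACK:
            pending.setdefault(fwd, {"syn": p["ts"]})  # keep the first SYN; later retransmits ignored
        elif p["flags"] & SYN and rev in pending and "synack" not in pending[rev]:
            pending[rev]["synack"] = p["ts"]
        elif p["flags"] & ACK and fwd in pending and "synack" in pending[fwd]:
            s = pending.pop(fwd)
            report[fwd] = {"syn_to_synack": round(s["synack"] - s["syn"], 6),
                           "syn_to_ack": round(p["ts"] - s["syn"], 6)}
    for fwd, s in pending.items():                  # handshakes that never completed
        report[fwd] = {"error": "no SYN/ACK" if "synack" not in s else "no final ACK"}
    return report
```

Run `handshake_report(parse_pcap(open("/path/to/file.pcap", "rb").read()))` on a real capture to get the per-flow delta times and the flows whose handshake never completed.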

End-to-End Packet Capture

  • Command to capture on all interfaces: tcpdump -i 0.0 -w /var/tmp/extall.pcap
  • Captures packets across multiple interfaces (0.0 is the BIG-IP pseudo-interface for all interfaces)
  • Apply IP filters in Wireshark to isolate the traffic of a specific virtual server

Commands for Specific Packet Captures

  • Specific virtual server command: tcpdump host 192.168.1.60
  • Source- and destination-specific command (options such as -w go before the filter expression):
    tcpdump -w /var/tmp/special.pcap src host 192.168.1.4 and dst host 10.2.2.30

  • Filter in Wireshark, for example: ip.addr == 192.168.1.80

Best Practices for Production Environment

  • Optimal command for issue reporting: an end-to-end capture of the virtual server and its pool members
    tcpdump -i 0.0 -s0 -n -w /var/tmp/virtual.pcap host 192.168.1.80 or host 10.2.2.30 or host 10.2.2.31 or host 10.2.2.32

    • -s0: snap length 0, capture the full packet instead of truncating it
    • -n: do not resolve addresses to names (avoids DNS lookups)
    • -i 0.0: capture on all interfaces
    • -w: write the capture to a file
  • Continuous capture in production: very useful for diagnosing issues reported by customers.

Conclusion

  • Importance of tcpdump: essential for troubleshooting network traffic issues.
  • Usage in production: capture the right packets to diagnose connection and performance issues.
  • Learning the commands: essential for efficient troubleshooting.