F5 TCP Dump and Wireshark

Jul 4, 2024

Introduction

Today’s topic is tcpdump and Wireshark in the context of F5 BIG-IP: tcpdump captures packets on the BIG-IP itself, and Wireshark is used to analyze the saved capture. Packet capture is essential when issues like traffic not reaching the F5 are reported, because it shows what actually arrived on each side of the device.

Use Cases for Packet Capture

  • When traffic is not reaching F5: You need to capture packets to understand where the issue lies: client to F5, or F5 to server.
  • Scenario: URL not accessible: Check DNS, virtual server status, pool members, and statistics.
  • Statistics Checks: Determine if virtual server and pool members are receiving traffic. If there’s an issue in traffic flow, perform packet captures to diagnose it.

TCP Dump: Basics and Utility

  • Definition: tcpdump is a command-line packet capture tool that runs on the BIG-IP’s underlying Linux host OS, so captures can be taken directly on the F5 without installing anything extra.
  • Key Uses: Capture and troubleshoot the TCP handshake, SSL/TLS handshake, HTTP requests and responses, load balancing decisions (which pool member a connection was sent to), and delta times between packets (for slowness issues).

Scenarios Captured Using TCP Dump

  • Capturing Traffic on Specific Interface:
    tcpdump -i 1.1
    
  • Capturing on VLAN Level:
    tcpdump -i <VLAN_NAME>
    

Practical Example

  • Setup: Client, F5, Servers (red, green, blue).
  • Commands and Packet Capture: Log in to the BIG-IP over SSH (for example with PuTTY) and run the relevant tcpdump commands from the bash shell.
  • Saving tcpdump Captures: Write packets to a file in pcap format for use in Wireshark (/var/tmp is the usual location on a BIG-IP):
    tcpdump -i 1.1 -w /var/tmp/ext.pcap
    
  • Viewing Captures in Wireshark: Transfer the capture file to your desktop with WinSCP (SCP over the same SSH access) and open it in Wireshark.

Syntax and Filters

  • Basic Syntax: Capture Traffic on Interface 1.1:
    tcpdump -i 1.1
    
  • Saving Traffic from Interface 1.1 to a File:
    tcpdump -i 1.1 -w /var/tmp/ext.pcap
    
  • Specific Host Traffic:
    tcpdump host 192.168.1.60
    
  • Traffic Between Specific Hosts:
    tcpdump src host 192.168.1.4 and dst host 10.2.2.32 -w /var/tmp/r.pcap
    

Advanced Capture in Production

  • Capturing End-to-End Traffic: capture on all interfaces (0.0), with full packets (-s0), no name resolution (-n), and a filter that matches both the virtual server address and every pool member so the client-side and server-side legs of the same request land in one file:
    tcpdump -i 0.0 -s0 -n host 192.168.1.80 or host 10.2.2.30 or host 10.2.2.31 or host 10.2.2.32 -w /var/tmp/virtual.pcap
    

Analyzing Captured Packets

  1. Basic Packet Info in Wireshark: Verify that the TCP handshake and SSL/TLS handshake completed and that HTTP requests and responses are present.
  2. Tracking Connection Issues: Compare the TCP traffic on each leg to determine whether the problem is on the client-to-F5 side (SYN arrives but no SYN-ACK leaves the virtual server) or the F5-to-server side (the F5 sends a SYN to the pool member and gets no answer).
  3. Example Analysis: Follow the HTTP request and response streams in Wireshark, distinguishing client-to-F5 packets (destination is the virtual server address) from F5-to-server packets (destination is a pool member address).

Practical Tips

  • Use Wireshark display filters to isolate one host or conversation:
    • Example: ip.addr == 192.168.1.80
  • Understand SNAT: when the virtual server uses SNAT, the server-side connection carries the SNAT address as its source IP rather than the client’s, so one client request shows up as two separate TCP connections in the capture. Filter on the SNAT address (or the pool member) to find the server-side flow that belongs to a client-side flow, then compare delta times on the two legs to see which side is slow.
  • F5-specific interface modifier: on BIG-IP, appending :nnn to the interface name (for example -i 0.0:nnn) makes tcpdump add TMM annotations such as the flow ID to each packet, which the F5 Wireshark plugin can display to tie client-side and server-side flows together.
  • Avoid DNS Lookups: Use -n so tcpdump does not reverse-resolve every address; lookups slow the capture and generate DNS queries of their own.
  • Capture Full Packets: Use -s0 so the whole packet is captured rather than a truncated snaplen; without it, SSL/TLS handshakes and HTTP bodies may be cut off in Wireshark.
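The analysis steps above (sorting packets into client-side and server-side flows, checking the TCP handshake on each leg, and reading delta times, including across a SNAT) can be scripted rather than clicked through in Wireshark. The following is an added example and is not F5’s code or the author’s: it parses a pcap of the kind tcpdump -w produces and reports, for every TCP flow, which side of the F5 it belongs to and whether the three-way handshake completed. It assumes a classic Ethernet pcap containing IPv4/TCP traffic, reuses the virtual server 192.168.1.80, client 192.168.1.60 and pool members 10.2.2.30 and 10.2.2.32 from the page, and assumes 10.2.2.5 as the SNAT address; the capture itself is constructed inline so the script runs offline.

```python
"""Classify the flows in an F5 tcpdump capture as client-side (client <-> virtual
server) or server-side (SNAT address <-> pool member) and flag handshakes that
never completed.  Added example, not F5 code.  Assumptions: classic little-endian
pcap, Ethernet link type, IPv4/TCP only; virtual server IP and SNAT addresses are
supplied by the caller."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
SYN, ACK = 0x02, 0x10        # TCP flag bits


def build_pcap(frames):
    """Serialize [(timestamp_seconds, raw_ethernet_frame), ...] as a pcap file."""
    # global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 (Ethernet)
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, raw in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(raw), len(raw)) + raw)
    return b"".join(out)


def tcp_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (not verified here)."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def parse_pcap(data):
    """Yield (timestamp, src, dst, sport, dport, tcp_flags) for every IPv4/TCP record."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = data[off:off + incl]
        off += incl
        if pkt[12:14] != b"\x08\x00" or pkt[23] != 6:       # skip non-IPv4 / non-TCP
            continue
        tcp_off = 14 + (pkt[14] & 0x0F) * 4                 # 14-byte Ethernet + IHL
        sport, dport = struct.unpack_from("!HH", pkt, tcp_off)
        yield (sec + usec / 1e6, socket.inet_ntoa(pkt[26:30]),
               socket.inet_ntoa(pkt[30:34]), sport, dport, pkt[tcp_off + 13])


def classify_flows(pcap_bytes, virtual_ip, snat_ips):
    """Track each handshake.  Keys are (initiator_ip, port, responder_ip, port)."""
    flows = {}
    for ts, src, dst, sport, dport, flags in parse_pcap(pcap_bytes):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:                 # pure SYN: the initiator
            if fwd in flows:
                flows[fwd]["syn_retransmits"] += 1          # same 4-tuple, SYN again
                continue
            if dst == virtual_ip:
                side = "client"                             # client -> virtual server
            elif src in snat_ips:
                side = "server"                             # F5 (SNAT address) -> pool member
            else:
                side = "other"
            flows[fwd] = {"side": side, "syn": ts, "syn_ack": None,
                          "ack": None, "syn_retransmits": 0}
        elif rev in flows and flags & SYN and flags & ACK:  # responder's SYN-ACK
            if flows[rev]["syn_ack"] is None:
                flows[rev]["syn_ack"] = ts
        elif fwd in flows and flags & ACK and flows[fwd]["syn_ack"] is not None \
                and flows[fwd]["ack"] is None:              # initiator's final ACK
            flows[fwd]["ack"] = ts
    report = {}
    for key, f in flows.items():
        report[key] = {
            "side": f["side"],
            "handshake_complete": f["ack"] is not None,
            "syn_retransmits": f["syn_retransmits"],
            # delta between SYN and SYN-ACK: how long the responder took to answer
            "syn_to_synack_ms": None if f["syn_ack"] is None
                                else round((f["syn_ack"] - f["syn"]) * 1000, 1),
        }
    return report


VIRTUAL_IP = "192.168.1.80"                     # virtual server from the page's capture filter
SNAT_IPS = {"10.2.2.5"}                         # assumed SNAT address on the server-side VLAN
CLIENT, GREEN, BLUE = "192.168.1.60", "10.2.2.30", "10.2.2.32"

# Constructed capture: client handshake succeeds; SNAT -> blue gets no SYN-ACK
# (SYN retransmitted twice); SNAT -> green answers after 200 ms.
SAMPLE_PCAP = build_pcap([
    (1000.000, tcp_frame(CLIENT, VIRTUAL_IP, 51000, 443, SYN)),
    (1000.001, tcp_frame(VIRTUAL_IP, CLIENT, 443, 51000, SYN | ACK)),
    (1000.002, tcp_frame(CLIENT, VIRTUAL_IP, 51000, 443, ACK)),
    (1000.003, tcp_frame("10.2.2.5", BLUE, 40001, 443, SYN)),
    (1001.003, tcp_frame("10.2.2.5", BLUE, 40001, 443, SYN)),     # retransmit, no reply
    (1003.003, tcp_frame("10.2.2.5", BLUE, 40001, 443, SYN)),     # retransmit, no reply
    (1003.010, tcp_frame("10.2.2.5", GREEN, 40002, 443, SYN)),
    (1003.210, tcp_frame(GREEN, "10.2.2.5", 443, 40002, SYN | ACK)),
    (1003.211, tcp_frame("10.2.2.5", GREEN, 40002, 443, ACK)),
])

if __name__ == "__main__":
    for flow, info in classify_flows(SAMPLE_PCAP, VIRTUAL_IP, SNAT_IPS).items():
        print(f"{info['side']:6} {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {info}")
```

On the constructed sample the client-side handshake completes, the server-side SYN to 10.2.2.32 is never answered (two retransmits, no SYN-ACK) and the server-side handshake to 10.2.2.30 shows a 200 ms SYN-to-SYN-ACK delta; that is the pattern that places the fault on the F5-to-server leg rather than on the client. On a real capture, replace SAMPLE_PCAP with the bytes read from /var/tmp/virtual.pcap and pass the virtual server and SNAT addresses from your configuration.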

Conclusion

  • Knowing how to take a tcpdump capture on the F5 and read it in Wireshark is essential for traffic troubleshooting: it tells you which leg of the connection (client to F5, or F5 to server) is failing or slow.
  • Use specific capture filters (host, src, dst) and the -n and -s0 options so captures are small, complete and quick to analyze.