Transcript for:
F5 TCP Dump and Wireshark

Good morning everyone, I hope everyone is doing good. So today's topic is Wireshark. The first topic for the day is tcpdump. So whenever, guys, someone reports some issues like traffic is not coming or reaching F5, I need to take a Wireshark capture, so in this case you need to take a packet capture. So in which cases, guys, do you need to take a packet capture? First, in cases where you need to capture the packets that are sent and received. Let's say a client sends a packet to F5 and F5 needs to transfer it to server one, server two or server three. In those cases, guys, you need to determine that the user is reporting some issues. So what happens in this case is, when the client connects to the URL, let's say the URL is cnet.com, and the customer says, "This URL I'm not able to access through my browser," okay, that is the first use case: when the customer comes to you saying that the URL hosted on F5 is not working fine. So what are the things you need to check? First, DNS, which we discussed. Second thing is whether your virtual server is up and pool members are up; you need to check this. And the third step is, once that is also up and everything is working fine, you need to check the statistics. So you need to go to virtual server statistics and pool member statistics; you need to check whether you are getting traffic on your virtual server and pool member. If you're getting traffic on the virtual server, that means the client-to-F5 handshake is okay. If you're not receiving traffic, it means F5 to the server, it means there is an issue with this communication. If you can see that both TCP handshakes are successful, you need to check it, right, you're receiving traffic but still the customer is reporting some issues, so you need to capture the packets to find where the issue is, whether there is an issue with client to F5 or F5 to the server.

So basically, if I talk about tcpdump or Wireshark, in F5 Wireshark is called tcpdump. If someone tells you "I need to capture the packets to see whether everything is working fine on F5," you need to see, right, how you will conclude whether the issue is on F5 or whether the issue is with the server. So for that you need to take captures, Wireshark captures, and for taking a Wireshark capture, tcpdump is a utility in F5, because it is a Linux operating system, that is why tcpdump you need to collect it, and it will help you basically for troubleshooting. So it will help you to capture whether the TCP handshake is successful, first case. Second thing is, if it's an HTTPS packet, whether the SSL handshake is successful, that is the second thing which you can check. Third thing is whether F5 is sending proper packets: if they are receiving, like, an HTTP GET packet, the TCP handshake is fine, SSL is fine, whether the HTTP GET packet which the client sends to F5, whether F5 is sending it to the server or not. And the fourth case is, you can also capture which server F5 is sending a packet to; let's say F5 has three servers in load balancing, server one, server two, server three, that can also be captured. Fifth case is, guys, sometimes there can be issues related to slowness; in that case you can capture the delta time, delta time means difference, whether F5 is receiving some reset packet or something. So let's say if the server is sending a reset packet, it means there is an issue with the server. So all these things can be captured on tcpdump. It is a Wireshark tool for F5 and it is helpful to capture packets in and out from F5, that is the main thing, right: I need to capture the in packet and the out packet, and which one is sending the reset packet if the TCP handshake is not successful, whether it's an issue with F5 or an issue with the server. So all those things can be captured on tcpdump, Wireshark. So we will take some scenarios, some syntax. So you need to learn a little bit of syntax; most are available on Google, but the most preferable syntax which we generally use, you need to just remember that.

So guys, let's say I have a client, I have F5, then I have server 1, server 2, server 3: this is the red server, green server, blue server, and this network is, let's say, 1.2, this network is 1.1, this is the management network and this is the HA network. I want to capture traffic of this only, 1.1 only, whether I'm getting traffic on the 1.1 interface or not. So in this case, guys, you can also apply a filter; basically you need to run filters to understand or limit the traffic, either I need to capture packets on this interface or this interface. You need to learn a command. Let's say I want to view traffic on a single particular interface, what is the command? So the command to view traffic on a single interface is, let's go, this command you need to run in the CLI: tcpdump -i 1.1. So all tcpdump commands you need to run via the CLI. So let's go further on, we will see how we need to run it. I will log in through PuTTY and I will log in to my F5, 192.168.137.50, because all the things you can capture via the CLI, so that's why you need to remember the command. So I will just increase the size so that you can see much better. So first you need to go to tmsh mode, TMOS, or you can run it by bash also. The command is tcpdump -i 1.1, this is the command. So let me log in to the GUI and initiate some traffic, right, to get a packet, guys, I need to initiate traffic, that is the first case. So whenever you go on a call with the customer, guys, the customer says that this URL is not working, you have checked everything on F5, your VIP is up, your pool is up, the next step is you are doing a capture. So you need someone, that is the main point, guys, you need someone on the call who can join and initiate traffic; until you initiate traffic you will not get anything on F5 Wireshark. So you need someone on the call, like the customer, to initiate the traffic from his machine. Ask the customer, "Hey customer, can you just access cnet.com so that we can troubleshoot what the issue is?" The most common tcpdump command syntax which I generally follow, I will tell you that, that will help you.

So I have three interfaces, so I'm capturing packets on tcpdump 1.1. So see, right now I'm just getting this packet because I have not initiated, it's a default packet. Now if I access my virtual server 1.60, what is the virtual server I have, 1.80, so I'm just initiating some traffic, so let's see if I get anything. See guys, I've got many traffic, first traffic case, see, you will get to know. So I will just stop it and I will just show you upward. So see what it's saying is, I initiated the first traffic on 1.60, it's saying ARP request for 1.60, tell 192..., but I did not find anything. But after that, what I initiated, can you see this, initially I accessed, this is my client IP and this is my VIP, the SYN packet is there, then again nothing is coming properly. Then I initiated traffic to 1.80, can you see this, every time there is a SYN and then a reset packet, because there is no virtual server like this, that is why it's sending a reset packet. My main concern is, in Wireshark I should see this packet, right, I should see that I have this client, I have F5, I'm capturing traffic on 1.1 which is external, my machine IP is 192.168.1.4, my virtual server IP is 192.168.1.60. The first packet from this will be SYN from client to F5, then SYN-ACK, then acknowledgement, but there is no virtual server 1.60, so the SYN packet came in, after some time F5 sent a reset packet, because that is normal, right, I don't have a virtual server, I will send a reset packet. Now after that, what I initiated, I initiated traffic for 1.80, let's see that packet. See, this one is a packet for 1.80, first packet flag, it's saying that 1.4 packet, after that 1.80 will reply with acknowledgement, see here you can see SYN, after that this will send ACK, can you see these three packets. See, this one is a little difficult, I will show you through Wireshark, but this is a CLI command; you can also save this file in pcap format to view from Wireshark. So see, this, I don't prefer this syntax, so what I will do, I will write -w, then I will write ext.pcap.

So what it will do is, guys, it will save your file in this directory. You need to first, all the Wireshark captures generally get saved in this directory, verify. So guys, by default tcpdump shows all output in the CLI, but now I need to view this through the Wireshark software so that it's in a much more readable format. So in that case I need to save with this syntax in a directory and I need to give the file name as xyz-something.pcap, because only pcap can be viewed from this Wireshark tool; if you don't save the file in pcap format then you will get output like that which I showed you. So how to save it: this file, generally we save all these tcpdumps in the temporary directory so that you can delete them later on also. So I will give that, hey, I need to capture all traffic externally, and write, -w is to write and this is the directory, so I will say external.pcap. Now see, the packet capture has started, now I will ask the customer to initiate, now he has initiated, I will stop. Can you see, 748 packets have been received by filter, so it means the capture is successful. Meanwhile let me also add the gateway again, so yesterday I removed it, I will just activate in all my red, green, blue servers, I will just add the gateway, F5, because if you remember we did SNAT labs, so I removed the gateway to show you, I'm just adding the gateway again, here also, red server. So that is how you need to ask your customer to initiate traffic so that you can capture on F5, and after that, once they have initiated traffic and reproduced the issue, you need to stop the capture. For stopping the capture you need to press Ctrl+Z, so see, I just first did it, then after that Ctrl+C. Now if I save any other thing you can give another name, external. If I need to stop, Ctrl+Z first you run, then press Ctrl+C to stop it. This is important: press Ctrl+C to stop the packet capture, Ctrl+C to stop the packet capture. Now let's go, I have saved this file, now I will take WinSCP and I will take the capture to my desktop, so I will log in as root.

Now I will go to where I saved it, in the /var/tmp directory, right, now I will go to the temp directory. I need to take this file from my F5 to my desktop, so I will go to /var/tmp and I will see the file, see this file, ext.pcap, and I will take this file to my desktop. Let's say I will change here to my desktop and I will just transfer it like this. So your file is stored in your F5 directory. Important point: how to take it from the F5 directory to your desktop to view from Wireshark. So you need to open WinSCP and log in via root credentials to F5. So I just logged in to WinSCP and I have transferred it. Now I will go to my desktop, 1.80, just give me one minute, uh, okay, a cookie was there, so that's why everything was going into the red server, because we were saying that we were refreshing but it was not going, now it will go, there was a cookie session applied. So I will go into the desktop and I will review the file, which is the file I have in pcap format, there is one file, ext, this one, now I will open it through Wireshark. Okay so guys we have got the file. So first of all guys, I will just do this, now can you see this, this is my source IP, this is my VIP, the first packet is a SYN packet, and what is the port number, 80. So this line confirms what thing, guys, that I am receiving packets on my interface and the three-way handshake is successful, are you getting me, SYN packet, SYN-ACK, acknowledgement, this one: SYN, SYN-ACK and acknowledgement. First of all the client will send a SYN packet, the virtual IP will send a SYN-ACK, then acknowledgement. After that, can you see, an HTTP packet, because there is no SSL, that is why there is just HTTP. You can just go here, just right click and you can follow HTTP stream, it will give you the data; because there was a cookie, it was showing me the cookie also. This is how the HTTP request headers look. So this confirms that the packet is getting received on my virtual server and the three-way handshake is successful. You can show this to your customer if they say that F5 is not receiving a packet; they might say that F5 is having an issue, you can show them that, see, hey, the client is sending a packet and I'm sending a SYN-ACK and the three-way handshake is successful.

Let's say I want to capture end-to-end packets. My next scenario is, I have a client, I have an F5, I have red, green, blue servers, I want to capture end-to-end packets, that is the main thing you need to do, right. I was just showing you that you can capture at interface level also; even, guys, you can capture at VLAN level also. Let's say we have two VLANs, external, internal; you can run this command, tcpdump -i then your VLAN name, the same way where I ran this command. Now tcpdump -i interface, like 1.1, 1.2, 1.3, this is the command to capture at interface level; you can capture at VLAN level also. But I want to capture all end to end, interface 1.1, 1.2, I don't need to specify this, I need to capture both, end to end, this interface traffic also and this interface traffic. So that is called how to view all interface traffic, that is the one use case. So the command to run is tcpdump -i 0.0, any interface, it represents any interface. Why am I using 0.0, because this is the syntax, right, the first will represent your slot number, the other is your port number, that is why this is an F5 interface, the first one is slot, then port. Any interface, like I want to capture, don't specify a particular interface, whether it's 1.1 or 1.2, I need to capture end to end. So I will run this command, let's see. So the command is, you can also note it down, tcpdump -i 0.0, any interface. So let's go, tcpdump -i 0.0, then I will write this file in my temporary directory, any.pcap. Now I will generate traffic, I will open a new browser, I will say 192.168.1., let me access 1.80 first. Now I will refresh, okay, I got it, now I will press Ctrl+C. Now I will go into WinSCP, I will just refresh and this is the file any.pcap, I will just transfer it like this. Now I will go to my desktop and I will open it.

Now here you can apply a filter also, guys. Let's say I want to capture only on ip.addr == 192.168.1.80, so this is the filter. You can see Wireshark is a normal device where you can capture the traffic, so you need to filter here also. Let's say there are many virtual servers; you need to ask the customer, "Hey customer, what is your IP?" The customer says, "My IP is this," so you can filter in Wireshark also like this, ip.addr ==, you need to just see the session for 1.4. Maybe let's say I have a virtual server 192.168.1.80, this is accessible from many customers, right, but only this user is reporting the issue, so you can filter on this also. So I will say ip.addr, I will go here upwards and I will just enter my client IP, so you will see all packets captured here: first packet SYN, then the virtual server which sends SYN-ACK, and then acknowledgement. So this confirmed that the packet is fine. Now guys, this is your client-to-F5 session, but I want to capture F5 to the server also. So what I will do, I will just select this one, the first packet, the SYN packet, and I will follow TCP stream and let me see if I get the server details also. Here I'm not getting any packet at server level, so what I will do, I will enter any server IP, ip.addr 10.2.2.30 let's say. So see guys, I am getting packets, both the packets: first I'm getting client-to-F5 packets, now I want to see F5-to-the-server packets, because I entered tcpdump -i 0.0, any interface, so it will give me the server IP also. So you can see, just select any of the servers, this one let's say, I will just follow TCP stream, so it will show me, and what is this IP, anyone guys, 10.2.2.50? What is this IP, why am I getting packets from this IP? This is your self IP.

And let me go to my virtual server, let me check if I have enabled SNAT or not; yesterday we discussed SNAT, right. Now I will go here and I will see, can you see this, automap, that is why it is getting translated into the SNAT IP, can you see this, your source IP is getting translated here. My source IP was, I need to see this session, right, 1.4, one session will be from this to my virtual server, another session, if there is no SNAT, let's say there is no SNAT, the next session from F5 to the server will be which one, what will be the source IP when F5 initiates traffic to the server when SNAT is not enabled, what is the source IP in that case? So in that case the source IP would be the same, but in this case we have SNAT automap enabled. So yesterday we discussed, when SNAT automap is enabled, your source IP, this one, will get translated into the self IP of your egress VLAN; the egress VLAN is the same VLAN where the server resides. So I was telling you, right, we will show you the packet capture and tell you how the connection is working; so this is how your automap is getting translated. Even I can show you another server also, there are three servers, right, ip.addr, you can see this packet, 10.2.2.31, or you can also select ip.addr == 10.2.2.32 or ip.addr, these are the filters, guys, 30, I want to see the captures, 10.2.2.30, 31, 32. I will just select this filter, ip.addr, I will give the first server IP 10.2.2.30 or 10.2.2.31 or 10.2.2.32, because I want to capture all packets, enter. So can you see this, all the packets are getting translated, I cannot see 192.168.1.4 initiating a connection.

Can you see this, I can see one IP, 10.2.2.52, why, what is this IP, 52? So what I will do is, I'll go here, 52, maybe there is some IP, why, can anyone tell me? There is one IP 10.2.2.50 and one IP is 10.2.2.52 that we have not configured anywhere. So what I will do, just hold on, I have one HA device also, right, so when I go here, self IP, can you see this. So when we have HA, guys, in HA you need to very much consider that your data traffic will always go, when F5 communicates to the server, your F5 will translate your source IP to the floating IP. But I can see both 10.2.2.50 also, 10.2.2.52 also. This is used for data traffic when F5 is connecting to the server, and this traffic is used for the health monitor. We discussed the health monitor, right; in the health monitor, guys, both the devices will monitor simultaneously, whether F5-1 is active or F5-2 is standby, both the devices will monitor respectively. This will have an IP called 10.2.2.51, you will see, and this will have 10.2.2.52, but all your data traffic will go via 10.2.2.52. But right now I have HA, don't, my F5-2 is down, but still the packet is going. So a question will be asked in the interview, guys: which source IP will it take for the health monitor, whether it is a floating IP or a non-floating IP? So you should say non-floating IP. Which traffic will F5 translate when it goes to the server for data? Then you will say floating IP. Floating IP is for data traffic, non-floating IP is for the health monitor, because both the devices will have a non-floating IP also. So there are two types of IP we discussed, one is local only and one is floating. For every interface we have three, for every VLAN we have three IPs, right. Let's say we have VLAN internal and we have F5 in HA, F5-1, F5-2, so this, let's say this IP is 10.2.2.50, non-local IP, this is local only and they will have one floating IP, so that is what it's showing.

Now what I will do, guys, I will just reset this, I will remove the HA configuration so that you will come to know that it will only have, anyways let's keep it, it does not impact, anyways it will help you to capture, but let me reset the device trust once. I will go to HA, I will delete this, I'm deleting the HA configuration so that it will only capture from one IP; I will make this device standalone. Now if I capture it you will see the difference. I will close this, close this, I will initiate again, I will close now and I will open this again, I will refresh and I will move this. Now let's see what IP I can see, I will open this packet capture, right now there is no HA, so let's see. I think it's still taking, but anyways, not an issue, uh, mostly you will have your F5 in HA only, your F5 will be every time in HA only, so you should remember. Anyway, still it's getting SYN, SYN-ACK, acknowledgement, then HTTP, can you see this IP. If I do this, let me see all the packets for this IP, this will be front-end traffic, I cannot see any communication from the client to the server directly. So what I will do quickly, I will go to my virtual server, I will remove SNAT. Now, my question is, guys, I have removed SNAT from my VIP, this is my virtual server and I have removed SNAT. Now what will the connections be: there will be client, F5, then I have three servers, red, green, blue. What will be the source IP, destination IP when F5 initiates a connection to the server, what will be my source IP and destination IP, that is our concern now. So let's take a packet capture again. We were saying that when SNAT is enabled your source IP is getting translated into your self IP. Now I will capture again, or I will give a new file, I will say nosnat. Now I will open, so it's taking some time, so I will just check RGB members, okay, there is one server, so I will just refresh.

So somewhere it's taking time and not giving me, what is the issue, guys, I have members, okay, ratio is there but round robin is there, that's fine, my servers are okay, so still this page is not loading, 192.168.1.80 is not loading properly. So what is the issue, it's giving me an error, so let's see what the issue can be. I have the VIP up, the HTTP profile is there, SNAT automap is none and my server gateway is also okay, my pool member RGB is also up, still it's having issues. So let's go into the RGB server, 10.2.2.50, that is fine; let me just reset all the servers, because after doing changes I thought that I did not do the reboot, so maybe that can be the issue, so let me reboot and try, because whenever you do any changes on your server you need to reboot. So I'm just rebooting all, and my capture is running, I will stop this and I will capture again, I will delete this file, nosnat, and I will take the capture again. So this is how you troubleshoot where the issue can be: you have taken the capture, you can check that one server is working, the second server. So I will just run it again, my servers will get reset and I will show you again. This is up, this is up, okay, now let me refresh, it should work now. See guys, now it is working. Now I will capture; there was an issue that I added the gateway but it did not take effect because previously SNAT was enabled, now it's fine. Now let's see what packets it has captured, whether the source is getting translated or not. I'll just go here, refresh, nosnat, I'll go to the desktop and I will open this file. Now I will just select this file, IP, this one, can you see this, guys, now you can also see that if I follow this, now you will see that there is a direct client-to-server connection also. Previously, when SNAT was enabled, one session was client to F5, another session was F5 self IP to the server, but when there is no SNAT, in that case you will see one session from client to VIP and one session from client to server, because by default F5 only performs destination NAT, which we discussed today. I showed you through Wireshark also, there are two sessions, one I will show you, client to VIP, and one I am showing through client to server. You will see all sessions if I, I will show you, there is one session. Again I will apply the filter ip.addr, my virtual IP, I will enter, you will see one session, TCP handshake from client to VIP also, see 1.4 to 80, I will just follow TCP stream, you will see SYN, SYN-ACK. So this confirmed that, guys, the three-way handshake is working from client to F5 and F5 to the server. So this is the basic syntax which generally people will ask.

Now guys there are many other syntaxes also. Now I only want to capture one virtual server; there are, let's say, 10 virtual servers, 192.168.1.60, 1.80, 1.90, I want to capture traffic only on this virtual server, so what is the command? So the command for this is tcpdump host 192.168.1.60, to view all packets, very important command, I need to view all packets that are traveling to and from a specific IP address, I want to see every packet going from this and replying back, view all packets that are traveling to and from a specific IP. Previously we talked about interface level; you can also mention a particular IP, are you getting me, I want to view all packets that are traveling to and from. Also, guys, there can be a question that, hey, I want to see only packets from the virtual server, sorry, from this client to this, this is my client, this is my server, I want to see packets only between these two. I want to see, when I access my virtual server, let's say this virtual server sometimes sends packets to 10.2.2.30, sometimes to 10.2.2.31, sometimes to 10.2.2.32, but I want to see only packets from this client to this, from a specific source host and a specific destination host. So in that case what you need to do, the syntax for that is tcpdump, you can either write host 192..., I will just write that down, tcpdump src host, sorry, the command is tcpdump src host 192.168.1.4 and dst host, the destination host is my server IP, that is, and, right, and means it will capture only this: if both conditions are true then only it will capture. or means it can be many, either this or this or 10.2.2.30, that is or; or means it will capture any packet. and means I'm specifying that I only want to capture traffic going from this machine to this server, it will not capture any other. See here, what I'm getting is, I'm getting packets, if I see all servers' packets, I'm getting 10.2.2.30 here also, I will see packets, see this client is having a connection to this server also, I will see packets for 31 also, see this client is connecting to 31 also, now if I enter 32 also I can see, but I only want to see the capture from 1.4 to 10.2.2.30. So let's see, tcpdump src host 192.168.1.4 and dst host 10.2.2.32, I will just do it, sorry, but I have not given a file name here, I will just write -w /var/tmp/r.pcap, refresh, can you see, right now there is no packet captured. Now what I will do, I will say 1.80 let's say, so I'm not getting packets. So sometimes if this command does not work you can do like this: tcpdump host 192.168.1.4 and host 192.168, sorry, 10.2.2.32 -w /var/tmp/r.pcap. Now let me see if it captured like this; maybe src host is not running that command, so I've just, I removed src and dst, so let's see if I captured something, just 0.0. Okay so, guys, that command would also work but I did not mention any interface, right, the interface also I need to mention, from which interface, because this is my external, this is my internal. So I need to mention this command and the interface, because it will capture on the interface, right, now it has captured. So this is the correct command: tcpdump -i, I should mention the interface first, also host 192.168.1.4 and host 10.2.2.30, -w /var/tmp, so this will help you to capture all this traffic, because I need to capture traffic on an interface, right, if I don't mention that, it will not take it, because traffic is coming on an interface, so that's why we need to mention the interface number also. Now let me open it, I will refresh, or I will move it to the desktop, now you will see that the only captures will be from 10.2.2.32. Are you able to see any 30 IP, ip.addr 10.2.2.30, see, 31, no, 32, so that also confirms it.

Sometimes people will say, hey, uh, my customer will come with one requirement, very important question, guys, which I'm asking now: my customer will come with a requirement like, I have a customer which has a URL cnet.com, the IP is 192.168.1.80, he wants to see whether traffic coming from, let's say, one client going to F5, whether that traffic is going to the red server at a time or not. By default you can show them through the default packet capture we did, but I only want to capture traffic from 192.168.1.4 to my red server, so in that case that command is useful, guys; this command, guys, will capture traffic from a particular source to a particular destination. Now guys, if I want to, in a live production environment, what is the best command to run when you have a production environment, which is the tcpdump command which is suggested? So that's what I'm running now. So the best command to run in production whenever a customer reports some issues, let's say the customer reports an issue that "I am not able to access this virtual server," what is the command? This virtual server has three backend servers, red, green, blue, so I need to capture all the traffic going from this virtual server to red, green, blue, what is the best command, and that command which I'm showing you, that will help you every time, guys, you need to run that command only, every time when someone reports some issues. So just remember that command: tcpdump -i then 0.0, after that, generally, guys, somewhere you need to also mention this one, there's -s0, this is, what I need to capture, unlimited data. -s0 means, there is a limit that I want to capture the first 10 packets, 20 packets or 30 packets; -s0 means I need to capture an unlimited packet. Then I will enter this, -ni 0.0, after that I will mention host 192.168.1.80 or host 30 or host 31 or host 32, then I will write this command, /var/tmp/virtual.pcap. So this is the correct command in a production environment to capture end-to-end traffic, very important command, guys, you can note it down. -s0 means unlimited packet length, I don't want to limit the packets. -n means don't convert host addresses to names; this is used to avoid DNS lookups, this is to avoid DNS lookups. -s is unlimited data, -i 0.0 any interface, -ni means to avoid DNS lookup, and this is my VIP IP, these are my red, green, blue servers, -w is to write the packet capture file. So this will capture end-to-end packet flow, guys, so please note down this command, this will always help when someone reports some issues related to F5, always run this command.
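As an added example, not part of the video or of F5's own tooling: a small Python script that takes packet records in the field order `tcpdump -nni 0.0` prints them and performs the checks the session walks through by hand in Wireshark (three-way handshake complete, which side sent the reset, SYN to SYN-ACK delta for slowness, and whether the server-side session is sourced from the SNAT self IP). The addresses, ports and timings are constructed to mirror the lab values above; `SELF_IPS` and `VIPS` are assumptions the script is told about.

```python
"""Check an F5 capture the way the session does by hand: handshake, resets,
SYN/SYN-ACK delay and SNAT self-IP sessions.  All records are constructed."""
from collections import OrderedDict

# Constructed records in the field order `tcpdump -nni 0.0` prints them:
# (seconds, src_ip, src_port, dst_ip, dst_port, tcp_flags as tcpdump shows them)
SAMPLE_CAPTURE = [
    # client -> VIP 192.168.1.80: clean three-way handshake
    (0.000, "192.168.1.4", 51000, "192.168.1.80", 80, "S"),
    (0.001, "192.168.1.80", 80, "192.168.1.4", 51000, "S."),
    (0.002, "192.168.1.4", 51000, "192.168.1.80", 80, "."),
    # F5 -> red server, SNAT automap: source is the self IP, not the client
    (0.003, "10.2.2.50", 40000, "10.2.2.30", 80, "S"),
    (0.004, "10.2.2.30", 80, "10.2.2.50", 40000, "S."),
    (0.005, "10.2.2.50", 40000, "10.2.2.30", 80, "."),
    # client -> 192.168.1.60, where no virtual server exists: SYN then RST
    (1.000, "192.168.1.4", 51001, "192.168.1.60", 80, "S"),
    (1.002, "192.168.1.60", 80, "192.168.1.4", 51001, "R."),
    # F5 -> green server answering slowly: SYN-ACK three seconds later
    (2.000, "10.2.2.50", 40001, "10.2.2.31", 80, "S"),
    (5.000, "10.2.2.31", 80, "10.2.2.50", 40001, "S."),
    (5.001, "10.2.2.50", 40001, "10.2.2.31", 80, "."),
]

SELF_IPS = {"10.2.2.50"}                 # assumed: the self IP used by SNAT automap
VIPS = {"192.168.1.80", "192.168.1.60"}  # assumed: addresses clients connect to


def analyse_flows(records):
    """Group packets into flows keyed by the SYN sender (initiator side).

    Each flow records whether the handshake completed, which IP sent the
    first RST (if any) and the SYN -> SYN-ACK delay in seconds.
    """
    flows = OrderedDict()
    for ts, sip, sport, dip, dport, flags in records:
        fwd, rev = (sip, sport, dip, dport), (dip, dport, sip, sport)
        if fwd in flows:
            key, from_initiator = fwd, True
        elif rev in flows:
            key, from_initiator = rev, False
        elif flags == "S":
            key, from_initiator = fwd, True
            flows[key] = {"syn_ts": ts, "synack_delay": None,
                          "handshake": False, "reset_by": None}
        else:
            continue  # mid-stream packet whose SYN is not in the capture
        f = flows[key]
        if "R" in flags:
            if f["reset_by"] is None:
                f["reset_by"] = sip
        elif not from_initiator and flags == "S.":
            f["synack_delay"] = round(ts - f["syn_ts"], 3)
        elif from_initiator and flags == "." and f["synack_delay"] is not None:
            f["handshake"] = True
    return flows


def session_side(key):
    """Classify a flow the way the session reasons about SNAT."""
    sip, _, dip, _ = key
    if sip in SELF_IPS:
        return "f5-selfip-to-server"   # SNAT automap in effect
    if dip in VIPS:
        return "client-to-vip"
    return "client-to-server"          # no SNAT: F5 keeps the client source


def find_problems(flows, slow_threshold=1.0):
    """Return human-readable findings for flows that are not healthy."""
    problems = []
    for key, f in flows.items():
        where = "%s:%d -> %s:%d (%s)" % (key[0], key[1], key[2], key[3],
                                         session_side(key))
        if f["reset_by"] is not None:
            problems.append(where + " reset by " + f["reset_by"])
        elif not f["handshake"]:
            problems.append(where + " handshake incomplete")
        elif f["synack_delay"] > slow_threshold:
            problems.append(where + " slow SYN-ACK, %.3fs" % f["synack_delay"])
    return problems


if __name__ == "__main__":
    for line in find_problems(analyse_flows(SAMPLE_CAPTURE)):
        print(line)
```

On the constructed input the script flags only the reset from 192.168.1.60 and the slow SYN-ACK from 10.2.2.31; the two healthy sessions (client to VIP, self IP to red server) produce no finding.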