F5 TCPDUMP

Show Configuration

    tcpdump -i internal
    tcpdump -i 1.2
    tcpdump -i eth0
    tcpdump -i eth0 -nn
    tcpdump -i 1.1
    tcpdump -i 0.0 -w /var/tmp/New-TCPDMP.pcap
    tcpdump -i 0.0 -w /var/tmp/New-TCPDMP.pcap -s0
    cd /var/tmp
    tcpdump -i 0.0 -s0 arp -nn
    tcpdump -i 0.0:p host 192.168.1.92
    tcpdump -i 0.0:p host 192.168.1.101 -nn
    tcpdump -i 0.0:p host 192.168.1.92 and not tcp port 22 -nn
    tcpdump -i 0.0:p host 192.168.1.92 and not tcp port 443

    tmsh show running-config /ltm
    tmsh list ltm
    tmsh list /ltm virtual all-properties
    tmsh list /ltm pool all-properties
    tmsh list /ltm node all-properties
    show sys self-ip
    tail -f /var/log/ltm

-------

    tcpdump -s0 -nn -i 0.0 -vvv -l -x host x.x.x.x and port yyy -w /tmp/outfile.cap
    tcpdump -vvv -s 0 -nni internal -w /var/tmp/www-ssl-server.cap host 192.168.22.33 and net 10.1.1.0/24 and port 8080

The traffic matching the specified filter is saved to the indicated capture file. The options used are:

    -vvv  Maximum verbosity
    -s    Snaplength (0 captures full packets)
    -nn   Do not resolve host or service names
    -i    Interface - can be ifname or vlan name
    -w    Write output to file

It is useful to take two captures: one on the client side (filter on source IP) and one on the server side (filter on backend server IP). Then run ssldump against the capture file:

    ssldump -Anr outfile.cap

More info here: https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html
Compare ssldump output with: https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15292.html

---
This tcpdump uses the p flag (the trailing p in the 0.0:nnnp interface argument) to capture “peer” flows when traffic is SNATed on the server side. This means you can see the traffic from a host coming in to the F5 and going out to the load-balanced destination in a single capture.

    tcpdump -vni 0.0:nnnp -s 0 -w /tmp/capture.pcap host x.x.x.x

Traffic matching the query is saved to the capture file named after the -w. The -v lets you see how many packets are being captured, and the -w sends the output to a file.

-----

Testing a Virtual server on a F5

It may sound obvious, but an F5 can be used to loop back on itself to test whether the virtual server is working. A simple test would be telnet. This can be run from the live F5; the command below runs this test when multiple route domains are in use on the F5:

    rdexec <routing instance number> telnet <serverIP> <port number>

Example below for routing instance 2, server 192.168.1.1, over port 443:

    rdexec 2 telnet 192.168.1.1 443

Taking this one step further, to check whether the SSL handshake is working and that a certificate is being offered, a test can be sent to the virtual server to check whether there is termination or pass-through. If that fails, run the test from the F5 to the back-end server in question. This can be used in conjunction with tcpdump and ssldump to nail the issue. The command below again uses route domain 2 and displays the certificate that is handed out by the server.

    rdexec 2 openssl s_client -showcerts -connect 192.168.1.1:443