ccfcfc🇬🇧

TCPDUMP on a F5 1600 Load balancer - capturing data IN/OUT
Have a F5 LTM 1600 load balancer running 10.2.1

I am using interface 1.2 /VLAN called STAGING_DMZ.
I am wanting to capture traffic going into 1.2 and back out. But it seems when I am in WIRESHARK I only get traffic passing out to the backend servers. The virtual server has an SSL Client profile against it HTTP traffic coming in but I do not. Is there any way to ensure my TCPDUMP is capturing both ways on the interface?
I have used the syntax below, also using -i 1.2, which makes no difference.

Syntax used:
tcpdump -i STAGING_DMZ -s 2048  dst 192.168.53.1 -w /var/tmp/test.cap


giltjr🇺🇸

The dump command you have will capture all IP traffic on the VLAN STAGING_DMZ where the destination IP address is 192.168.53.1.  If that is the IP address of the backend host, then you will NOT get any traffic coming from it.

What you most likely want is:

tcpdump -i STAGING_DMZ -s 2048  host 192.168.53.1 -w /var/tmp/test.cap

This will capture all IP traffic to and from 192.168.53.1 that goes across the Interface STAGING_DMZ.

ccfcfc🇬🇧

ASKER

I was looking for the traffic that goes into the VLAN (1.2) from the OUTSIDE firewall as it connects to a DMZ zone. I know F5s use the same interface for Ingress and Egress packets.

I only seemed to see the Egress traffic. I also need to see the Ingress (into the interface from the outside firewall).

Hope that makes sense?

giltjr🇺🇸

"VLAN (1.2)"  VLAN and interface 1.2 can be two different things.

Are you saying you have 1 physical interface with multiple VLANs assigned?  If so, then you need to run two tcpdumps at the same time, one on each VLAN.


ccfcfc🇬🇧

ASKER

No, the interface is 1.2. It has a VLAN name. The traffic is assigned to that VLAN.
I have used the -i switch with 1.2 and -i <VLAN Name> and still I do not seem to be getting Ingress and Egress traffic.

giltjr🇺🇸

I don't really understand what you are trying to capture.

Are you trying to capture traffic to/from a virtual host or a member of a pool?

ccfcfc🇬🇧

ASKER

We are trying to capture SSL traffic into the load balancer before the SSL certificate and encryption has been processed and stripped out.

We want to see the still encrypted HTTPS data, rather than the HTTP data that leaves the load balancer to be forwarded to the pool members.



ASKER CERTIFIED SOLUTION
giltjr🇺🇸


ccfcfc🇬🇧

ASKER

Thanks, I assume unless you specify the 443 traffic it will just capture the normal http traffic?

giltjr🇺🇸

If you do not specify a tcp port number, it will capture all traffic to/from that IP address: http, https, ssh, ftp, telnet, icmp and anything else that host may service or that somebody may attempt to use.

ccfcfc🇬🇧

ASKER

It also seems that if I do not specify a port then it only captured HTTP traffic and no HTTPS traffic. If I need both I will need to run 2 tcpdumps, I assume?

But thanks. Looking back I should have thought of that, just thought if I selected the interface it would capture all Ingress and Egress.


giltjr🇺🇸

If you do not specify a port it will capture everything going in and out of that interface.  If you are not seeing port 443 traffic, then during the time tcpdump was running there was no port 443 traffic on that interface.
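
Added example, not part of the thread: a way to check a finished capture against the two points in giltjr's replies, that a `dst` filter keeps one direction while `host` keeps both, and that port 443 packets show up only if they crossed the interface while tcpdump ran. It assumes the standard one-line-per-packet IPv4 text printed by `tcpdump -nn -r`; the function names, the sample lines and the client address 203.0.113.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the text printed by
# `tcpdump -nn -r FILE` and counts packets to and from one host.

# direction_summary HOST
#   prints "to=N from=N tls=N"; returns 1 when either direction is empty.
direction_summary() {
    awk -v host="$1" '
        # Split "a.b.c.d.port"; ICMP lines carry an address with no port.
        function addr(s,   p) { split(s, p, "."); return p[1] "." p[2] "." p[3] "." p[4] }
        function port(s,   p) { return (split(s, p, ".") == 5) ? p[5] : "" }
        $2 == "IP" {
            src = $3; dst = $5
            sub(/:$/, "", dst)          # destination is printed as "addr.port:"
            if (addr(dst) == host) n_to++
            if (addr(src) == host) n_from++
            if ((addr(src) == host || addr(dst) == host) &&
                (port(src) == "443" || port(dst) == "443")) n_tls++
        }
        END {
            printf "to=%d from=%d tls=%d\n", n_to, n_from, n_tls
            exit !(n_to > 0 && n_from > 0)
        }
    '
}

# Constructed sample of what a `host 192.168.53.1` capture prints.
sample_capture() {
    cat <<'EOF'
10:15:01.000101 IP 203.0.113.10.51514 > 192.168.53.1.443: Flags [S], seq 100, win 65535, length 0
10:15:01.000215 IP 192.168.53.1.443 > 203.0.113.10.51514: Flags [S.], seq 900, ack 101, win 65535, length 0
10:15:01.000390 IP 203.0.113.10.51514 > 192.168.53.1.443: Flags [.], ack 901, win 65535, length 0
10:15:02.100000 IP 203.0.113.10 > 192.168.53.1: ICMP echo request, id 1, seq 1, length 64
10:15:02.100120 IP 192.168.53.1 > 203.0.113.10: ICMP echo reply, id 1, seq 1, length 64
EOF
}

# `host` filter: both directions are present.
sample_capture | direction_summary 192.168.53.1
# `dst` filter, modelled by keeping only lines addressed to the host.
sample_capture | grep '> 192\.168\.53\.1[.:]' | direction_summary 192.168.53.1 ||
    echo "only one direction captured"
```

Against a real capture the input would be `tcpdump -nn -r /var/tmp/test.cap | direction_summary 192.168.53.1`.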

ccfcfc🇬🇧

ASKER

Perhaps. But thanks