
F5 TCPDUMP

tcpdump -i internal
tcpdump -i 1.2
tcpdump -i eth0
tcpdump -i eth0 -nn
tcpdump -i 1.1
tcpdump -i 0.0 -w /var/tmp/New-TCPDMP.pcap
tcpdump -i 0.0 -w /var/tmp/New-TCPDMP.pcap -s0
cd /var/tmp
tcpdump -i 0.0 -s0 arp -nn
tcpdump -i 0.0:p host 192.168.1.92
tcpdump -i 0.0:p host 192.168.1.101 -nn
tcpdump -i 0.0:p host 192.168.1.92 and not tcp port 22 -nn
tcpdump -i 0.0:p host 192.168.1.92 and not tcp port 443

Show Configuration

tmsh show running-config /ltm

tmsh list ltm


tmsh list /ltm virtual all-properties
tmsh list /ltm virtual PiServer

tmsh list /ltm pool all-properties


tmsh list /ltm pool HTTP-WEB-123
tmsh list /ltm pool HTTP-WEB-123 all-properties

tmsh list /ltm node all-properties

show sys self-ip

tail -f /var/log/ltm

-------

tcpdump -s0 -nn -i 0.0 -vvv -l -x host x.x.x.x and port yyy -w /tmp/outfile.cap

tcpdump -vvv -s 0 -nni internal -w /var/tmp/www-ssl-server.cap host 192.168.22.33 and net 10.1.1.0/24 and port 8080

The traffic matching the specified filter is saved to the indicated capture file.

The options used are:

-vvv Maximum verbosity

-s Snaplength (0 captures full packets)

-nn Do not resolve host or service names

-i Interface - can be ifname or vlan name

-w Write output to file

It is useful to take two captures:

one on the client side (filter on source IP)

one on the server side (filter on backend server IP)

Then run ssldump against the capture file:

ssldump -Anr outfile.cap

More info here:

https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html

Compare ssldump output with:

https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15292.html

---

This tcpdump uses the p flag (the trailing p in 0.0:nnnp) to capture "peer" flows
when traffic is SNATed on the server side. This means you can see the traffic from
a host coming in to the F5 and going out to the load-balanced destination in a
single capture.

tcpdump -vni 0.0:nnnp -s 0 -w /tmp/capture.pcap host x.x.x.x

Traffic matching the filter is saved to the capture file named after the -w. The -v
lets you see how many packets are being captured, and the -w sends the output to a
file.

-----

Testing a virtual server on an F5


It may sound obvious, but an F5 can be used to loop back on itself to test whether
the virtual server is working. A simple test is telnet, which can be run from the
live F5. The command below runs this test when multiple route domains are in use
on the F5:

rdexec <routing instance number> telnet <serverIP> <port number>

Example below for routing instance 2, server 192.168.1.1, over port 443:

rdexec 2 telnet 192.168.1.1 443

Taking this one step further, to check that the SSL handshake is working and that
a certificate is being offered, a test can be sent to the virtual server to check
that there is termination or pass-through. If that fails, run the same test from
the F5 to the back-end server in question. This can be used in conjunction with
tcpdump and ssldump to nail the issue. The command below again uses route domain 2
and displays the certificate that is handed out by the server.

rdexec 2 openssl s_client -showcerts -connect 192.168.1.1:443
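
An added example, not part of the original notes: a bash function that summarises the output of the openssl s_client check above, reporting chain length, leaf subject and issuer, and the verify return code, and failing when no certificate is offered. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/bash
# Added example: summarise `openssl s_client -showcerts` output read on stdin.
# Returns 0 only when a certificate was offered and the verify code is 0.
summarize_s_client() {
    awk '
        /no peer certificate available/ { nocert = 1 }
        # Chain entries: " 0 s:<subject>" followed by "   i:<issuer>"
        /^ *[0-9]+ s:/ {
            n++
            if (n == 1) { sub(/^ *[0-9]+ s:/, ""); subject = $0; want_issuer = 1 }
            next
        }
        want_issuer && /^ +i:/ { sub(/^ +i:/, ""); issuer = $0; want_issuer = 0; next }
        /Verify return code:/ { code = $4; seen_code = 1 }
        END {
            if (nocert || n == 0) { print "chain_len=0"; exit 1 }
            print "chain_len=" n
            print "leaf_subject=" subject
            print "leaf_issuer=" issuer
            print "verify=" (seen_code ? code : "unknown")
            exit ((seen_code && code == 0) ? 0 : 1)
        }'
}

# Constructed sample output (not captured from a real server).
sample_s_client_ok() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate
-----BEGIN CERTIFICATE-----
(constructed placeholder, base64 body omitted)
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Intermediate
   i:/C=US/O=Example CA/CN=Example Root
---
    Verify return code: 0 (ok)
EOF
}

# Constructed sample of a handshake where no certificate is offered.
sample_s_client_nocert() {
    printf '%s\n' 'CONNECTED(00000003)' '---' 'no peer certificate available' '---'
}

# On the F5 the input would come from the command on this page, e.g.:
#   rdexec 2 openssl s_client -showcerts -connect 192.168.1.1:443 </dev/null 2>/dev/null | summarize_s_client
```

A chain_len of 1 with a non-zero verify code usually points at a missing intermediate on the SSL profile or back-end server, which is worth confirming against the ssldump of the same handshake.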
