Something I always do is capture some more information on the BIG-IP and use Wireshark to filter it out.
This command is what F5 Support usually use:
tcpdump -nn -s0 -i 0.0:nnnp -w /shared/tmp/Cxxxx_tcpdump_$(date +%d_%b_%H_%M_%S)_$HOSTNAME.pcap host x.x.x.x or host y.y.y.y or host z.z.z.z- x.x.x.x = IP address of client connecting to the virtual server. Or if this IP address is unknown, the IP address of the virtual server.
- y.y.y.y = IP address of first pool member
- z.z.z.z = IP address of second pool member.
The -i 0.0:nnnp flag will capture traffic on all VLANs and it will also enable the F5 Ethernet Trailer. The F5 Ethernet trailer will gather F5 specific information which can be analyzed in Wireshark.
Getting Started with the F5 Wireshark Plugin on Windows
Then, using the F5 Ethernet Trailer, I filter out the sessions based on the Flow Session ID, captured by the F5 Ethernet Trailer. Jason describes it in detail in the same article.
That way, the tcpdump syntax is easy to remember, it does not miss any information and it is quick to work with in Wireshark.
But that is how I usually work with tcpdumps.
I also found this really nice lab exercise that F5 has created on CloudDocs which covers TCPdump and involves Wireshark and the plugin:
Troubleshoot with tcpdump and Wireshark
Here is an example…..
Scenario is I want to capture if LDAPS traffic is having issues from SMTP Servers (10.40.89.250 & 10.40.89.253) going towards an LDAPS Virtual Server (10.40.69.32:636) and it has a pool with these pool members (10.40.151.234, 10.40.151.235, 10.40.151.236).
I log into the cli of the F5 LTM that hosts that Virtual Server and I run two commands to kick off the tcpdump
tmsh modify sys db tcpdump.sslprovider value enable
tcpdump -s0 -nni 0.0:nnnp --f5 ssl host 10.40.89.250 or host 10.40.89.253 or host 10.45.89.250 or host 10.45.89.253 -vw /var/tmp/LDAPS_$HOSTNAME"."$(date +%Y%m%d_%H_%M).pcapThen I clone that session and I run this command to see if anything pops up in my logs
tailf /var/log/ltm | egrep '10.40.69.32|10.40.151.234|10.40.151.235|10.40.151.236'Then I clone that session and randomly check connections on the box
tmsh show sys connection | egrep '10.40.69.32|10.40.151.234|10.40.151.235|10.40.151.236'Finally monitor the .pcap file to make sure it doesn’t get too big
ls -ltrh /var/tmp/*.pcapThats my example (IP Addresses just random to show you an example that works for me).
I try and capture 30minutes of traffic if the File Size of the .pcap doesn’t get too big.