F5 pcap capture and Wireshark review
5/8/2024, 1 min read
I have been troubleshooting some virtual server site issues lately and could not find the commands to capture and follow the traffic while accessing the site. So this post is here to store the commands that I found useful, for easy review in the future.
Run these commands in the F5 bash shell. This first command enables the SSL provider for tcpdump, so that the TLS session keys are included in the capture:
tmsh modify /sys db tcpdump.sslprovider value enable
This command runs tcpdump on the F5 and writes the capture to a pcap file. You will need to know the destination IP address of the traffic you are troubleshooting to use this command:
tcpdump -s0 -nni 0.0:nnn --f5 ssl -w /var/tmp/saml_cap.pcap -v host <destination address>
After running the command above, try accessing the site that you are troubleshooting so that the traffic is captured for review later. When you are done capturing, you will need a tool like WinSCP to retrieve the file called saml_cap.pcap from the F5's /var/tmp/ folder. After copying the file to a workstation that has Wireshark, you can open the pcap file and review it.
If you want to read the decrypted HTTP conversation, go back to the terminal connected to the F5 and run this command to extract the TLS session keys from the capture into a .pms key log file:
tshark -r /var/tmp/saml_cap.pcap -Y f5ethtrailer.tls.keylog -Tfields -e f5ethtrailer.tls.keylog | sed 's/,/\n/g' > /var/tmp/<nameyourpcap_cap>.pms
grep limit /var/log/apm
You can retrieve this .pms file from the F5's /var/tmp/ folder the same way you copied the saml_cap.pcap file above. After copying it onto your workstation, follow the instructions in this link on how to import the key file into Wireshark so you can decrypt your pcap capture.
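The .pms file that the tshark pipeline writes is an NSS-format key log: one CLIENT_RANDOM record per line, which is the format Wireshark reads as its (Pre)-Master-Secret log. If the comma-to-newline conversion was skipped or the file was only partly copied, Wireshark simply fails to decrypt the capture without saying why. As an added example that is not part of the original post, here is a small POSIX shell helper with a constructed sample key-log string: it performs the same split that the sed step above does and then checks that every record is well-formed before the file goes to Wireshark. The function names and the sample key material are mine; the record layout (CLIENT_RANDOM, 64 hex characters of client random, 96 hex characters of master secret) is the standard NSS key-log format.

```shell
#!/bin/sh
# Added example (not from the original post): split the comma-separated key-log
# string that the tshark / f5ethtrailer pipeline emits into one record per line
# (the job of the sed 's/,/\n/g' step) and check that every record is a
# well-formed NSS key-log entry before the file is handed to Wireshark.
# Function names and the sample key material below are constructed.

# NSS key-log record as Wireshark expects it:
#   CLIENT_RANDOM <32-byte client random as 64 hex> <48-byte master secret as 96 hex>
PMS_RE='^CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96}$'

# Constructed sample values (not real session keys): 64 and 96 hex characters.
HEX16='0123456789abcdef'
HEX32='00112233445566778899aabbccddeeff'
R1="$HEX16$HEX16$HEX16$HEX16"
M1="$HEX32$HEX32$HEX32"
R2="$HEX32$HEX32"
M2="$HEX16$HEX16$HEX16$HEX16$HEX16$HEX16"

# What the tshark -e f5ethtrailer.tls.keylog output looks like before the sed
# step: records joined by commas. The third entry is deliberately malformed.
SAMPLE_KEYLOG="CLIENT_RANDOM $R1 $M1,CLIENT_RANDOM $R2 $M2,not a keylog record"

# pms_split RAW: print one record per line, dropping empty fields.
pms_split() {
    printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d'
}

# pms_valid_count FILE: print how many lines match the NSS record format
# (grep -c prints 0 and exits 1 when nothing matches, hence the || true).
pms_valid_count() {
    grep -cE "$PMS_RE" "$1" || true
}

# pms_check FILE: succeed only if every non-empty line is a valid record,
# so a half-copied or unconverted file is caught before the Wireshark import.
pms_check() {
    total=$(sed '/^$/d' "$1" | wc -l | tr -d ' ')
    valid=$(pms_valid_count "$1")
    [ "$total" -eq "$valid" ]
}

# Stand-alone run: convert the constructed sample and report on it.
OUT=$(mktemp)
pms_split "$SAMPLE_KEYLOG" > "$OUT"
printf 'records: %s valid: %s\n' \
    "$(sed '/^$/d' "$OUT" | wc -l | tr -d ' ')" "$(pms_valid_count "$OUT")"
if pms_check "$OUT"; then
    echo "key log OK, ready to copy to Wireshark"
else
    echo "key log has malformed lines, re-run the tshark extraction"
fi
rm -f "$OUT"
```

Run it against the real file with `pms_check /var/tmp/<nameyourpcap_cap>.pms` after the tshark step; a zero valid count usually means the sslprovider db key was not enabled before the capture was taken, so the trailer carried no keys.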
Sometimes I want to make sure that the traffic I am troubleshooting is actually going through APM, so I run this command to confirm that the traffic is flowing along the designed path. The output of this command is a counter of pending APM access sessions for the client:
watch -n1 'tmsh show apm access client-ip <destination ip> all-properties | egrep "^apm access|status" | grep "status pending" | wc -l'
After running the command, I try accessing the site I am troubleshooting and then check the counter. If it is greater than zero, APM is receiving session connections for the site, which is a good sign.