Forum Discussion

meenny_60187
Jan 20, 2016
Solved

How to filter between regular data traffic and health monitor traffic with tcpdump?

Is there a way to use tcpdump to filter out normal data traffic and health monitor traffic, going to the same server on the same port? For example, a pool member is configured for 10.10.10.10:2222, and the health monitor is configured to check TCP port on 2222 as well. When doing a tcpdump for host 10.10.10.10 and port 2222, I'm going to see both normal data traffic and health monitor traffic at the same time. How can I separate this traffic so that all I see is the health monitor traffic, whether from a tcpdump or Wireshark?

 

  • There are a few options, depending on your architecture/configuration. A main difference between monitor traffic and production traffic is the monitor will use a non-floating Self IP of the device, whereas production traffic may use a floating Self IP. If you have an HA pair, you may already have a floating Self IP. If not, you can set one up (just watch your backend firewall rules if you have any).

     

    Then filter based on the source being either the floating (production) or non-floating (monitor).

     

    Another method is to use a Send String inside your monitor (provided your backend application can listen for and parse the data) and then filter based on finding that string in the payload.
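
The two approaches in the answer above, written out as tcpdump capture filters. This is an added example, not part of the original thread: the Self IP `10.10.10.2`, the Send String `GET /health`, the interface placeholder and the function names are assumptions; `10.10.10.10:2222` is the pool member from the question.

```shell
#!/bin/sh
# Constructed sample values (assumptions, replace with your own).
MEMBER=10.10.10.10          # pool member from the question
PORT=2222
SELF_IP=10.10.10.2          # assumed non-floating Self IP (monitor source)
SEND_STRING='GET /health'   # assumed monitor Send String

# Approach 1: monitors are sourced from the non-floating Self IP.
monitor_by_source() {       # args: self_ip member port
  printf 'src host %s and dst host %s and tcp dst port %s' "$1" "$2" "$3"
}

# Anything else reaching the member on that port is production traffic
# (floating Self IP when SNAT is used, client addresses otherwise).
production_by_source() {    # args: self_ip member port
  printf 'not src host %s and dst host %s and tcp dst port %s' "$1" "$2" "$3"
}

# Approach 2: match the first 4 payload bytes against the Send String.
# (tcp[12:1] & 0xf0) >> 2 is the TCP header length, i.e. where payload starts.
# This only matches the segment that carries the string, not the handshake
# or teardown packets of the monitor connection.
monitor_by_payload() {      # args: send_string member port
  prefix=$(printf '%s' "$1" | cut -c1-4)
  if [ "${#prefix}" -ne 4 ]; then
    echo 'send string must be at least 4 bytes' >&2
    return 1
  fi
  hex=$(printf '%s' "$prefix" | od -An -tx1 | tr -d ' \n')
  printf 'dst host %s and tcp dst port %s and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x%s' \
    "$2" "$3" "$hex"
}

# Print the filters; pass one to tcpdump (needs capture privileges), e.g.
#   tcpdump -nn -i <interface> "$(monitor_by_source "$SELF_IP" "$MEMBER" "$PORT")"
echo "monitor, by source:    $(monitor_by_source "$SELF_IP" "$MEMBER" "$PORT")"
echo "production, by source: $(production_by_source "$SELF_IP" "$MEMBER" "$PORT")"
echo "monitor, by payload:   $(monitor_by_payload "$SEND_STRING" "$MEMBER" "$PORT")"
```

The same expressions can be applied to a saved capture with `tcpdump -r`; in Wireshark the source-based split corresponds to a display filter on `ip.src`.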

     
