Forum Discussion

Dormelchen_2406
Nov 26, 2012

Is there a possibility to trace / netmon BIG-IP?

Hello,

We had some problems with timeouts in connections.

We checked profiles etc.

Our customer runs netmon on the client and server side, and now the customer wants us to run netmon (the Microsoft tool) on our load balancer.

Now I am searching for something similar to this tool to trace traffic / timeouts / etc., like netmon.

Is there something I can use?

Thank you

2 Replies

  • To capture packets on the F5 you could use tcpdump.

    This venerable (now 25 year old) and invaluable troubleshooting and analysis packet capture tool is available in the Advanced Shell, tmsh and the GUI.

    tcpdump help text can be displayed with the man tcpdump command in the Advanced Shell or the help util tcpdump command in tmsh.

    When your BIG-IP is configured in Appliance Mode, this command is not directly available. Use the tmsh run util tcpdump command path instead.

    Common and useful options include:

    • -i name – capture packets only on the specified interface (use any or 0.0 for all interfaces)
    • -v – display verbose output (more packet detail)
    • -n – don't resolve IP addresses to hostnames
    • -w /dir/filename – write output to a file (that you can later use with Wireshark or a tool of your choice)
    • -e – capture link layer (layer two, data link) headers
    • -X – display packet contents in hex and ASCII
    • -s nn – capture the specified number of bytes of each packet (the default is 68 bytes; use -s0 to capture each entire packet)

    Some example command usage:

    • tcpdump -i internal port 80 – capture packets to or from port 80 on VLAN 'internal'
    • tcpdump -i all -w /tmp/nodecapture -v -s0 dst 1.1.1.1 – capture the entire contents of packets with a destination IP address of 1.1.1.1 on all interfaces
    • run util tcpdump -i external -nn -v -X -s0 port 80 and host 1.1.1.1 – capture the entire contents of packets to or from port 80, to or from IP address 1.1.1.1 on VLAN external and display the packet contents in ASCII

    tcpdump output can be considerable if the network traffic your expression defines is considerable, particularly if you are capturing more than the default 68 bytes of packet content.

    Capturing packets related to, for example, a large file transfer or a web server being actively used by hundreds or thousands of clients will produce an overwhelming amount of output. If writing this output to stdout you will probably be unable to enter commands in your terminal; if writing to a file you may exhaust the host's disk space. In either case tcpdump is also likely to consume a great deal of CPU and memory resources.

    To avoid these issues:

    • Be very careful when specifying expressions and try to make them as specific as possible.
    • Don't capture during times of heavy traffic/load.
    • If you wish to capture entire packet contents, do a test capture capturing only the default 68 bytes first and make a judgement on whether the system will cope with the full packet content capture.
    • Where writing to disk, carefully monitor the size of the file and ensure the host in question has the likely disk resources required available, or use the -c parameter to limit the number of packets captured.
    • Never use an expression that would capture traffic to or from your remote telnet/SSH/whatever terminal/shell. tcpdump output would generate traffic to your terminal, resulting in further output, resulting in more traffic to your terminal and so on in an infinite and potentially harmful feedback loop.
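An added example, not code from this thread or from F5: a small POSIX shell helper that assembles a BIG-IP tcpdump command line applying the safeguards the reply lists (a -c packet cap, the default snap length unless a full capture is explicitly requested, exclusion of the admin's own SSH session from the filter, and the tmsh path for Appliance Mode). The function name build_capture_cmd, the ADMIN_HOST override and the sample addresses are this example's own assumptions; the admin client address is otherwise read from the SSH_CONNECTION variable that sshd sets.

```shell
#!/bin/sh
# build_capture_cmd: assemble a BIG-IP tcpdump command line that applies the
# safeguards described above (hypothetical helper, not an F5 tool):
#   - always caps the packet count with -c
#   - keeps the default snap length unless "full" is requested (-s0)
#   - excludes the admin's own SSH session so output cannot feed back into the capture
#   - uses the tmsh path when the box runs in Appliance Mode
#
# Usage: build_capture_cmd IFACE 'BPF expression' COUNT OUTFILE [full|default] [appliance|shell]
#   OUTFILE "-" means print to the terminal instead of writing a pcap file.
# The admin client address comes from SSH_CONNECTION (set by sshd) or from ADMIN_HOST
# if set; both variable names here are this example's own assumptions.
build_capture_cmd() {
  iface=$1; expr=$2; count=$3; outfile=$4; full=${5:-default}; mode=${6:-shell}

  # -c must be a positive integer; an open-ended capture is exactly what we want to avoid.
  case "$count" in
    ''|0|*[!0-9]*) echo "build_capture_cmd: COUNT must be a positive integer" >&2; return 1 ;;
  esac

  # First field of SSH_CONNECTION is the client IP of the current session.
  admin=${ADMIN_HOST:-${SSH_CONNECTION%% *}}
  if [ -n "$admin" ]; then
    expr="($expr) and not (host $admin and port 22)"
  else
    echo "build_capture_cmd: warning: no admin host known, SSH session not excluded" >&2
  fi

  cmd="tcpdump -nn -i $iface -c $count"
  [ "$full" = full ] && cmd="$cmd -s0"          # otherwise the default 68-byte snap length
  [ "$outfile" != - ] && cmd="$cmd -w $outfile"
  [ "$mode" = appliance ] && cmd="tmsh run util $cmd"
  printf '%s\n' "$cmd '$expr'"
}

# Demo (constructed values): two-stage capture of HTTP traffic for one client on all
# interfaces. Run the default-snaplen command first and only then the full-content one.
if [ "${1:-}" = demo ]; then
  SSH_CONNECTION="192.0.2.10 51234 198.51.100.1 22"   # constructed; normally set by sshd
  build_capture_cmd 0.0 'port 80 and host 203.0.113.5' 200 /tmp/http-test.pcap default shell
  build_capture_cmd 0.0 'port 80 and host 203.0.113.5' 2000 /tmp/http-full.pcap full appliance
fi
```

The helper only prints the command line; review it, then paste it into the Advanced Shell or tmsh yourself.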