tcpdump excluding monitor traffic

This has always been a pain. To help with this, I have try where possible to use a SNAT pool rather than automap. However, it's obviously too late for that now. You could do it with two passes through tcpdump. The first pass you capture traffic to the virtual IP and include the 😛 flag. You then filter the output of that to exclude the VS IP:

tcpdump -i external:nnnp -s0 -w - host 10.1.2.3 | tcpdump -r - -s0 not host 10.1.2.3

Or, probably more usefully, save the capture from the first command, and process it afterwards:

tcpdump -i external:nnnp -s0 -w /var/tmp/my.cap host 10.1.2.3
tcpdump -r /var/tmp/my.cap -s0 not host 10.1.2.3

That's off the top of my head, I haven't tested it. If it's not quite right, hopefully you get the idea.

Hi,

 

I guess your suggestion about not using automap but rather separate SNAT pool (even with one IP) is most valuable. I was not thinking about it as a way to simplify troubleshooting but it seems to be a way to go - if there are any spare IP's to use.

 

Going back to tcpdump examples. I am quite new in this area so to be sure:

 

First dump is capturing complete flow so both client<->VIP and SNAT<->Server

 

Second is removing all connections on client side

 

Am I right? If so it seems to be quite useful method.

 

Piotr

 

Hi Piotr,

in the tcpdump expample provided by uni you will notice the usage of "-i" parameter to determine the interface.

F5 has added some options to improve tracking traffic.

Using interface 0.0 allows capturing traffic internally on all VLANs.

The internal capture allows in addition the use of the "noise" flags, "nnn".

Last but not least there is the "p" flag for interface definition to capture peer traffic.

With the "p" flag you can set a filter on a clientside parameter, i.e. client IP or virtual server IP and the trace will include the related serverside traffic as well, SNATed or not. No worries about filtering out the monitoring traffic.

Uni has also added the "-s" parameter for packet size specification. Set it to "0" to capture the full packet length. This will be necessary to dump the internal ethernet trailer information (aka "noise").

To decode the "noise" in WireShark you may want to download the WireShark Plugin provided by F5.

So the tcpdump would look like this:

tcpdump -i 0.0:nnnp -s 0 -w /var/tmp/mytrace.cap host   

This kind of trace will contain the serverside traffic as well. Feel free to add filters according to your specific needs.

Thanks, Stephan

Hi Stephan,

 

Thanks for explanation. I missed that external is used for -i. I am novice but already learned a bit about noise and p parameter :-) I am curious if -i external:nnnp will indeed catch full flow - both client and server side or just client side part? I had impression that to catch full flow 0.0 has to be used? As far as I understand, in case of using p parameter monitor traffic is automatically excluded, even if server ip is used for host parameter (let's say I do not know client IP or would like to catch all SNAT<->server traffic)

 

Considering your example, to get just server side traffic from the dump I still need to use tcpdump -r /dump.cap not host ? I assume that in case of reading dump file using -i is not necessary or it is?

 

Piotr