Forum Discussion

Adnankhan
Feb 15, 2019

tcpdump/Logging on vip for 1 week.

Hello Everyone,


I want to run a capture on a specific VIP for 1 week. Is there a way to keep writing the capture to a file for such a long time?

Or, if I can turn on logging on the specific VIP and later extract the logs.

I need to see what all IPs are hitting this specific VIP, as the application team migrated some servers, but there are many devices which are still pointing to this VIP.

Thanks in advance. Adnan.


2 Replies

  • If I had to do something similar to that, I would pipe the output of tcpdump to an ssh tunnel and write/save the output to Wireshark directly.

    Example on a Windows machine (needs plink and Wireshark):

    "c:\plink.exe" -l username -pw password ipaddress_of_f5_mgmt_interface "tcpdump -w - -s0 -ni 0.0:nnn host x.x.x.x and port yyy" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

    There are Wireshark start options to auto-save files after a certain size and auto-roll the saved file names (you'd have to figure that out). The -s0 is for full packet snaplen; you could change that to only log the first few bytes of the header you need, to reduce the data. Also, you can adjust the tcpdump filters if you need.
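    Once a week of capture has been saved (rotated or not), the question that remains is which client addresses actually sent traffic to the VIP. The script below is an added example for this thread, not code from the reply above and not an F5 tool: a standard-library Python reader for the classic pcap format that tcpdump -w writes, which walks every record and counts packets per client IP destined for the VIP, optionally restricted to one port or to TCP SYNs (roughly one hit per connection attempt). It assumes an Ethernet link type and IPv4 only; the sample capture, addresses and ports are constructed inline. Any F5 ":nnn" noise data is appended after the packet payload, so header parsing is unaffected.

```python
"""Tally which client IPs reached a VIP in a capture written by tcpdump -w.

Added example for this thread, not code from the reply or from F5. Pure
standard-library parsing of classic pcap (not pcapng) on an Ethernet
link-type; IPv4 only. The sample capture below is constructed inline.
"""
import io
import struct
from collections import Counter
from ipaddress import ip_address

PCAP_MAGIC = 0xA1B2C3D4
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def clients_hitting_vip(pcap_bytes, vip, vip_port=None, syn_only=False):
    """Return Counter {client_ip: packets} for IPv4 packets sent to the VIP.

    vip_port restricts to one TCP/UDP destination port; syn_only keeps only
    TCP SYN (not SYN/ACK) packets, i.e. roughly one hit per connection attempt.
    """
    vip_packed = ip_address(vip).packed
    f = io.BytesIO(pcap_bytes)
    magic = f.read(4)
    if len(magic) < 4:
        raise ValueError("not a pcap file")
    if struct.unpack("<I", magic)[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", magic)[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or nanosecond pcap?)")
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", f.read(20))
    if linktype != 1:
        raise ValueError("only the Ethernet link type is handled")

    counts = Counter()
    rec_hdr = struct.Struct(endian + "IIII")  # ts_sec, ts_usec, incl_len, orig_len
    while True:
        hdr = f.read(rec_hdr.size)
        if len(hdr) < rec_hdr.size:
            break  # end of file (or a file cut mid-header while still being written)
        _ts_sec, _ts_usec, incl_len, _orig_len = rec_hdr.unpack(hdr)
        pkt = f.read(incl_len)
        if len(pkt) < incl_len:
            break  # truncated tail record; stop rather than misparse
        # 14-byte Ethernet header; anything that is not IPv4 (ARP, IPv6) is skipped.
        if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto, src, dst = ip[9], ip[12:16], ip[16:20]
        if dst != vip_packed:
            continue
        l4 = ip[ihl:]
        if vip_port is not None or syn_only:
            if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 4:
                continue
            if vip_port is not None and struct.unpack("!H", l4[2:4])[0] != vip_port:
                continue
            if syn_only:
                if proto != PROTO_TCP or len(l4) < 14:
                    continue
                flags = l4[13]
                if not flags & TCP_SYN or flags & TCP_ACK:
                    continue
        counts[str(ip_address(src))] += 1
    return counts


def _frame(src, dst, sport, dport, flags=TCP_SYN, proto=PROTO_TCP):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame with zeroed checksums."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return eth + iph + l4


def build_sample_pcap():
    """Constructed sample: several clients hitting VIP 10.1.1.100 plus noise."""
    vip = "10.1.1.100"
    frames = [
        _frame("192.168.5.20", vip, 40001, 443),                # SYN to the VIP
        _frame("192.168.5.20", vip, 40001, 443, flags=0x18),    # PSH/ACK, same flow
        _frame("192.168.5.21", vip, 40002, 443),
        _frame("10.9.9.9", vip, 53000, 8080),                   # VIP, other port
        _frame("172.16.0.7", vip, 5000, 443, proto=PROTO_UDP),  # UDP to the VIP
        _frame("192.168.5.20", "10.1.1.200", 40003, 443),       # a different VIP
        b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", 0x0806) + b"\x00" * 28,  # ARP
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1550188800 + i, 0, len(fr), len(fr)) + fr
    return out


if __name__ == "__main__":
    cap = build_sample_pcap()
    for ip, n in clients_hitting_vip(cap, "10.1.1.100", vip_port=443, syn_only=True).most_common():
        print(f"{ip:<16} {n} connection attempt(s)")
```

    For a real week-long capture, run this over each rotated file in turn and merge the Counters; a file that is still being written simply ends at the last complete record.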

  • If all you need is to capture the client IP, I would say tcpdump is overkill, as you could simply log the IP address via an iRule and assign it to each Virtual Server you want to log.

    The following iRule would log remotely to a syslog server at 172.27.31.10.

    when CLIENT_ACCEPTED {
       # Fires once per accepted client connection, not once per packet
       log 172.27.31.10 local0.info "Client Connected, IP: [IP::client_addr]"
    }

    If you wanted to log locally, simply remove the remote IP from the log command, so it would log to the LTM logs (/var/log/ltm), which rotate, so I would ensure you extract the data you need regularly to avoid losing any logs.
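    Whether the iRule above logs locally or to a syslog server, the lines still have to be reduced to a list of client addresses with first/last seen times, which is what tells you which devices are still pointing at the old VIP. The script below is an added example for this thread, not code from the reply and not an F5 component: it parses syslog-style lines carrying the iRule's "Client Connected, IP:" message, normalises IPv4 and IPv6 addresses, and counts connections per client. The sample log lines, hostname and process names are constructed to resemble /var/log/ltm output; the exact prefix varies by version, so matching is anchored on the message text rather than the prefix.

```python
"""Summarise client IPs from the CLIENT_ACCEPTED iRule's log lines.

Added example for this thread, not code from the reply or from F5. The
sample lines are constructed to resemble /var/log/ltm; only the timestamp
at the start and the iRule's own message text are relied upon.
"""
import re
from datetime import datetime
from ipaddress import ip_address

# Syslog timestamp (no year), then anything, then the message the iRule logs.
MSG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r".*?Client Connected, IP: (?P<ip>[0-9A-Fa-f.:]+)\s*$"
)

# Constructed sample lines (hostname, pids and addresses are made up).
SAMPLE_LTM_LINES = [
    "Feb 15 08:00:01 bigip1 info tmm[11981]: Rule /Common/log_clients <CLIENT_ACCEPTED>: Client Connected, IP: 192.168.5.20",
    "Feb 15 08:00:03 bigip1 notice mcpd[5980]: Pool member status changed",  # unrelated line
    "Feb 15 08:05:44 bigip1 info tmm1[11982]: Rule /Common/log_clients <CLIENT_ACCEPTED>: Client Connected, IP: 192.168.5.21",
    "Feb 15 09:12:10 bigip1 info tmm[11981]: Rule /Common/log_clients <CLIENT_ACCEPTED>: Client Connected, IP: 192.168.5.20",
    "Feb 16 02:30:00 bigip1 info tmm[11981]: Rule /Common/log_clients <CLIENT_ACCEPTED>: Client Connected, IP: 2001:DB8::1",
    "Feb 16 02:31:07 bigip1 info tmm[11981]: Rule /Common/log_clients <CLIENT_ACCEPTED>: Client Connected, IP: not-an-ip",
]


def summarize_clients(lines, year):
    """Return {ip: {"connections": n, "first_seen": dt, "last_seen": dt}}.

    Syslog timestamps carry no year, so the caller supplies it. Lines that do
    not carry the iRule message, or whose address does not parse, are skipped.
    Each CLIENT_ACCEPTED line is one accepted connection, not one packet.
    """
    seen = {}
    for line in lines:
        m = MSG_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ip_address(m.group("ip")))  # canonical form, e.g. lowercases IPv6
        except ValueError:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        entry = seen.setdefault(ip, {"connections": 0, "first_seen": ts, "last_seen": ts})
        entry["connections"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return seen


def report_lines(summary):
    """Render the summary, most recently seen clients first."""
    rows = sorted(summary.items(), key=lambda kv: kv[1]["last_seen"], reverse=True)
    return [
        f"{ip:<40} {e['connections']:>6}  first {e['first_seen']:%Y-%m-%d %H:%M:%S}  last {e['last_seen']:%Y-%m-%d %H:%M:%S}"
        for ip, e in rows
    ]


if __name__ == "__main__":
    for row in report_lines(summarize_clients(SAMPLE_LTM_LINES, 2019)):
        print(row)
```

    Because /var/log/ltm rotates, feed the script the rotated files as well as the live one (or the syslog server's archive) so that a device that connects only occasionally during the week is not missed.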