Forum Discussion

helenio
Dec 19, 2013

How can I follow an HTTPS connection from a specified client IP

Hello, I have an HTTP virtual server IP in production. Behind that virtual server there is a pool with 3 members. I'd like to troubleshoot the connection from my client IP to the server to see the entire flow (from client to virtual server and from LTM to server).

I'm interested to see the HTTP messages from client to server. I used tcpdump to capture all traffic directed to the virtual server IP and to the pool server IPs. Afterward I read the captured file with Wireshark and tried to filter only my connection.

What I'm not able to do is to put the client-side connection in relation with the server-side connection. I mean the client starts a connection and BIG-IP proxies it to a server. How can I follow the client connection from client to server since BIG-IP proxies it?

Should I insert session cookies? Can I do it directly on LTM without tcpdump?

8 Replies

  • You could insert a header with the client IP via an iRule (i.e. X-Forwarded-For). This can be done with an HTTP profile automatically, too. Then you have to capture a dump from both sides. With Wireshark, you can now search for the X-Forwarded-For header.

     

  • In the version of tcpdump which comes with the latest versions of the BIG-IP software (not sure when it appeared, sorry; certainly 11.4.0) there is an option to follow the associated flow. You need to specify a VLAN in the interface, and add :p (no, that is not a smiley :P). For example

    tcpdump -v -s0 -w my.cap -i external:p host 10.1.2.3
    

    There are some other cool flags added to tcpdump too. Check the man page under the -i flag.

    • uni_87886 (Cirrostratus): I checked the release notes. The :p flag was introduced in 11.4.0
    • Torti (Altostratus): That sounds like a nice new feature. It's a pity that we still can't run on 11.4 :-(
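As an added example (not code from this thread or from F5), the following Python script does offline the correlation that the X-Forwarded-For answer and the `:p` capture answer above describe: given HTTP requests extracted from both sides of the proxy (whether from one `-i external:p` capture or from two separate tcpdump files), it pairs each server-side request with the client-side request that produced it by reading the X-Forwarded-For value the BIG-IP inserted, and it reports server-side requests that carry no such header (health monitors, virtual servers without XFF insertion) separately instead of guessing. All IPs, paths and request bytes below are constructed sample data; the assumption that the address inserted by the proxy is the rightmost X-Forwarded-For value (so that a client-supplied header cannot masquerade as it) is mine, not a documented BIG-IP behaviour.

```python
"""Correlate client-side and server-side HTTP requests by X-Forwarded-For.

Added example for the thread above; not code from the thread or from F5.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    src: str                     # source IP of the TCP flow the request was seen on
    dst: str                     # destination IP (virtual server IP or pool member)
    method: str
    path: str
    headers: Dict[str, List[str]]  # lowercase header name -> all values seen


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, List[str]]]:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Repeated headers are kept as a list; order is the order on the wire.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, path, headers


def proxied_client(headers: Dict[str, List[str]]) -> Optional[str]:
    """Rightmost X-Forwarded-For value across all XFF headers.

    Assumption: the proxy appends its own (trusted) view of the client address
    after anything the client already sent, so the rightmost value is the one
    the BIG-IP inserted and the only one worth matching on.
    """
    values: List[str] = []
    for header_value in headers.get("x-forwarded-for", []):
        values.extend(v.strip() for v in header_value.split(","))
    return values[-1] if values else None


def correlate(client_side: List[Request], server_side: List[Request]):
    """Pair each server-side request with the client-side request that caused it.

    Returns (matched, orphans): matched is a list of
    (client_ip, vs_ip, snat_ip, pool_member, method, path) tuples;
    orphans are server-side requests with no usable XFF or no client match.
    """
    pending = list(client_side)          # each client request is used at most once
    matched, orphans = [], []
    for s in server_side:
        client_ip = proxied_client(s.headers)
        hit = next((c for c in pending
                    if c.src == client_ip and (c.method, c.path) == (s.method, s.path)),
                   None)
        if hit is None:
            orphans.append(s)
            continue
        pending.remove(hit)
        matched.append((hit.src, hit.dst, s.src, s.dst, s.method, s.path))
    return matched, orphans


def make(src: str, dst: str, raw: bytes) -> Request:
    method, path, headers = parse_request(raw)
    return Request(src, dst, method, path, headers)


def sample_flows() -> Tuple[List[Request], List[Request]]:
    """Constructed sample data standing in for requests pulled out of a capture."""
    vip, snat = "198.51.100.5", "10.0.0.1"
    client_side = [
        make("192.0.2.10", vip, b"GET /login HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
        make("192.0.2.20", vip, b"POST /api/orders HTTP/1.1\r\nHost: www.example.test\r\n"
                                b"Content-Length: 0\r\nX-Forwarded-For: 203.0.113.7\r\n\r\n"),
    ]
    server_side = [
        make(snat, "10.0.1.11", b"GET /login HTTP/1.1\r\nHost: www.example.test\r\n"
                                b"X-Forwarded-For: 192.0.2.10\r\n\r\n"),
        # Client-supplied XFF with the proxy's value appended after it.
        make(snat, "10.0.1.12", b"POST /api/orders HTTP/1.1\r\nHost: www.example.test\r\n"
                                b"Content-Length: 0\r\nX-Forwarded-For: 203.0.113.7, 192.0.2.20\r\n\r\n"),
        # No XFF at all (e.g. a health monitor): must not be matched to anyone.
        make(snat, "10.0.1.13", b"GET /health HTTP/1.1\r\nHost: pool\r\n\r\n"),
    ]
    return client_side, server_side


def demo():
    client_side, server_side = sample_flows()
    return correlate(client_side, server_side)


if __name__ == "__main__":
    matched, orphans = demo()
    for client_ip, vs_ip, snat_ip, member, method, path in matched:
        print(f"{client_ip} -> VS {vs_ip}  ==>  {snat_ip} -> pool {member}   {method} {path}")
    for s in orphans:
        print(f"unmatched server-side request: {s.src} -> {s.dst} {s.method} {s.path}")
```

Matching on method and path as well as the XFF address keeps two requests from the same client apart; if you extract requests with timestamps, adding a "server-side request must follow the client-side one within a small window" rule is the natural next refinement.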