F5 TCPDUMP
BY: ALEX WADE
BASICS
IN-LINE LOAD BALANCER
With the in-line method the servers sit behind the F5 and the F5 becomes their default gateway.
This method preserves the client source IP, which makes it one of the best methods for non-HTTP applications and also eases
troubleshooting.
WHAT IS TCPDUMP
tcpdump is a network packet analyzer. It uses libpcap (winpcap on Windows) to
capture data and its extensive built-in protocol definitions to analyze
the captured packets. It is mainly used to debug the protocol of the captured
packets, which in turn reveals the network traffic characteristics.
CAPTURE FULL TRAFFIC FLOW
Capturing traffic with TMM information for a specific traffic flow
Beginning in BIG-IP 11.2.0, you can use the 'p' interface modifier with the 'n' modifier to
capture traffic with TMM information for a specific flow, and its related peer flow. The p
modifier allows you to capture a specific traffic flow through the BIG-IP system from end to
end, even when the configuration uses a Secure Network Address Translation (SNAT) or
OneConnect. For example, the following command searches for traffic to or from client
10.0.0.1 on interface 0.0:
tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.dmp host 10.0.0.1
Once tcpdump identifies a related flow, the flow is marked in TMM, and every subsequent packet
in the flow (on both sides of the BIG-IP system) is written to the capture file.
TCPDUMP WITH SNAT -P FLAG TO THE RESCUE
tcpdump -ni 0.0:nnnp -s 0 host client-ip -w /var/tmp/traffic_from_client.pcap
Ex.
tcpdump -ni 0.0:nnnp -s 0 host 10.100.100.102 -w /var/tmp/traffic_from_client.pcap
Note: with the 'p' modifier you can also narrow the capture to all traffic to a given VIP:
tcpdump -ni 0.0:nnnp -s 0 host <vip-ip> and port <vip-port> -w /var/tmp/traffic_to_vip.pcap
Ex.
tcpdump -ni 0.0:nnnp -s 0 host 1.1.1.1 and port 443 -w /var/tmp/traffic_to_vip.pcap
You can always filter on either the client or the server IP, so if you want to tcpdump traffic "behind" the F5 and
cannot use the client IP because of SNAT, filter on the node IP address(es) instead.
SSL DUMP
SSL handshake and other SSL record messages
SSL connections are established on top of an existing TCP connection using an SSL handshake that accomplishes the following:
• The client and server negotiate security capabilities, such as the public-key algorithm, the symmetric key algorithm, and compression
algorithms.
• The server transmits its certificate to the client, allowing the client to validate the identity of the server.
• The client and server exchange session key information.
• The client may also send its certificate to the server, allowing the server to validate the identity of the client.
The handshake transactions consist of a number of SSL record messages. These messages can be examined by executing the ssldump
utility using the -r option to specify the path and name of the tcpdump capture file to be examined. Other useful options include the
following:
• -n Do not resolve host names.
• -A Print all fields (ssldump, by default, prints only the most interesting).
• -e Print absolute timestamps.
• -d Display application data, including traffic before session initiates.
• -M Output a pre-master secret log file (v. 11.2.0 and later)
The following command displays all of the SSL record messages found in the tcpdump capture file
named www-ssl-client.cap:
ssldump -nr /var/tmp/www-ssl-client.cap
The SSL records printed by the ssldump utility appear similar to the following example:
New TCP connection #2: 172.16.31.22(32866) <-> 192.168.1.8(8389)
2 1 0.0002 (0.0002) C>S Handshake
ClientHello
Version 3.0
resume [32]=
a3 ca ad 46 95 5d 64 bb 33 ec b5 12 91 21 a3 50
d2 c0 c5 f6 67 c3 cc 9e c0 4a 71 1b 92 dc 58 55
cipher suites
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
************************************
ServerHello
Version 3.0
session_id[32]=
a3 ca ad 46 95 5d 64 bb 33 ec b5 12 91 21 a3 50
d2 c0 c5 f6 67 c3 cc 9e c0 4a 71 1b 92 dc 58 55
cipherSuite SSL_RSA_WITH_3DES_EDE_CBC_SHA
compressionMethod NULL
2 3 0.0277 (0.0000) S>C ChangeCipherSpec
2 4 0.0277 (0.0000) S>C Handshake
2 5 0.0282 (0.0005) C>S ChangeCipherSpec
2 6 0.0282 (0.0000) C>S Handshake
2 7 0.0282 (0.0000) C>S application_data
2 8 0.0289 (0.0006) S>C application_data
2 9 0.0289 (0.0000) S>C application_data
2 10 0.0292 (0.0003) C>S application_data
2 11 0.0296 (0.0003) S>C application_data
2 12 0.0296 (0.0000) S>C application_data
TYPICAL TCPDUMP SCENARIO
A typical scenario would be to run simultaneous dumps on the internal and external VLANs (assuming the
LTM is in a classic Layer 3 implementation), filtering on the client IP or whatever else you are searching for.
If packets appear on the external VLAN but not the internal one, there is likely a problem with the LTM
configuration (particularly if you are seeing RST packets). If you see SYN packets on both the external
and internal VLANs but no ACK packets returning, it is likely that the server either does not have
its gateway set to the BIG-IP or has another route (possibly via a second NIC) back to the client's source
network.
Those are just a couple of examples of how tcpdump can help quickly resolve issues. Do be aware that
the PVA (ASIC) can be handling some L4 traffic in hardware that will not show up in a regular tcpdump on
an LTM VLAN. If need be you can dump on the 0.0 interface to see all traffic going through an LTM, but
be careful doing that on a busy box if you do not filter the tcpdump appropriately by host.
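The decision tree of this scenario, turned into code as an added example (it is not from the slides and not an F5 tool): it parses `tcpdump -n` text lines from the external and internal VLAN captures, filters the external side on the client IP and the internal side on the node IP (as the SNAT slide recommends, since the client IP is not visible behind the BIG-IP), and returns the verdicts the slide describes. The tcpdump lines, the addresses (client 10.0.0.1, VIP 1.1.1.1, SNAT 10.10.10.5, node 10.10.10.100) and the function names are all constructed for this example.

```python
"""Classify one client flow from simultaneous tcpdump captures taken on the
external and internal VLANs of an in-line LTM, following the slide's reasoning:
packets on the external VLAN but not the internal one point at the LTM
configuration (especially with RSTs); SYNs on both VLANs with nothing coming
back from the pool member point at the server's default gateway or a route
that bypasses the BIG-IP.  Added example, not part of the slides.
"""
import re

# One 'tcpdump -n' text line per packet, e.g.
#   10:00:00.000100 IP 10.0.0.1.40000 > 1.1.1.1.443: Flags [S], seq 100, win 64240, length 0
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text):
    """Return one dict (src, sport, dst, dport, flags) per parseable TCP line."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def host_filter(pkts, ip):
    """Same effect as the tcpdump 'host <ip>' filter: packets to or from ip."""
    return [p for p in pkts if ip in (p["src"], p["dst"])]


def observe(pkts, server_side_ip):
    """What the capture shows towards/from the server-side endpoint: the VIP on
    the external VLAN, the pool member (node) on the internal VLAN."""
    return {
        "syn": any(p["dst"] == server_side_ip and p["flags"] == "S" for p in pkts),
        "reply": any(p["src"] == server_side_ip for p in pkts),
        "rst": any(p["src"] == server_side_ip and "R" in p["flags"] for p in pkts),
    }


def diagnose(external_text, internal_text, client_ip, vip, node_ip):
    """Return (verdict, explanation). The external capture is filtered on the
    client IP, the internal one on the node IP, because with SNAT the client
    IP is not visible behind the BIG-IP (see the SNAT slide)."""
    ext = observe(host_filter(parse_tcpdump(external_text), client_ip), vip)
    intl = observe(host_filter(parse_tcpdump(internal_text), node_ip), node_ip)
    if not ext["syn"]:
        return "no-client-traffic", "no SYN from the client reached the external VLAN"
    if not intl["syn"]:
        detail = " (RSTs from the VIP seen)" if ext["rst"] else ""
        return "ltm-config", "SYN on the external VLAN only: check the LTM configuration" + detail
    if not intl["reply"]:
        return "server-routing", ("SYN reached the node but nothing came back through the BIG-IP: "
                                  "check the server's default gateway or a second NIC route")
    if not ext["reply"]:
        return "unclassified", "node replied internally but nothing returned to the client"
    return "healthy", "handshake traffic seen on both VLANs in both directions"


# Constructed captures: client 10.0.0.1 -> VIP 1.1.1.1:443 on the external VLAN,
# SNAT 10.10.10.5 -> node 10.10.10.100:8080 on the internal VLAN.
EXT_OK = """\
10:00:00.000100 IP 10.0.0.1.40000 > 1.1.1.1.443: Flags [S], seq 100, win 64240, length 0
10:00:00.000400 IP 1.1.1.1.443 > 10.0.0.1.40000: Flags [S.], seq 200, ack 101, win 29200, length 0
10:00:00.000600 IP 10.0.0.1.40000 > 1.1.1.1.443: Flags [.], ack 201, win 64240, length 0
"""
INT_OK = """\
10:00:00.000200 IP 10.10.10.5.50000 > 10.10.10.100.8080: Flags [S], seq 300, win 64240, length 0
10:00:00.000300 IP 10.10.10.100.8080 > 10.10.10.5.50000: Flags [S.], seq 400, ack 301, win 29200, length 0
"""
EXT_RST = """\
10:00:00.000100 IP 10.0.0.1.40000 > 1.1.1.1.443: Flags [S], seq 100, win 64240, length 0
10:00:00.000150 IP 1.1.1.1.443 > 10.0.0.1.40000: Flags [R.], seq 0, ack 101, win 0, length 0
"""
EXT_SYN_ONLY = EXT_OK.splitlines()[0] + "\n"   # client SYN, nothing back
INT_SYN_ONLY = INT_OK.splitlines()[0] + "\n"   # SYN reaches the node, no reply

if __name__ == "__main__":
    cases = {"ok": (EXT_OK, INT_OK), "rst": (EXT_RST, ""), "noreply": (EXT_SYN_ONLY, INT_SYN_ONLY)}
    for name, (ext, intl) in cases.items():
        print(name, diagnose(ext, intl, "10.0.0.1", "1.1.1.1", "10.10.10.100"))
```

The "unclassified" branch covers the one combination the slide does not discuss (the node answered internally but nothing reached the client); it is left unnamed rather than guessed at. Real captures would be produced with `tcpdump -ni <vlan> host <ip>` on each VLAN and fed in as text.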
VIEW ENCRYPTED TRAFFIC INSIDE WIRESHARK
• On Linux systems Wireshark must be compiled against GnuTLS and libgcrypt, not OpenSSL or some other
encryption suite; this is not something to worry about on Windows systems.
• The server's private key (the one matching the certificate it presents) must be available on the system running Wireshark.
• The private key file must be in PEM or PKCS12 format; if it is not, you can use OpenSSL to convert what you
have as appropriate, just Google it.
• The private key file should contain only the private key, not the public key (aka the certificate). Files frequently
contain both; check by viewing the file in a true text editor. You only need the text delimited by this:
• Header:
• -----BEGIN RSA PRIVATE KEY-----
• Footer:
• -----END RSA PRIVATE KEY-----
• The capture must include both 'sides' of a conversation. In other words, the capture must include the full
client and server exchange.
Configuring Wireshark to Decrypt Data
In Wireshark click Edit > Preferences…
Select and expand Protocols, scroll down (or just type ssl) and select SSL.
Click the RSA Keys List Edit… button, click New and then enter the following information:
IP Address is the IP address of the host that holds the private key used to decrypt the data and serves the certificate (i.e. the
decrypting host, the server).
Port is the destination port used to communicate with the host that holds the private key used to decrypt the data and serves
the certificate (i.e. the decrypting host, the server).
Protocol is the upper-layer protocol encrypted by SSL/TLS; for instance, the protocol encrypted over an HTTPS web connection is
HTTP.
Key File – select as necessary.
Password is the passphrase used to protect the private key file, if any.
I believe a wildcard IP address of 0.0.0.0 and wildcard port of 0 or data can be used.
Optionally, enter the path and file name of a debug file that you might find useful in helping you diagnose any issues with the
decryption. Note that this may slow down the initial load of the capture file.
Then simply open the capture and, if you have met all the requirements, you should find the application data has been
decrypted. If the standard SSL/TLS port is not being used you may need to select a relevant packet and then click Analyse >
Decode As… and then select SSL.
Important:
The capture must include the initial SSL/TLS session establishment, in other words the ClientHello and
ServerHello exchange. Beware captures taken where a session has been resumed. Ideally, ensure
any capture either a) is of packets from an entirely new device connecting, or b) where a device
that has already established a session is used, is taken a considerable time after the
last session was established.
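An added example, written for this page and not taken from the slides, ssldump or Wireshark, that reads ssldump text output like the record trace shown in the SSL DUMP section and applies the two requirements behind the warning above: the capture must contain the initial handshake rather than a resumed session, and, a point the slides do not state but which follows from how the RSA keys list works, the negotiated cipher suite must use RSA key exchange, because with a DHE or ECDHE suite the server's private key never sees the pre-master secret and cannot decrypt the session on its own. The slide's own trace is in fact a resumed session: the ClientHello offers a session id ("resume [32]=") and the ServerHello echoes the same id, so no Certificate or ClientKeyExchange follows. The class and function names are my own; the first sample trace is the slide's output abridged, the second is an invented full handshake.

```python
"""Read ssldump output and decide whether a session can be decrypted with the
server's RSA private key (Wireshark's RSA keys list method): the capture must
hold the full initial handshake (not a resumed session) and the suite must use
RSA key exchange, since with DHE/ECDHE the key never sees the pre-master secret.
Added example, not from the slides or from ssldump."""
import re
from dataclasses import dataclass, field

CONN_RE = re.compile(r"^New TCP connection #\d+: (\S+) <-> (\S+)")
RECORD_RE = re.compile(r"^\d+\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+([CS]>[CS])\s+(\w+)")
HEX_ROW_RE = re.compile(r"^(?:[0-9a-f]{2}\s+)*[0-9a-f]{2}$")


@dataclass
class SslSession:
    client: str = ""
    server: str = ""
    client_resume_id: str = ""   # session id offered in ClientHello ('resume [n]=')
    server_session_id: str = ""  # session id returned in ServerHello
    cipher_suite: str = ""
    records: list = field(default_factory=list)  # (direction, record type)

    @property
    def resumed(self):
        # A server accepting the offered id echoes it back: abbreviated
        # handshake, so no Certificate and no ClientKeyExchange in the capture.
        return bool(self.client_resume_id) and self.client_resume_id == self.server_session_id

    @property
    def key_exchange(self):
        m = re.match(r"^(?:SSL|TLS)_([A-Z0-9_]+?)_WITH_", self.cipher_suite)
        return m.group(1) if m else "unknown"

    def decryptable_with_server_key(self):
        return self.key_exchange == "RSA" and not self.resumed


def parse_ssldump(text):
    """State machine over ssldump lines: connection header, record header,
    hex rows belonging to a 'resume'/'session_id' field, cipherSuite line."""
    sessions, current, collecting = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CONN_RE.match(line):
            current = SslSession(client=m.group(1), server=m.group(2))
            sessions.append(current)
            continue
        if current is None:
            continue
        if m := RECORD_RE.match(line):
            current.records.append((m.group(1), m.group(2)))
            continue
        if collecting and HEX_ROW_RE.match(line):
            if collecting == "resume":
                current.client_resume_id += line.replace(" ", "")
            else:
                current.server_session_id += line.replace(" ", "")
            continue
        collecting = None
        if line.startswith("resume"):
            collecting = "resume"
        elif line.startswith("session_id"):
            collecting = "session_id"
        elif line.startswith("cipherSuite"):
            current.cipher_suite = line.split()[-1]
    return sessions


# Constructed sample 1: the slide's trace, abridged; the client offers a session
# id and the server echoes it, so this is a resumed session.
RESUMED = """\
New TCP connection #2: 172.16.31.22(32866) <-> 192.168.1.8(8389)
2 1  0.0002 (0.0002)  C>S  Handshake
      ClientHello
        resume [32]=
          a3 ca ad 46 95 5d 64 bb 33 ec b5 12 91 21 a3 50
          d2 c0 c5 f6 67 c3 cc 9e c0 4a 71 1b 92 dc 58 55
2 2  0.0277 (0.0275)  S>C  Handshake
      ServerHello
        session_id[32]=
          a3 ca ad 46 95 5d 64 bb 33 ec b5 12 91 21 a3 50
          d2 c0 c5 f6 67 c3 cc 9e c0 4a 71 1b 92 dc 58 55
        cipherSuite         SSL_RSA_WITH_3DES_EDE_CBC_SHA
2 3  0.0277 (0.0000)  S>C  ChangeCipherSpec
"""
# Constructed sample 2: an invented fresh session with RSA key exchange.
FULL_RSA = """\
New TCP connection #1: 172.16.31.22(32870) <-> 192.168.1.8(8389)
1 1  0.0001 (0.0001)  C>S  Handshake
      ClientHello
1 2  0.0200 (0.0199)  S>C  Handshake
      ServerHello
        session_id[16]=
          0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0
        cipherSuite         SSL_RSA_WITH_AES_256_CBC_SHA
      Certificate
1 3  0.0300 (0.0100)  C>S  Handshake
      ClientKeyExchange
"""

if __name__ == "__main__":
    for s in parse_ssldump(RESUMED) + parse_ssldump(FULL_RSA):
        verdict = "decryptable" if s.decryptable_with_server_key() else "NOT decryptable"
        print(f"{s.client} -> {s.server}: kx={s.key_exchange} resumed={s.resumed} -> {verdict}")
```

Run against the output of `ssldump -nr capture.cap` to triage a capture before loading it into Wireshark: a session flagged as resumed needs a fresh capture (or the pre-master secret log that `ssldump -M` can write on 11.2.0 and later), and a session with a DHE/ECDHE suite will never decrypt with the private key alone.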
Things to Come:
performance monitoring with SolarWinds.
Overview: Configuring network monitoring with sFlow
sFlow is an industry-standard technology for monitoring high-speed
switched networks. You can configure the BIG-IP® system to poll
internal data sources and send data samples to an sFlow receiver.
You can then use the collected data to analyze the traffic that
traverses the BIG-IP system. This analysis can help you understand
traffic patterns and system usage for capacity planning and
chargeback, troubleshoot network and application issues, and
evaluate the effectiveness of your security policies.
ADDITIONAL LINKS
• F5 Wireshark Plugin (requires login) [Download plugin, instructions, additional information]
• https://devcentral.f5.com/articles/getting-started-with-the-f5-wireshark-plugin-on-windows
• https://support.f5.com/csp/article/K10209
• https://support.f5.com/csp/article/K13637
• https://thecciejourney.wordpress.com/2014/11/23/wireshark-f5-plugins-make-for-easier-troubleshooting/

More Related Content

What's hot

Campus_Network_Design_with_ArubaOS-CX_-_Leading_Practices
Campus_Network_Design_with_ArubaOS-CX_-_Leading_PracticesCampus_Network_Design_with_ArubaOS-CX_-_Leading_Practices
Campus_Network_Design_with_ArubaOS-CX_-_Leading_PracticesRoanVillalobos1
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsDerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsPatrick Coble
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA FirepowerAnwesh Dixit
 
Packet Walk(s) In Kubernetes
Packet Walk(s) In KubernetesPacket Walk(s) In Kubernetes
Packet Walk(s) In KubernetesDon Jayakody
 
Linux privilege escalation 101
Linux privilege escalation 101Linux privilege escalation 101
Linux privilege escalation 101Rashid feroz
 
LTM essentials
LTM essentialsLTM essentials
LTM essentialsbharadwajv
 
Cisco Catalyst 9000 Switching Family
Cisco Catalyst 9000 Switching FamilyCisco Catalyst 9000 Switching Family
Cisco Catalyst 9000 Switching FamilyMobeen Khan
 

What's hot (20)

Airheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard AgentsAirheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
 
Aruba ClearPass Guest 6.3 User Guide
Aruba ClearPass Guest 6.3 User GuideAruba ClearPass Guest 6.3 User Guide
Aruba ClearPass Guest 6.3 User Guide
 
BYOD with ClearPass
BYOD with ClearPassBYOD with ClearPass
BYOD with ClearPass
 
Access Management with Aruba ClearPass
Access Management with Aruba ClearPassAccess Management with Aruba ClearPass
Access Management with Aruba ClearPass
 
NGFW RFP TEMPLATE - TEST PLAN
NGFW RFP TEMPLATE - TEST PLANNGFW RFP TEMPLATE - TEST PLAN
NGFW RFP TEMPLATE - TEST PLAN
 
Campus_Network_Design_with_ArubaOS-CX_-_Leading_Practices
Campus_Network_Design_with_ArubaOS-CX_-_Leading_PracticesCampus_Network_Design_with_ArubaOS-CX_-_Leading_Practices
Campus_Network_Design_with_ArubaOS-CX_-_Leading_Practices
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsDerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA Firepower
 
Aruba Mobility Controllers
Aruba Mobility ControllersAruba Mobility Controllers
Aruba Mobility Controllers
 
NFV and OpenStack
NFV and OpenStackNFV and OpenStack
NFV and OpenStack
 
Aruba OS 6.3 Command Line Interface Reference Guide
Aruba OS 6.3 Command Line Interface Reference GuideAruba OS 6.3 Command Line Interface Reference Guide
Aruba OS 6.3 Command Line Interface Reference Guide
 
Packet Walk(s) In Kubernetes
Packet Walk(s) In KubernetesPacket Walk(s) In Kubernetes
Packet Walk(s) In Kubernetes
 
Linux privilege escalation 101
Linux privilege escalation 101Linux privilege escalation 101
Linux privilege escalation 101
 
LTM essentials
LTM essentialsLTM essentials
LTM essentials
 
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference GuideAruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
ClearPass Insight 6.3 User Guide
ClearPass Insight 6.3 User GuideClearPass Insight 6.3 User Guide
ClearPass Insight 6.3 User Guide
 
Getting the most out of the Aruba Policy Enforcement Firewall
Getting the most out of the Aruba Policy Enforcement FirewallGetting the most out of the Aruba Policy Enforcement Firewall
Getting the most out of the Aruba Policy Enforcement Firewall
 
NetScaler ADC - Customer Overview
NetScaler ADC - Customer OverviewNetScaler ADC - Customer Overview
NetScaler ADC - Customer Overview
 
Cisco Catalyst 9000 Switching Family
Cisco Catalyst 9000 Switching FamilyCisco Catalyst 9000 Switching Family
Cisco Catalyst 9000 Switching Family
 

Similar to F5 tcpdump

Abandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAbandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAvi Networks
 
Netcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaNetcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaRaghunath G
 
Packet Tracer: SNMP, Netflow, Sys-log
Packet Tracer: SNMP, Netflow, Sys-logPacket Tracer: SNMP, Netflow, Sys-log
Packet Tracer: SNMP, Netflow, Sys-logRafat Khandaker
 
QoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS RouterQoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS RouterNetProtocol Xpert
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Go with the Flow-v2
Go with the Flow-v2Go with the Flow-v2
Go with the Flow-v2Zobair Khan
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Finalmasoodnt10
 
Reconsider TCPdump for Modern Troubleshooting
Reconsider TCPdump for Modern TroubleshootingReconsider TCPdump for Modern Troubleshooting
Reconsider TCPdump for Modern TroubleshootingAvi Networks
 
Chapter 3. sensors in the network domain
Chapter 3. sensors in the network domainChapter 3. sensors in the network domain
Chapter 3. sensors in the network domainPhu Nguyen
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterAnne Nicolas
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4limsh
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser NetwrokingShuya Osaki
 

Similar to F5 tcpdump (20)

Abandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAbandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern Troubleshooting
 
hakin9_6-2006_str22-33_snort_EN
hakin9_6-2006_str22-33_snort_ENhakin9_6-2006_str22-33_snort_EN
hakin9_6-2006_str22-33_snort_EN
 
Netcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaNetcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beema
 
Netcat - 101 Swiss Army Knife
Netcat - 101 Swiss Army KnifeNetcat - 101 Swiss Army Knife
Netcat - 101 Swiss Army Knife
 
Packet Tracer: SNMP, Netflow, Sys-log
Packet Tracer: SNMP, Netflow, Sys-logPacket Tracer: SNMP, Netflow, Sys-log
Packet Tracer: SNMP, Netflow, Sys-log
 
QoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS RouterQoS Classification on Cisco IOS Router
QoS Classification on Cisco IOS Router
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rules
 
Go with the Flow-v2
Go with the Flow-v2Go with the Flow-v2
Go with the Flow-v2
 
Go with the Flow
Go with the Flow Go with the Flow
Go with the Flow
 
wireshark.pdf
wireshark.pdfwireshark.pdf
wireshark.pdf
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
 
Firewall
FirewallFirewall
Firewall
 
Reconsider TCPdump for Modern Troubleshooting
Reconsider TCPdump for Modern TroubleshootingReconsider TCPdump for Modern Troubleshooting
Reconsider TCPdump for Modern Troubleshooting
 
Python networking
Python networkingPython networking
Python networking
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Sequere socket Layer
Sequere socket LayerSequere socket Layer
Sequere socket Layer
 
Chapter 3. sensors in the network domain
Chapter 3. sensors in the network domainChapter 3. sensors in the network domain
Chapter 3. sensors in the network domain
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 

Recently uploaded

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 

F5 tcpdump

  • 3. IN-LINE LOAD BALANCER With the in-line method the servers are behind the F5 and the F5 becomes the default gateway for the servers. This method preserves the source IP which is one of the best methods for non-HTTP applications and will also ease troubleshooting.
  • 4. WHAT IS TCPDUMP TCPDUMP is a NETWORK PACKET ANALYZER. tcpdump uses libpacp/winpcap to capture data and uses it extensive protocol definitions build inside to analyze the captured packets. Its mainly used to debug the protocol of the captured packet which in turn reveals the network traffic characteristics.
  • 5. CAPTURE FULL TRAFFIC FLOW Capturing traffic with TMM information for a specific traffic flow Beginning in BIG-IP 11.2.0, you can use the 'p' interface modifier with the 'n' modifier to capture traffic with TMM information for a specific flow, and its related peer flow. The p modifier allows you to capture a specific traffic flow through the BIG-IP system from end to end, even when the configuration uses a Secure Network Address Translation (SNAT) or OneConnect. For example, the following command searches for traffic to or from client 10.0.0.1 on interface 0.0: tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.dmp host 10.0.0.1 Once tcpdump identifies a related flow, the flow is marked in TMM, and every subsequent packet in the flow (on both sides of the BIG-IP system) is written to the capture file.
  • 6. TCPDUMP WITH SNAT -P FLAG TO THE RESCUE tcpdump -ni 0.0:nnnp -s 0 host client-ip -w /var/tmp/traffic_from_client.pcap Ex. tcpdump -ni 0.0:nnnp -s 0 host 10.100.100.102 -w /var/tmp/traffic_from_client.pcap Note: with the “-p” flag, you can narrow down by all traffic to that VIP as well if you put tcpdump -ni 0.0:nnnp -s 0 host <vip-ip> and port <vip-port> -w /var/tmp/traffic_to_vip.pcap Ex. tcpdump -ni 0.0:nnnp -s 0 host 1.1.1.1 and port 443 -w /var/tmp/traffic_to_vip.pcap you can always filter on either the client or server IP. so if you want to tcpdump traffic "behind" the F5 and can't use the client IP due to SNAT you can filter on the Node IP address(es).
  • 7. SSL DUMP SSL handshake and other SSL record messages SSL connections are established on top of an existing TCP connection using an SSL handshake that accomplishes the following: • The client and server negotiate security capabilities, such as the public-key algorithm, the symmetric key algorithm, and compression algorithms. • The server transmits its certificate to the client, allowing the client to validate the identity of the server. • The client and server exchange session key information. • The client may also send its certificate to the server, allowing the server to validate the identity of the client. The handshake transactions consist of a number of SSL record messages. These messages can be examined by executing the ssldump utility using the -r option to specify the path and name of the tcpdump capture file to be examined. Other useful options include the following: • -n Do not resolve host names. • -A Print all fields (ssldump, by default, prints only the most interesting). • -e Print absolute timestamps. • -d Display application data, including traffic before session initiates. • -M Output a pre-master secret log file (v. 11.2.0 and later)
  • 8. THE FOLLOWING COMMAND DISPLAYS ALL OF THE SSL RECORD MESSAGES FOUND IN THE TCPDUMP CAPTURE FILE NAMED WWW-SSL-CLIENT.CAP: SSLDUMP -NR /VAR/TMP/WWW-SSL-CLIENT.CAP THE SSL RECORDS PRINTED BY THE SSLDUMP UTILITY APPEAR SIMILAR TO THE FOLLOWING EXAMPLE: New TCP connection #2: 172.16.31.22(32866) <-> 192.168.1.8(8389) 2 1 0.0002 (0.0002) C>S Handshake ClientHello Version 3.0 resume [32]= a3 ca ad 46 95 5d 64 bb 33 ec b5 12 91 21 a3 50 d2 c0 c5 f6 67 c3 cc 9e c0 4a 71 1b 92 dc 58 55 cipher suites SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_DSS_WITH_AES_128_CBC_SHA ************************************ ServerHello Version 3.0 session_id[32]= a3 ca ad 46 95 5d 64 bb 33 ec b5 12 91 21 a3 50 d2 c0 c5 f6 67 c3 cc 9e c0 4a 71 1b 92 dc 58 55 cipherSuite SSL_RSA_WITH_3DES_EDE_CBC_SHA compressionMethod NULL 2 3 0.0277 (0.0000) S>C ChangeCipherSpec 2 4 0.0277 (0.0000) S>C Handshake 2 5 0.0282 (0.0005) C>S ChangeCipherSpec 2 6 0.0282 (0.0000) C>S Handshake 2 7 0.0282 (0.0000) C>S application_data 2 8 0.0289 (0.0006) S>C application_data 2 9 0.0289 (0.0000) S>C application_data 2 10 0.0292 (0.0003) C>S application_data 2 11 0.0296 (0.0003) S>C application_data 2 12 0.0296 (0.0000) S>C application_data
  • 9. TYPICAL TCPDUMP SCENARIO
A typical scenario is to run simultaneous dumps on the internal and external VLANs (assuming the LTM is in a classic Layer 3 implementation), filtering on the client IP or whatever else you are searching for. If packets appear on the external VLAN but not on the internal one, there is likely a problem with the LTM configuration (particularly if you are seeing RST packets). If you see SYN packets on both the external and internal VLANs but no SYN/ACK packets returning, it is likely that the server either does not have its default gateway set to the BIG-IP, or has another route (possibly via a second NIC) back to the client's source network, so the return traffic never passes through the LTM. Those are just a couple of examples of how tcpdump can help quickly resolve issues. Be aware that the PVA (ASIC) can handle some L4 traffic in hardware that will not show up in a regular tcpdump on an LTM VLAN. If need be you can dump on the 0.0 interface to see all traffic going through an LTM, but be careful doing that on a busy box: always filter the tcpdump by host.
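The two-capture procedure on this slide can be turned into a repeatable check. The script below is an added example (not from the slides and not an F5 tool): it reads the external and internal VLAN captures as classic libpcap files with Ethernet framing, extracts the TCP flags per packet, and applies the slide's rules of thumb (SYN on the external side only, SYN on both sides with no SYN/ACK back, or a completed handshake). The addresses, ports and the three sample captures are constructed inside the script; the hypothetical SNAT address stands in for the BIG-IP self IP on the internal VLAN.

```python
"""Diagnose one client flow from simultaneous external/internal VLAN captures.
Added example: it encodes the slide's rules of thumb, nothing F5-specific."""
import socket
import struct
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst sport dport flags")
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def read_tcp(pcap):
    """Parse a classic libpcap file (LINKTYPE_ETHERNET) into a list of TCP/IPv4 Pkt."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond pcap not handled)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    pkts, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        pkts.append(Pkt(socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
                        sport, dport, tcp[13]))
    return pkts


def diagnose(external, internal, client_ip):
    """Apply the slide's rules. `external` is the client-facing VLAN capture, `internal`
    the server-facing one. With a SNAT the client IP is rewritten on the internal side,
    so the caller pre-filters that capture (by server IP, or with the p modifier) and
    only the flags are inspected there."""
    ext = [p for p in external if client_ip in (p.src, p.dst)]
    reset = any(p.flags & RST and p.dst == client_ip for p in ext)
    if not any(p.src == client_ip and p.flags & SYN and not p.flags & ACK for p in ext):
        status = "NO_CLIENT_SYN"   # client never reached the BIG-IP: look upstream
    elif any(p.flags & SYN and p.flags & ACK for p in internal):
        status = "OK"              # the pool member answered through the BIG-IP
    elif not internal:
        status = "LTM_CONFIG"      # SYN arrived, nothing forwarded: virtual/pool config
    elif any(p.flags & SYN and not p.flags & ACK for p in internal):
        status = "SERVER_ROUTE"    # SYN forwarded, no SYN/ACK back: gateway/asymmetric route
    else:
        status = "UNCLEAR"
    return {"status": status, "reset_to_client": reset}


def diagnose_pcaps(ext_bytes, int_bytes, client_ip):
    return diagnose(read_tcp(ext_bytes), read_tcp(int_bytes), client_ip)


def build_pcap(packets):
    """Write Pkt records as a minimal Ethernet/IPv4/TCP libpcap file (constructed data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", p.sport, p.dport, 0, 0, 0x50, p.flags, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         socket.inet_aton(p.src), socket.inet_aton(p.dst))
        frame = bytes(12) + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample captures (hypothetical addresses): client -> VIP on the external
# VLAN, SNAT self IP -> pool member on the internal VLAN.
CLIENT, VIP, SNAT, SERVER = "10.0.0.1", "1.1.1.1", "192.168.1.10", "192.168.1.20"
c_syn = Pkt(CLIENT, VIP, 40000, 443, SYN)
s_syn = Pkt(SNAT, SERVER, 40000, 443, SYN)
SCENARIOS = {
    # server's default gateway is not the BIG-IP: SYN forwarded, SYN/ACK goes elsewhere
    "route": (build_pcap([c_syn, c_syn]), build_pcap([s_syn, s_syn])),
    # virtual server problem: BIG-IP resets the client, nothing on the internal VLAN
    "config": (build_pcap([c_syn, Pkt(VIP, CLIENT, 443, 40000, RST | ACK)]), build_pcap([])),
    "healthy": (build_pcap([c_syn, Pkt(VIP, CLIENT, 443, 40000, SYN | ACK),
                            Pkt(CLIENT, VIP, 40000, 443, ACK)]),
                build_pcap([s_syn, Pkt(SERVER, SNAT, 443, 40000, SYN | ACK),
                            Pkt(SNAT, SERVER, 40000, 443, ACK)])),
}

if __name__ == "__main__":
    for name, (ext, internal) in SCENARIOS.items():
        print(name, diagnose_pcaps(ext, internal, CLIENT))
```

In practice you would feed it the two files written by `tcpdump -ni external ... -w` and `tcpdump -ni internal ... -w`; the script only handles the classic pcap format, so pass the captures through `editcap -F pcap` if your tcpdump writes pcapng.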
  • 10. VIEW ENCRYPTED TRAFFIC INSIDE WIRESHARK
  • On Linux systems Wireshark must be built against GnuTLS and libgcrypt, not OpenSSL or another crypto library (check Help > About Wireshark); this is not something to worry about on Windows builds.
  • The server's private key, the one matching the certificate the server presents, must be available on the system running Wireshark. It can only recover the session keys when the negotiated cipher suite uses RSA key exchange (TLS_RSA_WITH_...), because the pre-master secret is then RSA-encrypted to the server certificate. With DHE or ECDHE suites (forward secrecy) the private key is of no use; you need a pre-master secret log instead (for example from the ssldump -M option described on slide 7).
  • The private key file must be in PEM or PKCS#12 format; if it is not, use OpenSSL to convert it.
  • The private key file should contain only the private key, not the certificate (the public key). Files frequently contain both; check by viewing the file in a plain text editor. You only need the text delimited by this header and footer:
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
  • The capture must include both sides of the conversation, that is, the full client and server exchange.
  • 11. Configuring Wireshark to Decrypt Data
In Wireshark click Edit > Preferences..., select and expand Protocols, scroll down (or just type ssl) and select SSL (called TLS in current Wireshark versions). Click the RSA Keys List Edit... button, click New and enter the following information:
  • IP Address is the address of the host that holds the private key and serves the certificate (the decrypting host, i.e. the server, or the virtual server address when the BIG-IP terminates SSL).
  • Port is the destination port used to reach that host.
  • Protocol is the upper-layer protocol encrypted by SSL/TLS; for instance, the protocol carried over an HTTPS connection is http.
  • Key File: select the private key file as necessary.
  • Password is the passphrase protecting the private key file, if any.
Wireshark also accepts the wildcards 0.0.0.0 for the address and 0 for the port, and the protocol data if you only want the decrypted payload shown without a higher-level dissector. Optionally, enter the path and file name of a debug file, which is useful when diagnosing decryption problems; note that it may slow down the initial load of the capture file. Then open the capture and, if you have met all the requirements, the application data should be shown decrypted. If the standard SSL/TLS port is not in use you may need to select a relevant packet, click Analyze > Decode As... and select SSL.
  • 12. Important: the capture must include the initial SSL/TLS session establishment, in other words the ClientHello and ServerHello exchange and the ClientKeyExchange that follows them. Beware captures taken where a session has been resumed: in an abbreviated handshake the server simply echoes the client's session ID (or accepts a session ticket) and no ClientKeyExchange is sent, so there is no RSA-encrypted pre-master secret on the wire for the private key to recover. Ideally, ensure any capture either a) is of packets from an entirely new device connecting, or b) where a device that has previously established a session is used, it is used a considerable time after the last session was established, so that the server's session cache or ticket has expired.
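Before loading a private key into Wireshark it is worth checking, from the cleartext part of the handshake, whether the key can decrypt the session at all. The script below is an added example (not from the slides, not Wireshark or F5 code) that covers the two conditions above and the ssldump trace on slide 8: it parses the TLS records of each direction, reads the cipher suite chosen in the ServerHello to tell RSA key exchange from ephemeral (DHE/ECDHE/TLS 1.3) exchange, and flags an abbreviated handshake (echoed session ID, no ClientKeyExchange) or a capture that started mid-session. Input is the raw TLS byte stream per direction (for example the reassembled TCP payload exported from the capture); the cipher-suite table is a small subset of the IANA registry, and the four sample handshakes are constructed in the script with zeroed randoms and placeholder certificate and key-exchange bodies.

```python
"""Pre-flight check: can the server's RSA private key decrypt this TLS session?
Added example; parses only the cleartext handshake of each direction."""
import struct

# TLS record content types and handshake message types (RFC 5246)
CHANGE_CIPHER_SPEC, HANDSHAKE, APPLICATION_DATA = 20, 22, 23
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE = 1, 2, 11, 14, 16

# Small subset of IANA cipher suite ids; the name prefix identifies the key exchange.
SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3 suites: key exchange is always ephemeral
    0x1302: "TLS_AES_256_GCM_SHA384",
}


def tls_records(stream):
    """Split a raw TLS stream into (content_type, payload) records (5-byte header)."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        yield ctype, stream[off + 5:off + 5 + length]
        off += 5 + length


def handshake_messages(stream):
    """Yield (type, body) for the cleartext handshake messages of one direction. Records
    are concatenated because a message may span records; parsing stops at
    ChangeCipherSpec, after which everything (Finished included) is encrypted."""
    buf = b""
    for ctype, payload in tls_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            break
        if ctype == HANDSHAKE:
            buf += payload
    off = 0
    while off + 4 <= len(buf):
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        yield buf[off], buf[off + 4:off + 4 + length]
        off += 4 + length


def parse_hello(body, server):
    """Return (session_id, suites): version(2) random(32) sid_len(1) sid, then the
    offered suite list (ClientHello) or the single chosen suite (ServerHello)."""
    sid_len = body[34]
    sid, off = body[35:35 + sid_len], 35 + sid_len
    if server:
        return sid, [struct.unpack_from("!H", body, off)[0]]
    cs_len = struct.unpack_from("!H", body, off)[0]
    off += 2
    return sid, [struct.unpack_from("!H", body, off + i)[0] for i in range(0, cs_len, 2)]


def preflight(client_stream, server_stream):
    """Classify the session: RSA_KEY, KEY_LOG_NEEDED, RESUMED or INCOMPLETE."""
    client = list(handshake_messages(client_stream))
    server = list(handshake_messages(server_stream))
    ch = next((b for t, b in client if t == CLIENT_HELLO), None)
    sh = next((b for t, b in server if t == SERVER_HELLO), None)
    result = {"client_key_exchange": any(t == CLIENT_KEY_EXCHANGE for t, _ in client)}
    if ch is None or sh is None:
        result["mode"] = "INCOMPLETE"      # capture started mid-session: no hellos
        return result
    c_sid, _offered = parse_hello(ch, server=False)
    s_sid, (chosen,) = parse_hello(sh, server=True)
    result["cipher_suite"] = SUITES.get(chosen, "unknown(0x%04x)" % chosen)
    result["resumed"] = bool(c_sid) and c_sid == s_sid
    if result["resumed"] or not result["client_key_exchange"]:
        result["mode"] = "RESUMED"         # abbreviated handshake: no pre-master on the wire
    elif result["cipher_suite"].startswith("TLS_RSA_WITH_"):
        result["mode"] = "RSA_KEY"         # pre-master secret RSA-encrypted to the server cert
    else:
        result["mode"] = "KEY_LOG_NEEDED"  # (EC)DHE / TLS 1.3: the private key does not help
    return result


# --- constructed sample streams (hypothetical, not real captures) ---
def _hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def _rec(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def _hello(session_id, suites, server=False):
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id  # zeroed random
    if server:
        return body + struct.pack("!H", suites[0]) + b"\x00"
    return body + struct.pack("!H", 2 * len(suites)) + b"".join(
        struct.pack("!H", s) for s in suites) + b"\x01\x00"


OFFERED = [0xC02F, 0xC013, 0x002F, 0x000A]
SID = bytes(range(32))
CKE = _hs(CLIENT_KEY_EXCHANGE, struct.pack("!H", 256) + bytes(256))  # placeholder body
FINISH = _rec(CHANGE_CIPHER_SPEC, b"\x01") + _rec(HANDSHAKE, bytes(40))  # "encrypted" Finished


def _full(chosen):
    client = _rec(HANDSHAKE, _hs(CLIENT_HELLO, _hello(b"", OFFERED))) + _rec(HANDSHAKE, CKE) + FINISH
    server = _rec(HANDSHAKE, _hs(SERVER_HELLO, _hello(SID, [chosen], server=True))
                  + _hs(CERTIFICATE, b"\x00\x00\x00") + _hs(SERVER_HELLO_DONE, b"")) + FINISH
    return client, server


SCENARIOS = {
    "rsa": _full(0x002F),
    "ecdhe": _full(0xC02F),
    "resumed": (_rec(HANDSHAKE, _hs(CLIENT_HELLO, _hello(SID, OFFERED))) + FINISH,
                _rec(HANDSHAKE, _hs(SERVER_HELLO, _hello(SID, [0x002F], server=True))) + FINISH),
    "mid_session": (_rec(APPLICATION_DATA, bytes(64)), _rec(APPLICATION_DATA, bytes(64))),
}

if __name__ == "__main__":
    for name, (c, s) in SCENARIOS.items():
        print(name, preflight(c, s))
```

Only RSA_KEY sessions are decryptable with the RSA Keys List alone; KEY_LOG_NEEDED sessions require a pre-master secret log (Wireshark's (Pre)-Master-Secret log filename preference), and RESUMED or INCOMPLETE sessions need a fresh full-handshake capture as the slide above describes.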
  • 13. Things to Come: performance monitoring with SolarWinds
Overview: Configuring network monitoring with sFlow
sFlow is an industry-standard technology for monitoring high-speed switched networks. You can configure the BIG-IP® system to poll internal data sources and send data samples to an sFlow receiver. You can then use the collected data to analyze the traffic that traverses the BIG-IP system. This analysis can help you understand traffic patterns and system usage for capacity planning and chargeback, troubleshoot network and application issues, and evaluate the effectiveness of your security policies.
  • 14. ADDITIONAL LINKS
  • F5 Wireshark Plugin (requires login): download plugin, instructions, additional information
  • https://devcentral.f5.com/articles/getting-started-with-the-f5-wireshark-plugin-on-windows
  • https://support.f5.com/csp/article/K10209
  • https://support.f5.com/csp/article/K13637
  • https://thecciejourney.wordpress.com/2014/11/23/wireshark-f5-plugins-make-for-easier-troubleshooting/

Editor's Notes

  1. LinkedIn profile: linkedin.com/in/alex-wade-947ab565