Undestanding TCP dump on BIG IP LTM

By | July 10, 2020

TCPDUMP is one of the most powerful packet analyzer that we can run on command line interface at the time of troubleshooting to display TCP IP packets that being transmitted or received over a network. It can run on most of the Unix/Linux flavors and it also allow us to save the file which we can view it using software like Wireshark.

As we know the BIG IP LTM also run on Linux operating system, so in today article we will discuss and understand how we can use TCPDUMP on different scenario to capture the packets on it. Let’s begin

Topology:

If we look at our above simple topology, BOB here is trying to access web server resource at the Farm by directly typing VIP IP address 192.168.50 [to make process simple I have removed the DNS process here] in his web browser. Once the traffic hit to VIP created on LTM, the BIG IP LTM distribute traffic to these three server based on load balancing algorithm (round robin – default). Let’s see now how we can use TCP dump to analyze this communication.

Before we run TCPDUMP on LTM, we also require to have basic understanding of some of the options which we can use along with it.

Options:

-i = allows you to filter the packets on a particular Ethernet interface.

-c = allow us to specify the number of packets to capture.

-s = allow us to specify size of the packet capture. This option is require because by default BIG IP only capture first 96Bytes.

-w = allow us to save the file in pcap format.

-r = allow use to read the file from local memory.

-n= allow us to not use domain name in the packets

Let’s filter the packets now

  1. By default when we just type TCPDUMP on BIGIP running on VMware machine without any option it will display the packets being transmitted and received on management interface.

tcpdump

In our topology we can see ssh traffic being initiated from our computer 10. 1.0.1 to BIG IP Gajanan.network-root.com.ssh [domain-name]

[root@BIG-IP-LTM-Gajanan:Active:Disconnected] config # tcpdump

09:05:30.776793 IP 10.1.0.1.17862 > BIG-IP-LTM-Gajanan.network-root.com.ssh: . ack 2075444 win 252

09:05:30.777011 IP BIG-IP-LTM-Gajanan.network-root.com.ssh > 10.1.0.1.17862: P 2075704:2075868(164) ack 13057 win 501

09:05:30.777061 IP 10.1.0.1.17862 > BIG-IP-LTM-Gajanan.network-root.com.ssh: P 13057:13109(52) ack 2075704 win 251

09:05:30.777159 IP BIG-IP-LTM-Gajanan.network-root.com.ssh > 10.1.0.1.17862: P 2075868:2076128(260) ack 13109 win 501

If we don’t want to see name resolution than we can append the key word –nn and now we will be able to see actual IP address instead of domain name.

[root@BIG-IP-LTM-Gajanan:Active:Disconnected] config # tcpdump -nn

22:29:51.224946 IP 10.1.0.1.62058 > 10.1.0.145.22: . ack 187972 win 256

22:29:51.224959 IP 10.1.0.145.22 > 10.1.0.1.62058: P 187972:188104(132) ack 273 win 652

22:29:51.232457 IP 10.1.0.145.22 > 10.1.0.1.62058: P 188104:188380(276) ack 273 win 652

22:29:51.232545 IP 10.1.0.1.62058 > 10.1.0.145.22: P 273:325(52) ack 188104 win 256

  1. If we want to check communication between client and Big IP than we just need to run the tcp dump command on external interface or external VLAN of BIG IP.

Specifying VLAN

tcpdump -i external

Specifying external interface 1.1

tcpdump -i 1.1

In our topology we have executed this command on external interface of BIG IP and we can see TCP 3 Hand way shake is successful being established between client Bob with IP address 192.168.0.3 Source port 20463 and BIG IP VIP address 192.168.0.50 destination port on port http [80].

09:59:57.530894 IP 192.168.0.3.20463 > 192.168.0.50.http: S 109748317:109748317(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> in slot1/tmm0 lis= – Syn Packet

09:59:57.530989 IP 192.168.0.50.http > 192.168.0.3.20463: S 109748250:109748250(0) ack 109748318 win 4380 <mss 1460,nop,wscale 0,sackOK,eol> out slot1/tmm0 lis=/Common/our-pool – Syn Ack

09:59:57.541512 IP 192.168.0.3.20463 > 192.168.0.50.http: . ack 1 win 16425 in slot1/tmm0 lis=/Common/our-pool – Ack Packet

  1. If we want to check communication between BIG IP and backend Server than we just need to run the tcp dump on internal interface or internal VLAN of BIG IP.

Specifying internal vlan

tcpdump -i internal

Specifying internal interface 1.1

tcpdump -i 1.1

Note: If we want to specify all interface and vlan than we can just need to use number 0.0 along with –i

Tcpdump -i 0.0

In our topology we have executed this command on internal interface and we can see TCP 3 Hand way shake is successful being established between BIG IP LTM with source 192.168.0.3 Source port 20463 [ P address and port number will remain same as actual client unless it use SNAT ] and Backend Server 10.2.0.11 destination port http [80].

10:15:45.683558 IP 192.168.0.3.20463 > 10.2.0.11.http: S 3178083344:3178083344(0) win 4380 <mss 1460,nop,wscale 0,sackOK,eol> Syn Packet

10:15:45.706714 IP 10.2.0.11.http > 192.168.0.3.20463: S 711766836:711766836(0) ack 3178083345 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7> Syn Ack

10:15:45.706731 IP 192.168.0.3.20463 > 10.2.0.11.http: . ack 1 win 4380 Ack Packet

Please note BIGIP is full proxy so client TCP connection will terminate at BIGIP and BIGIP will create new TCP session with Backend Server.

  1. In above example, we had to filter the specific ip address manually from bunch of communication so if we want to filter specific communication between one specific client and server than we need to specify their corresponding IP address.

Tcpdump host <IP address>

tcpdump src host <IP address> or dst host <IP address>

In our topology, we have executed this command on internal interface to see BIG IP communication [originating HTTP packet from self ip address: 10.2.0.145] with Backend server 10.2.0.11 from health monitor [used to check the status (live or dead ) of server] perspective.

Please note, if we are filtering based client IP address and if we are using Source NAT on BIG IP than we require to append keyword “ P “ to see the end to end communication[ client –LTM- server] as in source NAT, the actual ip address of client will change [ if AutoMap used it would be self ip address of internal interface and If pool is being used than it would be any ip address from that list of address ] and if we don’t use key word P than we will not able to capture the BIGIP communication with backend server.

tcpdump -i 0.0:p host 10.92.168.0.3

  1. If we want to filter communication based on protocol [e.g. ARP, HTTP] than we need to specify name of protocol.

tcpdump -i internal arp


In our topology we have executed this command on internal interface to filter ARP packets

[root@BIG-IP-LTM-Gajanan:Active:Disconnected] config # tcpdump -i internal arp

22:48:28.706672 arp who-has 10.2.0.22 tell 10.2.0.1

22:48:28.706687 arp reply 10.2.0.22 is-at 00:0c:29:8b:b8:26 (oui Unknown)

  1. If we want to filter communication based on port number than we need to specify specific port number [e.g. http-80, https – 443].

tcpdump port <port number>

tcpdump src port<port number> or dst port<port number>

In our topology, we have executed this command on internal interface to filter communication based on port number port 80 [http].

Other Features:

  1. Tcpdump command also allow us to save captured packets in folder. We can use below commands

tcpdump -i 1.1 -w gaja.bin

Verify the file using ls command

E.g. to save file in specific folder

tcpdump -i 1.1 –w foldername/filename.pcap

  1. Combining filters with the ‘and’ operator

We can use the “and” operator to filter for a mixture of output.

In our topology,we can verify the communication between our BIG IP Self ip address of internal interface and back end server 10.2.0.22 by specifying their ip address using “and” operator.

  1. Run TCPDUMP from GUI.

We can also run TCPDUMP from BIGIP GUI as shown below.

Conclusion:

We have seen TCPDUMP output on BIG IP device but please note these command will remain as long as we are running these commands on any flavor of Linux or UNIX operating system. I Hope this article help.

Leave a Reply

Your email address will not be published. Required fields are marked *