In this post we are going to look at how to use the F5 Wireshark plugin to troubleshoot networking issues on BIG-IP LTM.
- Download and install the plugin in your Wireshark.
Once you restart Wireshark, go to the Help – About Wireshark menu, Plugins tab. You should see the plugin listed there if it was installed properly.
- The plugin is only useful if you take the capture on the LTM with the ‘noise’ information, i.e. with the ‘:nnn’ suffix on the interface, which appends the F5 Ethernet trailer (TMM, flow ID and related data) to every packet:
tcpdump -w /var/tmp/capture.pcap -s0 -i _interface_:nnn
where the _interface_ can be:
- 1.1 – example of a physical interface
- dmz_vlan – the name you gave to your VLAN when you created it
- 0.0 – the equivalent of the ‘any’ interface, meaning capture on all interfaces and all VLANs
tcpdump -s0 -nn -w /var/tmp/test1-$(date +%s).pcap -i 0.0:nnn '(host _ip_ and port _port_) or arp or not ip'
- Open the capture in wireshark as normal
- The most useful part of this plugin is that you can quickly and easily find the client-side and server-side traffic of a connection in the capture (this can be challenging when you have multiple TCP streams and a OneConnect profile, because the server-side connection may be reused by several client-side flows):
- Find a single packet of the flow you are interested in (search for VIP or client ip for example).
- Find the “Flow ID” from the F5 Ethernet trailer (see the picture above for example).
- Right-click the Flow ID field and select “Prepare as Filter”.
- The Filter box (at the top) will be pre-populated with the filter syntax for you.
- Copy the hex value and delete the ‘.flowid == hex’ part and start typing ‘.’ (dot).
- It will immediately give you a list of possible options; select anyflowid and paste the hex value back as it was originally. Example:
- Press the Apply button.
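The same trick can be scripted with tshark instead of clicking through the GUI. This is an added example, not code from the original post: it assumes tshark is installed with the F5 plugin loaded, that the capture was taken with the ‘:nnn’ suffix, and that the plugin's field names are f5ethtrailer.flowid and f5ethtrailer.anyflowid (the full names behind the “flowid” and “anyflowid” options shown above).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes tshark + the F5 plugin,
# a capture taken with the :nnn noise suffix, and the plugin field names
# f5ethtrailer.flowid / f5ethtrailer.anyflowid.

# Display filter that matches BOTH legs of a flow (client side and server
# side): the expression the GUI builds once ".flowid" is swapped for ".anyflowid".
f5_anyflowid_filter() {
    printf 'f5ethtrailer.anyflowid == %s' "$1"
}

# Filter used to locate the first leg: a client IP talking to the VIP port.
f5_seed_filter() {
    printf 'ip.addr == %s && tcp.port == %s' "$1" "$2"
}

# List the distinct F5 flow IDs carried by packets matching the seed filter.
# Packets without a trailer yield an empty field, which is dropped.
f5_list_flowids() {
    pcap=$1; client=$2; port=$3
    tshark -r "$pcap" -Y "$(f5_seed_filter "$client" "$port")" \
        -T fields -e f5ethtrailer.flowid | grep -v '^$' | sort -u
}

# Print both sides of every flow found, so the server-side connection that
# OneConnect may have reused shows up next to the client-side one.
f5_dump_flows() {
    pcap=$1; client=$2; port=$3
    f5_list_flowids "$pcap" "$client" "$port" | while read -r fid; do
        echo "### flow $fid (client side and server side)"
        tshark -r "$pcap" -Y "$(f5_anyflowid_filter "$fid")"
    done
}

# Usage when run directly, e.g.: ./f5flows.sh /var/tmp/capture.pcap 10.1.1.5 443
if [ "$#" -eq 3 ]; then
    f5_dump_flows "$1" "$2" "$3"
fi
```

The client IP and port are constructed sample values; substitute the ones from your own capture.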