How to perform a tcpdump on a virtual server that has SNAT configured:
Starting in v11.2, there is an awesome undocumented feature that can help: a new “p” (peer) modifier, appended to the capture interface as in 0.0:nnnp, that also dumps the peer flows of a connection.
Log on to the CLI via SSH and start the packet capture:
tcpdump -ni 0.0:nnnp -s 0 host client-ip -w /var/tmp/traffic_from_client.pcap
Replace client-ip with the IP address of the failing client. For example, from bash:
tcpdump -ni 0.0:nnnp -s 0 host 10.100.100.102 -w /var/tmp/traffic_from_client.pcap
Note: with the p modifier you can also narrow the capture to all traffic to a VIP by using:
tcpdump -ni 0.0:nnnp -s 0 host <vip-ip> and port <vip-port> -w /var/tmp/traffic_to_vip.pcap
tcpdump -ni 0.0:nnnp -s 0 host 184.108.40.206 and port 443 -w /var/tmp/traffic_to_vip.pcap
Now reproduce the issue with the failing client.
After the reproduction completes, press Ctrl-C to stop the packet capture.
Note: the capture above takes advantage of the new tcpdump p (peer) modifier, which also captures the peer side of the connection. This is useful when traffic is SNATed on the server side, because the server-side flow no longer carries the client's address and would not match the filter on its own. It requires a small workaround to reset/clear the filter internally: run a different capture, without the p modifier, whose filter will not match the original one:
tcpdump -ni 0.0:nnn -s 0 port 1
Press Ctrl-C to stop this capture immediately after it starts.
Voila! No more capturing an insane amount of traffic to find that needle in a haystack on the server side!
The ugly way we had to do it before:
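To see what the peer capture adds, the following added example (not part of the original article) builds a small constructed pcap containing a client-side flow and its SNATed server-side flow, parses it, and splits the packets into the client-side flow that a plain "host client-ip" filter would see and the peer flow that only the p modifier captures. The client and VIP addresses are those from the article; the SNAT address and pool member are assumptions.

```python
import socket
import struct

# Constructed sample addresses: client and VIP are from the article; SNAT and pool member are assumed.
CLIENT, VIP, SNAT, POOL_MEMBER = "10.100.100.102", "184.108.40.206", "10.1.1.5", "10.1.1.20"

def tcp_frame(src, dst, sport, dport):
    """Minimal constructed Ethernet/IPv4/TCP SYN frame (no payload, zero checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def iter_frames(pcap):
    """Yield raw frames from a libpcap byte string, honouring its byte order."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def split_sides(pcap, client_ip):
    """Return (client_side, server_side) lists of (src, dst, sport, dport). Packets touching
    client_ip match a plain 'host client-ip' filter; the rest are the SNATed peer flows."""
    client_side, server_side = [], []
    for frame in iter_frames(pcap):
        if frame[12:14] != b"\x08\x00":      # skip non-IPv4 frames
            continue
        ihl = (frame[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        (client_side if client_ip in (src, dst) else server_side).append((src, dst, sport, dport))
    return client_side, server_side

SAMPLE_PCAP = build_pcap([
    tcp_frame(CLIENT, VIP, 51000, 443),          # client -> VIP (client side)
    tcp_frame(SNAT, POOL_MEMBER, 20000, 443),    # SNAT -> pool member (peer side)
    tcp_frame(POOL_MEMBER, SNAT, 443, 20000),    # pool member -> SNAT (peer side)
    tcp_frame(VIP, CLIENT, 443, 51000),          # VIP -> client (client side)
])
```

Running split_sides on a real capture taken with 0.0:nnnp shows the same split: without the p modifier, the server_side list would be empty for a "host client-ip" filter.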
SOL11555: Gathering data in preparation for a traffic impacting change to the BIG-IP system