I was recently directed towards a wonderful plugin for Wireshark that helps with troubleshooting F5 TCPDUMPS. With my first F5 exam coming up very shortly, I figured I’d take a break from studying and do a write-up on this helpful addition. I will not be covering installation of this plugin; that can be found on the DevCentral page for the plugin (requires login).
How the plugin works:
The plugin itself utilizes “noise” information that can be included by the F5 TMM system during a TCPDUMP. This extra noise information is primarily used by F5 support in troubleshooting, but it also provides great value when attempting to troubleshoot problems on your own. The plugin within Wireshark automatically dissects the included noise and presents it as an additional section within Wireshark, allowing for easy use of the new information.
Figure-1: Frame Detail Pane
As can be seen, there are three new panes provided specifically for F5: Low Details, Medium Details, and High Details.
Below is the explanation of the three levels; this information was pulled directly from an F5 Support Document, and I have included screenshots to show each level.
The noise levels include the following details:
- Ingress: A flag indicating whether TMM is sending or receiving the packet. A zero (0) indicates that TMM is sending the packet, while a non-zero number indicates that TMM is receiving the packet.
- Slot: The chassis slot number of the TMM that is handling the packet.
- TMM: The number of the TMM that is handling the packet.
- VIP: The name of the virtual server that is handling the connection. Prior to BIG-IP 11.2.0, the name was limited to 16 characters. In BIG-IP 11.2.0 and later, the name is limited to 96 characters.
Figure-2: Low Noise
- Flow ID: A number identifying a flow within TMM. The same flow ID can be used for different flows in different TMMs. Also, the same flow ID can be re-used for a different flow within the same TMM at a different time.
- Peer ID: A number identifying the peer flow within TMM. Note that the same peer ID can be used for different flows in different TMMs. Also, the same peer ID can be re-used for a different flow within the same TMM at a different time.
- Reset Cause: In BIG-IP 11.2.0 and later, the reset cause (if available) is included for TCP reset packets. For more information, refer to SOL13223: Configuring the BIG-IP system to log TCP RST packets.
- Connflow Flags: Diagnostic information used by F5 Technical Support.
- Flow Type: Diagnostic information used by F5 Technical Support.
- High Availability Unit: Diagnostic information used by F5 Technical Support.
- Ingress Slot: Diagnostic information used by F5 Technical Support.
- Ingress Port: Diagnostic information used by F5 Technical Support.
Figure-3: Medium Noise
- Peer IP Protocol: The IP protocol of the peer flow. This field is not populated prior to BIG-IP 11.0.0.
- Peer VLAN: The VLAN ID number that is associated with the peer flow.
- Peer Remote Address: The IP address of the host on the far end of the peer flow.
- Peer Local Address: The IP address used by TMM for the peer flow.
- Peer Remote Port: The protocol port of the host on the far end of the peer flow.
- Peer Local Port: The protocol port used by TMM for the peer flow.
Figure-4: High Noise
While not all of the information is useful, there are a few major parts I’d like to point out that I feel would be a great help when troubleshooting.
- Ingress: This allows for a quick way to determine if the packet you are seeing is inbound to the BIG-IP system or outbound.
- Slot: In larger deployments utilizing chassis-based VIPRIONs, it is sometimes helpful to know which blade is handling the traffic.
- VIP: This allows you to easily determine whether the VIP handling the traffic is the one you’d expect.
- Reset Cause: While the only portion of Medium Details I’ve used so far, being able to quickly determine why the RST occurred can help take time off of how long services are down during a troubleshooting exercise
- Peer IP Protocol: While not always necessary, this can be helpful for troubleshooting non TCP/UDP traffic (such as VPN)
- Peer VLAN: This is the destination VLAN (VLAN where servers usually sit)
- Peer Remote Address: This is the destination address
- Peer Local Address: This is the source address
- Peer Remote Port: This is the destination port
- Peer Local Port: This is the source port
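The Flow ID and Peer ID notes above matter when you correlate the client-side and server-side halves of a proxied connection: the IDs are only unique within one TMM, so slot and TMM have to be part of the key. The following is an added example, not part of the plugin or of F5's documentation. It assumes the trailer fields have already been exported into dictionaries (the field names, sample packets and reset-cause text are constructed), and it does not handle ID reuse over time, which in a long capture would also need a time window.

```python
from collections import defaultdict

# Constructed sample records, one per frame, using the fields described above.
# ingress: non-zero = TMM is receiving the packet, 0 = TMM is sending it.
PACKETS = [
    {"no": 1, "slot": 1, "tmm": 0, "ingress": 1, "flow_id": 0x1A00, "peer_id": 0x1B00,
     "vip": "/Common/vs_web", "rst_cause": None},
    {"no": 2, "slot": 1, "tmm": 0, "ingress": 0, "flow_id": 0x1B00, "peer_id": 0x1A00,
     "vip": "/Common/vs_web", "rst_cause": None},
    # Same flow ID as frame 1, but on a different TMM: an unrelated connection.
    {"no": 3, "slot": 1, "tmm": 1, "ingress": 1, "flow_id": 0x1A00, "peer_id": 0x2C00,
     "vip": "/Common/vs_api", "rst_cause": None},
    {"no": 4, "slot": 1, "tmm": 1, "ingress": 0, "flow_id": 0x2C00, "peer_id": 0x1A00,
     "vip": "/Common/vs_api", "rst_cause": None},
    # A reset arriving on the server side, then relayed to the client side.
    {"no": 5, "slot": 1, "tmm": 0, "ingress": 1, "flow_id": 0x1B00, "peer_id": 0x1A00,
     "vip": "/Common/vs_web", "rst_cause": "constructed cause A"},
    {"no": 6, "slot": 1, "tmm": 0, "ingress": 0, "flow_id": 0x1A00, "peer_id": 0x1B00,
     "vip": "/Common/vs_web", "rst_cause": "constructed cause B"},
]

def conversation_key(pkt):
    """Key shared by a flow and its peer flow.

    Slot and TMM are included because flow IDs repeat across TMMs; the two
    IDs are sorted so both sides of the proxy produce the same key.
    """
    ids = tuple(sorted((pkt["flow_id"], pkt["peer_id"])))
    return (pkt["slot"], pkt["tmm"], ids)

def group_conversations(packets):
    """Map each conversation key to the frame numbers that belong to it."""
    convs = defaultdict(list)
    for pkt in packets:
        convs[conversation_key(pkt)].append(pkt["no"])
    return dict(convs)

def resets(packets):
    """List (frame, direction, vip, cause) for packets carrying a reset cause."""
    found = []
    for pkt in packets:
        if pkt.get("rst_cause"):
            direction = "received by TMM" if pkt["ingress"] else "sent by TMM"
            found.append((pkt["no"], direction, pkt["vip"], pkt["rst_cause"]))
    return found

if __name__ == "__main__":
    for key, frames in group_conversations(PACKETS).items():
        print(key, frames)
    for row in resets(PACKETS):
        print(row)
```

Keying on the flow ID alone would merge frames 1 and 3 into one conversation even though they belong to different virtual servers.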
Creating TCPDUMPS for the plugin:
Disclaimer: These steps are merely to demonstrate how to include the required “noise” in your TCPDUMP; as always, please exercise caution when using new commands / features for the first time. I recommend testing in a lab/non-production environment first. Even though it seems nothing bad should happen, surprises happen (and sometimes they aren’t good surprises).
To use the plugin, you simply state the amplitude of noise you desire as a suffix on the interface argument of your TCPDUMP command:
tcpdump -i <interface>:<noise amplitude>
The following noise arguments are possible:
- n: Low details
- nn: Low and medium details
- nnn: Low, medium, and high details
An example of a TCPDUMP with Low, Medium, and High Details:
tcpdump -s0 -ni ExternalDMZ:nnn -w /var/tmp/ExtendedF5.pcap
For the extra information to be included, you cannot pull the trace from a physical interface; it must be from a VLAN.
Using the Plugin:
After the plugin is installed and you have captured your TCPDUMP, it’s time to open up Wireshark!
Figure-5: Wireshark with plugin installed
Immediately you can see that the additional information is being included in the capture without even having to do anything.
Picking a frame allows you to drill down into more information including the three new levels for F5.
In addition, it’s now possible to trace flows for F5 IP, TCP, and UDP.
Figure-6: Additional Analyze options
That’s the basic overview of the plugin provided by the wonderful F5 DevCentral community. There is other functionality in the plugin, but I have not had a chance to look into it; I may do another post with the additional functionality at a later time…
F5 Wireshark Plugin (Requires login) [Download plugin, Instructions, additional information]
SOL13637: Capturing Internal TMM Information with TCPDUMP [Additional Information]