Original Publication Date: 06/12/2012
Updated Date: 07/16/2014
You should consider using this procedure under the following condition:
TMM information can be helpful in advanced troubleshooting situations, such as tracking connection flows with multiple TMM instances on Clustered Multiprocessing (CMP) platforms.
You must meet the following prerequisites to use this procedure:
Note: This article covers only the options for the tcpdump utility that are relevant to collecting internal TMM information. For general assistance with tcpdump, refer to the Supplemental Information section in this document.
The F5 implementation of the tcpdump utility can add internal TMM information to a tcpdump capture. In the course of a support case, an F5 Technical Support engineer may ask you to capture a tcpdump where this extra information is present. Or, you may want to collect the data yourself for analysis in a tool, such as Wireshark.
The enhanced tcpdump utility can capture extra details, such as which virtual server and which TMM is handling a specific sample of traffic. When reviewing the tcpdump output file in Wireshark, this extra information appears under the Ethernet II section in the Packet Details panel.
Note: The procedures in this article detail only how to collect the additional information using the tcpdump utility installed on the BIG-IP system. For more information about loading the tcpdump files and locating the packet details, refer to your Wireshark product manual.
Capturing extended TMM data with tcpdump
Impact of procedure: Refer to SOL6546: Recommended methods and limitations for running tcpdump on a BIG-IP system.
To capture internal TMM information, a noise amplitude operator is appended to the interface argument for a given tcpdump command, as shown in the following syntax:
tcpdump -i <interface>:<noise amplitude>
The noise amplitude defines the level of TMM details included in the packet capture. The following noise levels may be captured:
F5 recommends always capturing the maximum noise level with the nnn option.
The noise levels include the following details:
Packet from client to BIG-IP 10.1.1.1:1234 -> 10.1.1.3:80
Flow id: 5678
Peer id: 4356
Peer remote address: 10.2.1.5
Peer remote port: 80
Peer local address: 10.2.1.3
Peer local port: 1234
Packet from server to BIG-IP 10.2.1.3:1234 -> 10.2.1.5:80
Flow id: 4356
Peer id: 5678
Peer remote address: 10.1.1.1
Peer remote port: 1234
Peer local address: 10.1.1.3
Peer local port: 80
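The flow id and peer id values shown above are what tie the client-side flow to its server-side peer when you analyze a capture. The following Python is an added example, not F5 code: it pairs flows whose ids reference each other, using packet records constructed from the sample above. The record layout, the field names, and the use of None for a missing peer id are assumptions.

```python
from collections import namedtuple

# One record per captured packet, e.g. exported from a capture analysis tool.
# Field names are hypothetical; values are constructed from the sample above.
Pkt = namedtuple("Pkt", "src dst flow_id peer_id")

SAMPLE = [
    Pkt("10.1.1.1:1234", "10.1.1.3:80", 5678, 4356),  # client-side flow
    Pkt("10.2.1.3:1234", "10.2.1.5:80", 4356, 5678),  # server-side flow
    Pkt("10.1.1.3:80", "10.1.1.1:1234", 5678, 4356),  # reply on client side
    Pkt("10.9.9.9:4000", "10.1.1.3:80", 7001, None),  # no peer recorded
]


def pair_flows(packets):
    """Pair flows whose trailer ids point at each other.

    Returns (pairs, unpaired). Each pair is
    ((flow_id, endpoints), (peer_flow_id, endpoints)); unpaired lists flow
    ids whose peer is missing or does not reference them back.
    """
    peer_of = {}  # flow id -> peer id seen in the trailer
    ends = {}     # flow id -> direction-independent endpoint pair
    for p in packets:
        if p.peer_id is not None:
            peer_of[p.flow_id] = p.peer_id
        else:
            peer_of.setdefault(p.flow_id, None)
        ends[p.flow_id] = tuple(sorted((p.src, p.dst)))

    pairs, unpaired = [], []
    for fid in sorted(peer_of):
        pid = peer_of[fid]
        # A valid pair is symmetric: A names B as peer and B names A.
        if pid is not None and pid != fid and peer_of.get(pid) == fid:
            if fid < pid:  # report each pair once
                pairs.append(((fid, ends[fid]), (pid, ends[pid])))
        else:
            unpaired.append(fid)
    return pairs, unpaired


if __name__ == "__main__":
    pairs, unpaired = pair_flows(SAMPLE)
    for a, b in pairs:
        print(f"flow {a[0]} {a[1]} <-> flow {b[0]} {b[1]}")
    print("unpaired flows:", unpaired)
```

Unpaired flows are worth a second look: they usually mean the capture covered only one side of the BIG-IP system or started after the flow was established.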
Capturing traffic with TMM information for use with Wireshark
tcpdump -s0 -ni <vlan>:<noiseamplitude> -w <path to output file> <filter options>
For example:
tcpdump -s0 -ni internal:nnn -w /var/tmp/my_output_file.dmp
Note: A DevCentral login is required to access this content.
f5ethtrailer.slot == 1 and f5ethtrailer.tmm == 0
A list of all F5 filters is shown in Wireshark within the Filter Expression window.
Capturing traffic with TMM information for a specific traffic flow
Beginning in BIG-IP 11.2.0, you can use the p interface modifier with the n modifier to capture traffic with TMM information for a specific flow, and its related peer flow. The p modifier allows you to capture a specific traffic flow through the BIG-IP system from end to end, even when the configuration uses a Secure Network Address Translation (SNAT) or OneConnect. For example, the following command searches for traffic to or from client 10.0.0.1 on interface 0.0:
tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.dmp host 10.0.0.1
Once tcpdump identifies a related flow, the flow is marked in TMM, and every subsequent packet in the flow (on both sides of the BIG-IP system) is written to the capture file.