Original Publication Date: 06/12/2012
Updated Date: 09/30/2016
You should consider using this procedure under the following condition:
TMM information can be helpful in advanced troubleshooting situations, such as tracking connection flows with multiple TMM instances on Clustered Multiprocessing (CMP) platforms.
The F5 implementation of the tcpdump utility can add internal TMM information to a tcpdump capture. In the course of a support case, an F5 Technical Support engineer may ask you to capture a tcpdump where this extra information is present, or you may want to collect the data yourself for analysis in a tool such as Wireshark.
The enhanced tcpdump utility can capture extra details, such as what virtual server and what TMM is handling a specific sample of traffic. When reviewing the tcpdump output file in Wireshark, this extra information appears under the Ethernet II section in the Packet Details panel.
Note: The procedures in this article detail how to collect the additional information using only the tcpdump utility installed on the BIG-IP system. For information about loading the tcpdump files and locating the packet details, refer to your Wireshark product manual.
You must meet the following prerequisites to use this procedure:
Note: This article covers only the options for the tcpdump utility that are relevant to collecting internal TMM information. For general assistance with tcpdump, refer to the Supplemental Information section in this document.
Capturing extended TMM data with tcpdump
Impact of procedure: Refer to SOL6546: Recommended methods and limitations for running tcpdump on a BIG-IP system.
To capture internal TMM information, a noise amplitude operator is appended to the interface argument for a given tcpdump command, as shown in the following syntax:
tcpdump -i <interface>:<noise amplitude>
The noise amplitude defines the level of TMM details included in the packet capture. The following noise levels may be captured:
F5 recommends that you always capture the maximum noise level with the nnn option.
The noise levels include the following details:
Packet from client to BIG-IP 10.1.1.1:1234 -> 10.1.1.3:80
Flow id: 5678
Peer id: 4356
Peer remote address: 10.2.1.5
Peer remote port: 80
Peer local address: 10.2.1.3
Peer local port: 1234
Packet from server to BIG-IP 10.2.1.3:1234 -> 10.2.1.5:80
Flow id: 4356
Peer id: 5678
Peer remote address: 10.1.1.1
Peer remote port: 1234
Peer local address: 10.1.1.3
Peer local port: 80
Capturing traffic with TMM information for use with Wireshark
tcpdump -s0 -ni <vlan>:<noiseamplitude> -w <path to output file> <filter options>
For example:
tcpdump -s0 -ni internal:nnn -w /var/tmp/my_output_file.dmp
Note: A DevCentral login is required to access this content.
f5ethtrailer.slot == 1 and f5ethtrailer.tmm == 0
A list of all F5 filters is shown in Wireshark within the Filter Expression window.
Capturing traffic with TMM information for a specific traffic flow
Beginning in BIG-IP 11.2.0, you can use the p interface modifier with the n modifier to capture traffic with TMM information for a specific flow, and its related peer flow. The p modifier allows you to capture a specific traffic flow through the BIG-IP system from end to end, even when the configuration uses a Secure Network Address Translation (SNAT) or OneConnect. For example, the following command searches for traffic to or from client 10.0.0.1 on interface 0.0:
tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.dmp host 10.0.0.1
Once tcpdump identifies a related flow, the flow is marked in TMM, and every subsequent packet in the flow (on both sides of the BIG-IP system) is written to the capture file.
Important: This modifier produces large amounts of data and can cause significant resource utilization. This additional resource demand may cause poor performance or a system failure if the BIG-IP system is at high resource utilization. Use this modifier only with very specific filters.
Note: This modifier will continue to produce flow information for the life of the connection. Subsequent tcpdump captures will reveal flow information from previous tcpdump captures using the :p modifier if the connection is still active. To clear flow information from previous use, run the tcpdump command without the :p modifier using a filter that matches no information in the flow and ensure some traffic has been received by the BIG-IP system for the flow.
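The capture syntax and the cautions about the p modifier above can be enforced before anything is run. This is an added example, not F5 code: build_tmm_capture and MAX_PACKETS are hypothetical names, and capping p captures with -c is an assumption taken from the -c 100000 in the article's example. It only prints the tcpdump command line.

```shell
# Added example: build (do not run) a BIG-IP tcpdump command line with guard rails.
# usage: build_tmm_capture <interface> <modifier> <outfile> [filter words...]
#   modifier: n, nn or nnn, optionally followed by p (flow plus peer flow)
build_tmm_capture() {
    if [ "$#" -lt 3 ]; then
        echo "usage: build_tmm_capture <interface> <modifier> <outfile> [filter...]" >&2
        return 2
    fi
    iface=$1 mod=$2 out=$3
    shift 3
    filter="$*"

    case "$mod" in
        n|nn|nnn)    peer=0 ;;
        np|nnp|nnnp) peer=1 ;;
        *) echo "error: unsupported modifier '$mod'" >&2; return 2 ;;
    esac

    # The p modifier marks flows inside TMM and produces large amounts of data,
    # so refuse to build the command unless a specific filter was supplied.
    if [ "$peer" -eq 1 ] && [ -z "$filter" ]; then
        echo "error: the p modifier requires a specific filter" >&2
        return 3
    fi

    cmd="tcpdump -s0 -ni ${iface}:${mod}"
    # Assumption: bound p captures with a packet count, as the article's example does.
    if [ "$peer" -eq 1 ]; then
        cmd="$cmd -c ${MAX_PACKETS:-100000}"
    fi
    cmd="$cmd -w $out"
    if [ -n "$filter" ]; then
        cmd="$cmd $filter"
    fi
    printf '%s\n' "$cmd"
}

# Prints the flow-tracking command for client 10.0.0.1 on interface 0.0.
build_tmm_capture 0.0 nnnp /var/tmp/capture.dmp host 10.0.0.1
```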
Capturing traffic without the F5-specific information included in the packet capture
To gather a tcpdump that contains the entire packet, but does not contain any F5-related noise, you can specify the snaplen length to be less than 65535. F5 recommends that you set the snaplen length value to 65534 to ensure that the entire packet is captured, excluding the F5-specific slot and TMM instance information.
Following is an example packet capture including the F5 slot and TMM instance information:
tcpdump -ni 0.0 -X -s 0 port 4353
04:18:45.607920 IP 10.12.20.201.33981 > 10.12.20.202.f5-iquery: P 91:165(74) ack 229 win 3061 <nop,nop,timestamp 3527869000 745400634> out slot1/tmm0 lis=
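When the capture is read as text, the trailing slot and TMM fields shown above can be tallied to see how traffic is spread across TMM instances on a CMP platform. This is an added example, not part of the original article: tmm_tally and sample_capture_text are hypothetical helpers, the sample lines are constructed from the line above, and the "in" direction keyword is assumed by analogy with the "out" shown there.

```shell
# Added example: count packets per slot/TMM and direction in tcpdump text output.

# Constructed sample input modelled on the article's output line;
# the last line imitates a -X hex dump row and must be ignored.
sample_capture_text() {
    cat <<'EOF'
04:18:45.607920 IP 10.12.20.201.33981 > 10.12.20.202.f5-iquery: P 91:165(74) ack 229 win 3061 <nop,nop,timestamp 3527869000 745400634> out slot1/tmm0 lis=
04:18:45.608100 IP 10.12.20.202.f5-iquery > 10.12.20.201.33981: . ack 165 win 3061 in slot1/tmm0 lis=
04:18:45.609000 IP 10.12.20.201.33982 > 10.12.20.202.f5-iquery: S 1:1(0) win 4380 out slot1/tmm1 lis=
04:18:45.609500 IP 10.12.20.201.33981 > 10.12.20.202.f5-iquery: P 165:200(35) ack 229 win 3061 out slot1/tmm0 lis=
        0x0000:  4500 007e 1c46 4000
EOF
}

# Reads tcpdump text on stdin, prints "<slot>/<tmm> <direction> <count>" sorted.
tmm_tally() {
    awk '
    {
        # Find the slotN/tmmN token that directly follows "in" or "out".
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^slot[0-9]+\/tmm[0-9]+$/ && ($(i-1) == "in" || $(i-1) == "out")) {
                count[$i " " $(i-1)]++
                break
            }
        }
    }
    END {
        for (k in count) print k, count[k]
    }' | LC_ALL=C sort
}

sample_capture_text | tmm_tally
```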
Following is example syntax that sets the snaplen to 65534:
tcpdump -s 65534 -ni <vlan>:<noiseamplitude> -w <path to output file> <filter options>
For example:
tcpdump -s 65534 -ni internal:nnn -w /var/tmp/my_output_file.dmp