F5 Networks Wireshark Plugin

Wireshark is a free and open source software utility for analyzing network traffic. IT professionals consider Wireshark a very popular tool for analysis, software and communication protocol development, as well as education. This network utility can be used on various platforms such as Linux, macOS, BSD, Solaris, other Unix-like operating systems, and Microsoft Windows. Besides the GUI-based Wireshark, users can access a terminal-based version of this utility called TShark.

Given the frequency of use and the need to analyze and troubleshoot system problems, F5 created its own Wireshark Plugin. This plugin provides insight into various additional diagnostic data that can be collected by capturing traffic with the tcpdump tool on F5 devices. Such information is mostly used by the F5 support team when solving various problems reported by customers, but can be of great help to experienced IT professionals during troubleshooting and analysis before contacting the F5 support team.

Collecting additional traffic data

Each F5 system has a specific number of physical interfaces depending on the platform type. One of these physical interfaces is used for traffic management. All other interfaces are called TMM interfaces, and F5 uses them for sending or receiving application traffic, i.e. traffic primarily intended for load balancing and additional processing.

The tcpdump tool can be used to capture traffic passing through F5 systems over respective physical interfaces. F5 Wireshark Plugin enables you to collect traffic data as it passes through the internal TMM interfaces, and provides a more detailed traffic analysis. Apart from analyzing issues with production traffic, this can be very useful in various pilot testing and initial device deployments to avoid all potential traffic processing problems after placing the device in production.

In order to take full advantage of this plugin, we must know how to properly use the packet capture command. It will look similar to the following:

tcpdump -s0 -ni vlan5:nnn -w/var/tmp/filename.pcap

It is imperative to include the ‘-s0’ flag, which captures the entire packet together with the additional TMM information. In addition, the level of additional information collected on the capture interface is set by appending ‘:n’, ‘:nn’ or ‘:nnn’ to the interface name (‘vlan5:nnn’ in the example above); more letters mean more detail. Refer to the following:

  • Low Details (:n) – The low details include ingress or egress flow direction, the slot and TMM handling the packet, and the name of the virtual server, if applicable.
  • Medium Details (:nn) – Includes all of the above plus flow and peer IDs, and the F5 reset (TCP RST) cause, if it exists.
  • High Details (:nnn) – Includes all of the above plus all the related peer data, protocol, VLAN associated with the flow, and local and remote IP addresses and ports.

The following image shows captured traffic as it is displayed in Wireshark using the F5 Plugin. One difference from displaying traffic without the F5 Plugin is that the INFO frame shows information about the platform and related software, as well as the exact command used to capture traffic.

The picture shows the packet entering the virtual server and being processed on the same server. To understand this additional information, it is important to distinguish between the following:

  • Peer – term used to define and describe the connection,
  • Connection – consists of two flows,
  • Flow – each flow is the peer of the other flow in a connection.

When analyzing traffic there is often a problem correlating front-end and back-end communication, especially where F5 is not set up as the default gateway for the back-end servers (so-called one-armed mode). In these situations we can use the flow ID, since it links front-end and back-end communication. The flow ID can also be used as a filter, as shown in the following figure, to display the entire communication for these IP addresses. This filter can also be configured manually.
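The flow ID pairing described above, as an added example that is not part of the original article or of the F5 plugin itself: it reads a constructed TShark field export (the f5ethtrailer.* field names and the sample addresses are assumptions), joins each flow with its peer flow so the client side and the SNATed server side of a one-armed connection line up, and builds the display filter for one connection.

```python
from collections import defaultdict
# Constructed sample in the shape a hypothetical `tshark -T fields` export with
# -e frame.number -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
# -e f5ethtrailer.flowid -e f5ethtrailer.peerid would give. The f5ethtrailer.*
# names are an assumption; check `tshark -G fields | grep f5ethtrailer`.
# One-armed case: the server-side flow carries the SNAT source address, so
# addresses alone cannot link the two sides, but the flow/peer IDs can.
SAMPLE = """\
1\t10.0.0.5\t51000\t192.0.2.10\t443\t0x1a2b\t0x3c4d
2\t10.1.1.1\t20001\t10.1.1.50\t8080\t0x3c4d\t0x1a2b
3\t10.1.1.50\t8080\t10.1.1.1\t20001\t0x3c4d\t0x1a2b
4\t192.0.2.10\t443\t10.0.0.5\t51000\t0x1a2b\t0x3c4d
5\t10.0.0.7\t52000\t192.0.2.10\t443\t0x5e6f\t0x0
"""

def parse_rows(text):
    """Turn tab-separated export lines into packet dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            frame, src, sp, dst, dp, flow, peer = line.split("\t")
            rows.append({"frame": int(frame), "src": f"{src}:{sp}",
                         "dst": f"{dst}:{dp}", "flow": flow, "peer": peer})
    return rows

def pair_flows(rows):
    """Group packets by flow ID and join each flow with its peer flow. Returns
    (connections, unpaired): a connection maps its two flow IDs to
    {"frames", "endpoints", "peer"}; unpaired = peer 0x0 or not captured."""
    flows = defaultdict(lambda: {"frames": [], "endpoints": set(), "peer": None})
    for r in rows:
        f = flows[r["flow"]]
        f["frames"].append(r["frame"])
        f["endpoints"].add((r["src"], r["dst"]))
        f["peer"] = r["peer"]
    connections, unpaired, seen = [], {}, set()
    for fid, f in flows.items():
        if fid in seen:
            continue
        pid = f["peer"]
        if pid in flows and flows[pid]["peer"] == fid:  # mutual flow/peer link
            connections.append({fid: f, pid: flows[pid]})
            seen.update({fid, pid})
        else:
            unpaired[fid] = f
    return connections, unpaired

def connection_filter(flow_id):
    """Wireshark display filter showing both flows of one connection."""
    return f"f5ethtrailer.flowid == {flow_id} || f5ethtrailer.peerid == {flow_id}"
```

Frames 1 and 4 (client side) and 2 and 3 (server side, SNAT address) end up in one connection, while frame 5 stays unpaired because its peer ID is still 0x0.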

It is important to note that the additional information can only be seen if the interface on which traffic is captured is one of the VLAN interfaces. When capturing traffic on physical interfaces, the additional information is not included in the capture, since it shows traffic before or after processing on the TMM interfaces, not while passing through them. Also, the amount of additional information depends on the version of TMOS software installed on the F5 device.

Wireshark Plugin and additional information are available on DevCentral website, accessible with a valid user account: https://devcentral.f5.com/d/wireshark-plugin.

For more information or advice, please contact us.