net packet-tester security

net packet-tester security(1)			  BIG-IP TMSH Manual			net packet-tester security(1)

NAME
       packet-tester - Shows whether a packet with the given parameters passes through the data path, which AFM
       policies and rules will be applied to the packet, and whether it will be dropped. This is shown for DoS in
       global and virtual server context, and for IP Intelligence and ACL in global, route domain and listener
       context. You can only use the show command with this component.

MODULE
       net

SYNTAX
	show packet-tester security
	     dest-addr [IP address]
	     source-addr [IP address]
	     dest-port [TCP/UDP port]
	     source-port [TCP/UDP port]
	     protocol [protocol]
	     src-vlan [source vlan name]
	     check-staged [enable/disable]
	     trigger-log [enable/disable]
	     ttl [1 to 255]
	     syn [SYN TCP FLAG]
	     ack [ACK TCP FLAG]
	     rst [RST TCP FLAG]
	     fin [FIN TCP FLAG]
	     push [PUSH TCP FLAG]
	     urg [URG TCP FLAG]

DESCRIPTION
       Given a user-provided VLAN, source/destination IP addresses, TCP/UDP ports and protocol, the command crafts a
       packet and inserts it into the data path to match these parameters against the user-configured DoS, ACL rules
       and IP Intelligence in global, route domain and VIP/SelfIP context, and returns which policies and rules were
       applied and the final action taken on the packet. Both IPv4 and IPv6 addresses and the IP/UDP/TCP/SCTP
       protocols are supported. The detail option will provide which specific policy and rule will be applied to
       such a packet. This command can be used as a diagnostic tool to troubleshoot BIG-IP AFM configuration
       problems. It provides a faster way to identify which AFM configuration will have an impact on the specified
       packet stream.

EXAMPLES
       [root@bigip208:Active:Standalone] rpm # tmsh -s -m show net packet-tester security dst-addr 41.41.41.41 dst-port 80 src-addr 8.8.8.1 src-port 99 protocol udp src-vlan /Common/internal detail

	*************************
	Packet Tester Data:
	*************************

	Source IP/Port:8.8.8.1/99 Src Vlan /Common/internal
	Destination IP/Port:41.41.41.41/80
	Packet Protocol: udp
	Packet Trace Option: Check Staged:Disable, Trigger Log:Disable

	Stage:Device-DoS
	Result: Allow, No Anomaly
	Other Information
	  Dos Vector: UDP flood
	  Dos White list: No
	  Log Config:Disable

	Stage:Device-IP Intelligence
	Result: No Policy
	Other Information
	  Policy Name: unset
	  Source Hit Type: No Match
	  Source Category: unset
	  Drop Source:No
	  Destination Hit Type: No Match
	  Destination Category: unset
	  Drop Destination:No
	  Log Config:Disable

	Stage:Device-Access Control
	Result: Allow
	Other Information
	  Policy Name: /Common/policy1
	  Policy Type: Enforced
	  Rule Name: packet_test_udp_rule
	  Source FQDN: No-lookup
	  Destination FQDN: No-lookup
	  Source Geo: No-lookup
	  Dest Geo: No-lookup
	  iRule:unset
	  Log Config:Disable

	Stage:Route Domain-IP Intelligence (/Common/0)
	Result: No Policy
	Other Information
	  Policy Name: unset
	  Source Hit Type: No Match
	  Source Category: unset
	  Drop Source:No
	  Destination Hit Type: No Match
	  Destination Category: unset
	  Drop Destination:No
	  Log Config:Disable

	Stage:Route Domain-Access Control (/Common/0)
	Result: Allow
	Other Information
	  Policy Name: /Common/policy1
	  Policy Type: Enforced
	  Rule Name: packet_test_udp_rule
	  Source FQDN: No-lookup
	  Destination FQDN: No-lookup
	  Source Geo: No-lookup
	  Destination Geo: No-lookup
	  iRule:unset
	  Log Config:Disable

	Stage:Listener-DoS (/Common/packet_test_catchall)
	Result: No Policy
	Other Information
	  Dos Profile Name: unset
	  Dos Vector: unset
	  Dos White list: No
	  Log Config:Disable

	Stage:Listener-IP Intelligence (/Common/packet_test_catchall)
	Result: No Policy
	Other Information
	  Policy Name: unset
	  Source Hit Type: No Match
	  Source Category: unset
	  Drop Source:No
	  Destination Hit Type: No Match
	  Destination Category: unset
	  Drop Destination:No
	  Log Config:Disable

	Stage:Listener-Access Control (/Common/packet_test_catchall)
	Result: Allow
	Other Information
	  Policy Name: /Common/policy1
	  Policy Type: Enforced
	  Rule Name: packet_test_udp_rule
	  Source FQDN: No-lookup
	  Destination FQDN: No-lookup
	  Source Geo: No-lookup
	  Destination Geo: No-lookup
	  iRule:unset
	  Log Config:Disable

	Final Result
	Source IP/Port:8.8.8.1/99 Src Vlan /Common/internal
	Destination IP/Port:41.41.41.41/80
	Packet Protocol: udp
	Packet Trace Option: Check Staged:Disable, Trigger Log:Disable
	Final Action : Allow
	Total records returned: 1
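
       The detail output above is line-oriented, so a firewall change can be checked automatically by parsing it. The
       following is an added example, not F5 code: the function names are hypothetical and SAMPLE is abridged from
       the example output on this page. It extracts each stage, the final action, and the stages where no policy
       was evaluated.

```python
import re

# Abridged from the example output above (three of the eight stages kept).
SAMPLE = """\
Stage:Device-DoS
Result: Allow, No Anomaly
Other Information
  Dos Vector: UDP flood

Stage:Device-IP Intelligence
Result: No Policy
Other Information
  Policy Name: unset

Stage:Device-Access Control
Result: Allow
Other Information
  Policy Name: /Common/policy1
  Rule Name: packet_test_udp_rule

Final Result
Final Action : Allow
"""

def parse_packet_tester(text):
    """Return (stages, final_action); each stage is a dict of its fields."""
    stages, current, final = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Final Result"):
            current = None  # summary lines must not be attached to the last stage
        m = re.match(r"([^:]+?)\s*:\s*(.*)$", line)  # split on the first colon only
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Stage":
            current = {"Stage": value}
            stages.append(current)
        elif key == "Final Action":
            final = value
        elif current is not None:
            current[key] = value
    return stages, final

def unenforced_stages(stages):
    """Stages where no policy was evaluated, so nothing filtered the packet there."""
    return [s["Stage"] for s in stages if s.get("Result") == "No Policy"]
```

       A final action of Allow alongside a long list of "No Policy" stages shows that the packet passed because few
       contexts had anything configured, which is worth distinguishing from a packet explicitly allowed by a rule.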

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2016. All rights reserved.

BIG-IP						      2016-09-13			net packet-tester security(1)