Packet Processing

Open BIG-IP TMSH and TCPDump session

  1. In this task, you will open two SSH sessions to the BIG-IP: one for TMSH commands and the other for a tcpdump of the client-side network.

  2. Open a PuTTY/terminal window (window1) to the BIG-IP from the shortcut bar at the bottom of the jumpbox.

    ssh root@10.1.1.4
    password: default.F5demo.com
    
  3. Use tcpdump to monitor traffic from the client (10.1.10.199) destined to ftp_vs (10.1.10.100)

    tcpdump -nni client_vlan host 10.1.10.199 and 10.1.10.100
    
  4. Open a second PuTTY/terminal window (window2) to the BIG-IP and use tmsh to display the connection table.

    ssh root@10.1.1.4
    password: default.F5demo.com
    
    tmsh
    
  5. At the TMOS prompt (tmos)#, run:

    show sys connection
    
  6. Do you see any connections from the jumpbox 10.1.10.199 to 10.1.1.4:22?

    Q1. Why are the SSH management sessions not displayed in the connection table?

Establish FTP connection

In this task you will open a command prompt window and establish an FTP session through the ftp_vs virtual server. With the connection remaining open you will view the results in window1 (tcpdump) and window2 (tmsh).

  1. Open a third command/terminal window (window3). Use a Command Prompt from the JumpBox for this step.

    ftp 10.1.10.100
    
  2. It may take 15 to 20 seconds for the logon prompt to appear. Leave it at the prompt to hold the connection open.

  3. In window1 you should see something similar to the tcpdump capture below.

    [Image: tcpdump capture (201ex211t2a-tcpdump.png)]

    Q1. In the tcpdump above, what are the client IP address and port and the server IP address and port?

  4. In window2 (tmsh), run show sys conn again, but filter out the noise of other connections (mirrored and self IP) by looking only at connections from your jumpbox.

    show sys conn cs-client-addr 10.1.10.199
    
  5. The connection table in window2 will show the client-side and server-side connections, similar to below:

    [Image: show sys conn output (201ex211t2b-shsysconn.png)]

    Q2. What are the source IP and port as seen by the FTP server in the example above?

    Q3. What happened to the original client IP address and where did 10.1.10.249 come from?

Hint

You may have to review the configuration of ftp_vs to determine the answer to question 3.
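
Added example (not part of the original lab): a shell helper that reads tcpdump -nn text output, as produced by the capture in window1, and reports which endpoint opened each TCP connection and which one it connected to. The sample lines are constructed; the client port 51234 and the function name syn_endpoints are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of "tcpdump -nn" output for one FTP control connection.
# Addresses come from the lab; ports, sequence numbers and times are made up.
SAMPLE='10:01:02.000001 IP 10.1.10.199.51234 > 10.1.10.100.21: Flags [S], seq 100, win 64240, length 0
10:01:02.000090 IP 10.1.10.100.21 > 10.1.10.199.51234: Flags [S.], seq 900, ack 101, win 4380, length 0
10:01:02.000300 IP 10.1.10.199.51234 > 10.1.10.100.21: Flags [.], ack 1, win 64240, length 0
10:01:03.000001 IP 10.1.10.199.51234 > 10.1.10.100.21: Flags [S], seq 100, win 64240, length 0
10:01:19.500000 IP 10.1.10.100.21 > 10.1.10.199.51234: Flags [P.], seq 1:21, ack 1, win 4380, length 20'

# Reads tcpdump text lines on stdin and prints one line per distinct
# connection attempt: client=<ip:port> server=<ip:port>.
syn_endpoints() {
  awk '
    # tcpdump prints IPv4 endpoints as a.b.c.d.port; split at the last dot.
    function endpoint(s,   n) {
      sub(/:$/, "", s)                 # destination carries a trailing colon
      n = match(s, /\.[0-9]+$/)
      return substr(s, 1, n - 1) ":" substr(s, n + 1)
    }
    {
      # Anchor on "IP src > dst: Flags [..]" so extra leading or trailing
      # fields on the line do not shift the parse.
      for (i = 1; i <= NF - 5; i++)
        if ($i == "IP" && $(i + 2) == ">" && $(i + 4) == "Flags") {
          # A bare SYN [S] is sent only by the side opening the connection;
          # the SYN-ACK reply is printed as [S.] and is skipped here.
          if ($(i + 5) == "[S],") {
            key = endpoint($(i + 1)) " " endpoint($(i + 3))
            if (!seen[key]++) {          # ignore retransmitted SYNs
              split(key, ep, " ")
              print "client=" ep[1] " server=" ep[2]
            }
          }
          next
        }
    }
  '
}

printf '%s\n' "$SAMPLE" | syn_endpoints
```

To use it on a live capture, add -l to the tcpdump command so output is line-buffered, then pipe it into syn_endpoints.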