i want capture traffic after F5 (bigip) to see unencrypted traffic, but if i do it i will see the source IP is F5 IP address.
how this issue will be solved to see the original source IP?
appreciate your support.
You may want to TAP and capture that traffic first to see what data is available. There may be an x-forwarded-for or similar header that would contain that originating IP address. However, that would be in a different meta key than ip.src or ip.dst.
You may also want to consult F5 for various configuration options that are available to get you the data you need.
Packet decoders simply parse out the traffic as it's presented to it. If the data is there, the decoders can typically extract it as meta either natively or with some custom parsing. Obviously, it would need the data to be there first.
thank you christopher, i will do some tests by capturing data after F5
We ran into a similar issue but have solved it. The http lua parser has an options file that permits you to store the original IP from X-forwarded-for headers in either the orig_ip meta field (as text) or the alias.ip field (as IPv4). The problem with the alias.ip field is that any IPs resolved from alias.host values in the same session will be stored in alias.ip, so it's difficult to specify which alias.ip value has what role.
We wrote custom lua parsers to extract x-forwarded-for, client_ip, and cnp-true-clientip values and store them in a custom meta key (IPv4 format) called client.ip. We wrote a similar parser to extract the x-originating-ip from smtp traffic since that value was also getting added to the much crowded alias.ip field.
Let me know if you'd like me to share any of our parsers.
thanks for your reply, as i understood from you. we can configure big IP to add x-forward the original IP. if this is the situation i appreciate your offer for sharing custom parser to make a test on my network.
Retrieving data ...