The connection table is a great way to find any6 entries to see the who/what is connecting to a f5. It will also show or demonstrate connections that are not decided on and show you what TMM has that connection.
e.g ( a typical f5 conn output )
show sys connection | grep any6
10.75.2.69:56138 126.96.36.199:443 any6.any any6.any tcp 48 (tmm: 1) none
188.8.131.52:61190 184.108.40.206:443 any6.any any6.any tcp 1 (tmm: 1) none
220.127.116.11:53284 18.104.22.168:443 any6.any any6.any tcp 0 (tmm: 1) none
22.214.171.124:9744 126.96.36.199:443 any6.any any6.any tcp 59 (tmm: 1) none
188.8.131.52:62514 184.108.40.206:443 any6.any any6.any tcp 5 (tmm: 1) none
220.127.116.11:61928 18.104.22.168:443 any6.any any6.any tcp 0 (tmm: 1) none
show the above output shows numerous connection lated as "any6.any" and they are all TCP.
You could get creative and do a geoip lookup by using maxmind or unix geoip-bin and look for location and client types for trending.
ISP name, Continnet, Country,etc...
So armed with geoip database details you could now investigate as security analyst if these address are repetitional bad or known bot or C&Cs,etc...
Keep in mind, connections that are no authenticated or have a final disposition could trigger a any6.any connection state and it's not always a sign of something "bad"
NOTE: These connections are also show as no handler in the show sys tmp-traffic details if they are actually drop.
With in the APM sessions, until a user has started the authentication process, you will not known the "username" for obvious reasons.
examples ( unknown username and geo & no geo-info )
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
=( @ @ )=