decrypted tcpdump capture without using an iRule using tshark
Hi Folks,
I have used this article: https://my.f5.com/manage/s/article/K31793632
Everything works well, and I could decrypt my captures, but using the manual way of collecting the key log PMS.
But this way takes too much time to export each key log entry for each stream. So if I take two samples from the key log entries in two different SSL streams and create the PMS file, I see that not the whole capture is decrypted >>> that's expected, because I haven't exported all key log entries in F5 TLS.
In this article there is an automated way to export key log entries by executing one command using the tshark utility.
Unfortunately this tool doesn't work in BIG-IP bash to export the key log; it needs other UNIX environments.
Is there any direct method to export these key log entries, or to use the tshark utility, without any Linux/UNIX environment?
Thanks
I resorted to automating the whole thing: https://github.com/f5-rahm/pcap_utils/blob/main/TLSv1_3_captures.py
If you need an on/off trigger for decrypted traffic, I still prefer using the iRule way instead of changing DB keys, so it just logs SSL info for the specific application traffic I'm troubleshooting and I can turn it off when I'm done.
Thanks CA_Valli,
Yes, I prefer the decryption iRule too.
But I aimed to find a replacement and I found the DB method, but it needs some facilities to obtain the PMS key.
Hi Mohammed,
Have you tried using Wireshark with SSLDUMP before? If not, it's very good to go through these articles to get a glimpse of SSLDUMP with Wireshark:
https://my.f5.com/manage/s/article/K10209
https://community.f5.com/t5/technical-articles/troubleshooting-tls-problems-with-ssldump/ta-p/277118
F5's tcpdump option can decrypt PCAP data in a packet capture. The data can be imported into Wireshark to decrypt the data within each packet. To use the new functionality, add --f5 ssl to the tcpdump flags. This removes the requirement for an iRule to create a Pre-Master Secret file. To run ssldump using the -M option to create a pre-master secret key log file, you can:
- Log in to the BIG-IP command line
- Perform the following procedure
SSLDUMP on the cli of the F5 can also decrypt traffic fine with the private key, for all ports.
Here is a very wonderful article, one of my favorites, with a step-by-step guide:
https://community.f5.com/t5/technical-articles/decrypting-tls-traffic-on-big-ip/ta-p/280936
Otherwise you can automate Pre-Master Secret file creation:
https://clouddocs.f5.com/training/community/adc/html/class4/module1/lab10.html
You can also search for the keyword SSLDUMP in DevCentral articles for many more such wonderful articles and discussions.
HTH
🙏
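The original question and the last reply both come down to the same step: collecting every key log entry from a capture into one pre-master secret file, so that Wireshark decrypts all streams instead of only the ones whose entries were copied by hand. The script below is an added example, not code from the thread, from F5, or from the linked pcap_utils project. It assumes you already have raw key log text (either lines copied by hand from the capture, or the output of a tshark field export as in the K31793632 article, where several entries from one packet are assumed to be joined by commas), and it validates each entry against the NSS key log format Wireshark expects, drops malformed and duplicate entries, and reports how many distinct TLS sessions the resulting file covers. The function names and the sample input are constructed for this example.

```python
import re
from typing import List, Tuple

# Labels Wireshark accepts in an NSS key log (SSLKEYLOGFILE) file, mapped to
# the hex lengths a valid secret may have. CLIENT_RANDOM carries a 48-byte
# TLS 1.2 master secret (96 hex chars); the TLS 1.3 labels carry a
# hash-length secret (32 or 48 bytes depending on the cipher suite).
KEYLOG_LABELS = {
    "CLIENT_RANDOM": (96,),
    "CLIENT_EARLY_TRAFFIC_SECRET": (64, 96),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (64, 96),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (64, 96),
    "CLIENT_TRAFFIC_SECRET_0": (64, 96),
    "SERVER_TRAFFIC_SECRET_0": (64, 96),
    "EXPORTER_SECRET": (64, 96),
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def split_field_output(text: str) -> List[str]:
    """Split raw export text into candidate entries.

    Assumption: a tshark -T fields export joins several occurrences of the
    key log field within one packet with commas, so we split on both
    newlines and commas and drop empty pieces.
    """
    entries = []
    for line in text.splitlines():
        for chunk in line.split(","):
            chunk = chunk.strip()
            if chunk:
                entries.append(chunk)
    return entries


def validate_entry(entry: str) -> Tuple[bool, str]:
    """Check one entry against the NSS key log format; return (ok, reason)."""
    fields = entry.split()
    if len(fields) != 3:
        return False, "expected 3 whitespace-separated fields"
    label, client_random, secret = fields
    if label not in KEYLOG_LABELS:
        return False, f"unknown label {label}"
    if len(client_random) != 64 or not HEX.match(client_random):
        return False, "client random must be 32 bytes of hex"
    if len(secret) not in KEYLOG_LABELS[label] or not HEX.match(secret):
        return False, f"secret length {len(secret)} not valid for {label}"
    return True, ""


def build_keylog(raw: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (accepted key log lines, [(rejected entry, reason), ...]).

    Entries are normalised to lowercase hex and de-duplicated on
    (label, client random), since the same session's entry can appear in
    more than one captured packet.
    """
    seen = set()
    accepted, rejected = [], []
    for entry in split_field_output(raw):
        ok, reason = validate_entry(entry)
        if not ok:
            rejected.append((entry, reason))
            continue
        label, client_random, secret = entry.split()
        key = (label, client_random.lower())
        if key in seen:
            continue
        seen.add(key)
        accepted.append(f"{label} {client_random.lower()} {secret.lower()}")
    return accepted, rejected


def count_sessions(lines: List[str]) -> int:
    """Number of distinct TLS sessions (client randoms) the key log covers."""
    return len({line.split()[1] for line in lines})


def write_keylog(lines: List[str], path: str) -> None:
    """Write the merged key log; point Wireshark's (Pre)-Master-Secret log at it."""
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")


# Constructed sample export: two sessions, one duplicate, one comma-joined
# packet with two TLS 1.3 entries, one truncated secret, one unknown label.
SAMPLE = "\n".join([
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,  # same session twice
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32
    + "," + "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "ee" * 10,  # truncated secret
    "PRE_MASTER_SECRET " + "44" * 32 + " " + "ff" * 48,  # not a key log label
])

if __name__ == "__main__":
    ok_lines, bad = build_keylog(SAMPLE)
    print(f"{len(ok_lines)} entries kept, covering {count_sessions(ok_lines)} sessions")
    for entry, reason in bad:
        print(f"rejected: {reason}: {entry[:40]}...")
    write_keylog(ok_lines, "keylog.txt")
```

Running it on the sample keeps four entries for two sessions and rejects two; a real capture that still shows undecrypted streams after loading the merged file usually means the export missed those sessions' entries (compare the session count against the number of distinct Client Hellos in the capture), not that the file format is wrong.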