Forum Discussion
decrypted tcpdump capture without using an iRule using tshark
Hi Folks , I have used this Article : https://my.f5.com/manage/s/article/K31793632 Everything works well , and I could decrypt my captures but with using the manual way of collecting the Key l...
i resorted to automating the whole thing: https://github.com/f5-rahm/pcap_utils/blob/main/TLSv1_3_captures.py
Hi Mohammed,
Have you tried before using Wireshark with SSLDUMP. If not its a very good to go through these articles to get a glimpse of SSLDUMP with Wireshark
https://my.f5.com/manage/s/article/K10209
https://community.f5.com/t5/technical-articles/troubleshooting-tls-problems-with-ssldump/ta-p/277118
F5's tcpdump option can decrypt PCAP data in a packet capture. The data can be imported into Wireshark to decrypt the data within each packet.
To use the new functionality, add
--f5 ssl to the tcpdump flags. This removes the
requirement for an iRule to create a Pre Master Secret file.
To run ssldump using the
-M option to create a pre-master secret key log file, you can:
- Log in to the BIG-IP command line
- Perform the following procedure
SSLDUMP on the cli of the F5 can also decrypt traffic fine with the private key, for all ports.
Here is a very wonderful && one of my favorite Article with all the step by step guide
https://community.f5.com/t5/technical-articles/decrypting-tls-traffic-on-big-ip/ta-p/280936
otherwise you can
Automate Pre Master Secret File Creation
https://clouddocs.f5.com/training/community/adc/html/class4/module1/lab10.html
You can also Search for a keyword SSLDUMP in Devcentral Articles for many more such wonderful articles and discussions
HTH
🙏