Hi - two questions combined.Background - trying to catch and decipher tcpdump both for Client -> VIP and F5-> Pool Members traffic I'm following this tutorial: Decrypt with tcpdump --f5 sslI managed to catch the frontend traffic, but I'm struggling with creating the PMS key. I want to automate it using the provided wireshark cmd command, but I get the error:C:\Program Files\Wireshark: invalid option -- 'T'C:\Program Files\Wireshark: invalid option -- 'e'I'm using Wireshark 3.4.8 - what would be the equivalent options for my version? Unfortunately using a Linux in this environment is out of the question. I can only work on Windows stepping stone and can't send the captures to my PCSecond issue:Catching the backend traffic does not produce the F5 TLS in the pcap capture... The server ssl profile is present, but I have no idea how to force the --f5 ssl option in tcpdump to catch the keys. Will appreciate any advice - It is my second day struggling with the issue

You can decrypt TLS1.3 with iRule method but you have to use the correct iRule as here: https://clouddocs.f5.com/training/community/adc/html/class4/module1/lab12.html#decrypt-ssl-with-irule.

I have now uploaded my sycript to generate the pms file out of the tcpdump file with enabled sslprovider. This script works for all TLS versions and decrypts clientside and serverside traffic. I use this script in my daily job and I hope it could help other people also!https://github.com/JuergenMang/f5-tls-decrypt

One thing to take into account is if you have a OneConnect profile applied to the virtual server the Serverside connections could have established SSL handshakes before you take the capture and not be able to be decrypted. You have to make sure all connections on the serverside and clientside are deleted before starting the capture otherwise you may not be able to decrypt. You should also use a filter that includes the ServerSide nodes specifically and not rely on the :nnnp to gather that data if you are looking to decrypt the serverside traffic.

Hello, I usually use an iRule to log and collect secrets which I'm attaching. This saves info in plain text in LTM file, eventually you can force log rotation and manually bulk-delete all lines from this iRule in "ltm.1" file when you're done.To retrieve info and create pms file, run this from bash shell. sed -e 's/^.*\(RSA Session-ID\)/\1/;tx;d;:x' /var/log/ltm > /var/tmp/sessionsecrets.pms grep -h -o 'CLIENT_RANDOM.*' /var/log/ltm >> /var/tmp/sessionsecrets.pms To import PMS file in wireshark, Edit -> Preferences -> Protocols -> SSL => (Pre)-Master Secret log filename [Browse]

You must use tshark NOT wireshark to Automate Pre Master Secret File Creation.This solution and the solution from CA_Valli does NOT work for TLS 1.3To capture backend traffic also you must use the "-i 0.0:nnnp" option for tcpdump.But it is possible to decrypt TLS 1.3 also, you must extract following fields from the dump:CLIENT_EARLY_TRAFFIC_SECRETCLIENT_HANDSHAKE_TRAFFIC_SECRETSERVER_HANDSHAKE_TRAFFIC_SECRETCLIENT_TRAFFIC_SECRET_0SERVER_TRAFFIC_SECRET_0In my tests tshark fails to dump this correctly. My old plan is to create a GitHub repo to upload my script that extracts all pre master secrets for all tls versions.

Decrypting SSL traffic - PMS and egress

Juergen_Mang
MVP
Jul 20, 2022
I have now uploaded my sycript to generate the pms file out of the tcpdump file with enabled sslprovider. This script works for all TLS versions and decrypts clientside and serverside traffic.
I use this script in my daily job and I hope it could help other people also!
https://github.com/JuergenMang/f5-tls-decrypt
- Ichnafi
  Cirrostratus
  Mar 04, 2024
  Juergen_Mang
  thank you for sharing your script.
  Sorry to bump this old thread.
  For some reason only the client side traffic get's decrypted. Communication between LTM and nodes are still encrypted. I'm using the tcpdump command as mentioned in your github.
  Any idea?
  - David_Larsen
    Employee
    Mar 04, 2024
    One thing to take into account is if you have a OneConnect profile applied to the virtual server the Serverside connections could have established SSL handshakes before you take the capture and not be able to be decrypted. You have to make sure all connections on the serverside and clientside are deleted before starting the capture otherwise you may not be able to decrypt.
    
    You should also use a filter that includes the ServerSide nodes specifically and not rely on the :nnnp to gather that data if you are looking to decrypt the serverside traffic.
CA_Valli
MVP
Jul 20, 2022
Hello, I usually use an iRule to log and collect secrets which I'm attaching. This saves info in plain text in LTM file, eventually you can force log rotation and manually bulk-delete all lines from this iRule in "ltm.1" file when you're done.
To retrieve info and create pms file, run this from bash shell.

sed -e 's/^.*\(RSA Session-ID\)/\1/;tx;d;:x' /var/log/ltm > /var/tmp/sessionsecrets.pms grep -h -o 'CLIENT_RANDOM.*' /var/log/ltm >> /var/tmp/sessionsecrets.pms

To import PMS file in wireshark,
Edit -> Preferences -> Protocols -> SSL => (Pre)-Master Secret log filename [Browse]
irule_ssl_logger.zip0 KB
Juergen_Mang
MVP
Jul 20, 2022
You must use tshark NOT wireshark to Automate Pre Master Secret File Creation.
This solution and the solution from CA_Valli does NOT work for TLS 1.3
To capture backend traffic also you must use the "-i 0.0:nnnp" option for tcpdump.
But it is possible to decrypt TLS 1.3 also, you must extract following fields from the dump:
CLIENT_EARLY_TRAFFIC_SECRET
CLIENT_HANDSHAKE_TRAFFIC_SECRET
SERVER_HANDSHAKE_TRAFFIC_SECRET
CLIENT_TRAFFIC_SECRET_0
SERVER_TRAFFIC_SECRET_0
In my tests tshark fails to dump this correctly. My old plan is to create a GitHub repo to upload my script that extracts all pre master secrets for all tls versions.
- David_Larsen
  Employee
  Jul 20, 2022
  You can decrypt TLS1.3 with iRule method but you have to use the correct iRule as here: https://clouddocs.f5.com/training/community/adc/html/class4/module1/lab12.html#decrypt-ssl-with-irule.
StephanManthey
MVP
Jul 20, 2022
Please check this post:

Knowledge sharing: Troubleshooting/investigating SSL and HTTP issues
David_Larsen
Employee
Jul 20, 2022
You have to use the command line tshark.exe. The other gotcha here is that with Wireshark running you have to have the F5 protocols enabled under Analyze, Enabled Protocols - search for F5 and make sure all the F5 protocols are enabled, otherwise the filters in that commandline will not work properly. Once you enable the protocols in Wireshark GUI then the tshark.exe commandline has them enabled as well.
Leslie_Hubertus
Ret. Employee
Jul 26, 2022
Bartek - lots of answers here - did any of them get you where you needed to go? If yes, please make sure to mark it as an Accepted Solution so other users with your issue can quickly find help and the author gets credit. 🙂
Juergen_Mang
MVP
Mar 04, 2024
This is mostly the case, if:

tcpdump has not captured the initial tls handshake

HTTP/2 is used (the -p does not capture all http/2 streams)

Try to add the backend hosts to the filter and always reopen the browser.

Forum Discussion

Decrypting SSL traffic - PMS and egress

Recent Discussions

ports are showing open on online scanning tool

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Switch ssl profile based on weak cipher detection via IRULE

Related Content

K50557518: Decrypt SSL traffic with the SSLKEYLOGFILE...

fellow traffic

Managing Kubernetes Traffic With F5 NGINX: A Practical Guide

Air Gap Egress Inspection with SSL Intercept iApp Template

Lightboard Lessons: FireEye Egress Solutions with BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS