Forum Discussion
Bartek
Cirrus
CirrusDecrypting SSL traffic - PMS and egress
Hi - two questions combined. Background - trying to catch and decipher tcpdump both for Client -> VIP and F5-> Pool Members traffic I'm following this tutorial: Decrypt with tcpdump --f5 ssl I ma...
Juergen_Mang
MVP
MVPI have now uploaded my sycript to generate the pms file out of the tcpdump file with enabled sslprovider. This script works for all TLS versions and decrypts clientside and serverside traffic.
I use this script in my daily job and I hope it could help other people also!
IchnafiCirrostratus
thank you for sharing your script.
Sorry to bump this old thread.
For some reason only the client side traffic get's decrypted. Communication between LTM and nodes are still encrypted. I'm using the tcpdump command as mentioned in your github.
Any idea?
David_LarsenEmployee
One thing to take into account is if you have a OneConnect profile applied to the virtual server the Serverside connections could have established SSL handshakes before you take the capture and not be able to be decrypted. You have to make sure all connections on the serverside and clientside are deleted before starting the capture otherwise you may not be able to decrypt.
You should also use a filter that includes the ServerSide nodes specifically and not rely on the :nnnp to gather that data if you are looking to decrypt the serverside traffic.
- Ichnafi
Hi,
thank you for your input.
Sadly it does not work.
- did check if any tcp connection exists for this VS
- used a fresh browser
- no oneconnect profile
- no http/2
- added node IPs to tcpdump filter
- one can see complete TCP and SSL handshake between LTM and node in the capture
The LTM still uses a rather old version (15.1), so maybe it's an issue there?