Forum Discussion

Livius
Sep 11, 2018

Identify a traffic capture without decryption

Hi,


I am trying to troubleshoot some packet loss and for this purpose I am tracing client-side and server-side traffic, both encrypted with SSL client and server profile. Is there any way I can follow the client-F5-server flow without decrypting? I am using :nnnp option and F5 wireshark plugin.


Thanks!


  • Hello Livius

    You will still be able to investigate the traffic but the payload will be encrypted. When capturing this traffic you can still see:

    • Frame data (encapsulation type, frame number, arrival time, frame length etc.)
    • MAC addresses
    • VLAN tags
    • IP header (source IP, source port, destination IP, destination port, sequence number etc.)
    • SSL handshake

    For some troubleshooting, that information can be enough. For instance when troubleshooting SSL cipher mismatch issues.

    But if you are troubleshooting problems which require you to look into the application payload, then you will need to decrypt the traffic.

    It isn't too tough to pull off, but it requires you to configure a new Client SSL Profile with certain settings. Then you will create a pre-master secret (PMS) which you import into Wireshark. With some cipher suites you will not be able to generate a PMS. That is why you need to create a new Client SSL profile with a new cipher suite along with some other settings. This guide, which I have used before, is really nice:

    K10209: Overview of packet tracing with the ssldump utility

    If you do not want to change the Client SSL Profile for production traffic, you can configure an iRule to change to the new Client SSL Profile based on your source IP. That way when you're troubleshooting from your own computer you will be able to decrypt the traffic.

    Here is an example of what the iRule would look like:

    when CLIENT_ACCEPTED {
        # Select the SSL profile before the handshake starts, based on the client IP.
        # IP::addr compares addresses with the "equals" operator.
        if { [IP::addr [IP::client_addr] equals "1.1.1.1"] } {
            # Troubleshooting client: use the profile whose PMS can be exported
            SSL::profile host1_profile
        } else {
            # Everyone else keeps the production profile
            SSL::profile ssl_profile2
        }
    }

    I hope this helps! Please let me know if you have any further questions 🙂
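The reply above notes that the SSL handshake stays visible in a capture even when the payload is encrypted, which is enough to spot a cipher mismatch. As an added example, not code from the original thread, this Python script parses constructed TLS 1.2 ClientHello/ServerHello records (no pcap library; it assumes minimal hello bodies without extensions) and reports either the negotiated suite or the handshake_failure alert a server returns when nothing offered is acceptable.

```python
import struct

HANDSHAKE, ALERT = 22, 21          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 1, 2  # handshake message types
HANDSHAKE_FAILURE = 40             # alert description typical of a cipher mismatch

def tls_record(content_type, payload):
    """Wrap payload in a TLS 1.2 record header (constructed test data)."""
    return bytes([content_type]) + b"\x03\x03" + len(payload).to_bytes(2, "big") + payload

def handshake_msg(msg_type, body):
    """Handshake header: type(1) + length(3), then the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def client_hello(suites):
    """Minimal ClientHello body: version, random, empty session id, suites, null compression."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    return b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"

def server_hello(suite):
    """Minimal ServerHello body: version, random, empty session id, chosen suite, compression."""
    return b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"

def parse_hello(record):
    """Return (msg_type, hello_body) from a handshake record; raise on any other record type."""
    ctype, _ver, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("record is not a handshake")
    hs = record[5:5 + length]
    return hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]

def hello_ciphers(msg_type, body):
    """Cipher suites from a hello body; skips version, random and the variable session id."""
    off = 2 + 32
    off += 1 + body[off]                       # session id length byte plus session id
    if msg_type == SERVER_HELLO:               # ServerHello carries exactly one suite
        return [struct.unpack("!H", body[off:off + 2])[0]]
    n = struct.unpack("!H", body[off:off + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(off + 2, off + 2 + n, 2)]

def check_cipher_negotiation(client_rec, server_rec):
    """Classify a cleartext hello exchange: (offered_suites, chosen_suite, alert_description)."""
    offered = hello_ciphers(*parse_hello(client_rec))
    if server_rec[0] == ALERT:                 # alert body is level(1) + description(1)
        return offered, None, server_rec[6]
    chosen = hello_ciphers(*parse_hello(server_rec))[0]
    if chosen not in offered:
        raise ValueError("server chose a suite the client never offered")
    return offered, chosen, None

if __name__ == "__main__":
    # Constructed samples: one successful negotiation, one server rejecting the offer.
    c = tls_record(HANDSHAKE, handshake_msg(CLIENT_HELLO, client_hello([0xC02F, 0xC030])))
    print(check_cipher_negotiation(c, tls_record(HANDSHAKE, handshake_msg(SERVER_HELLO, server_hello(0xC030)))))
    print(check_cipher_negotiation(c, tls_record(ALERT, bytes([2, HANDSHAKE_FAILURE]))))
```

Feed it the first client-side and server-side handshake records from each leg of the capture to compare what the client offered the BIG-IP with what the BIG-IP offered the pool member.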