Forum Discussion
Wireshark not displaying application data for tcpdump using ssldump
Hello everyone
I have been testing SSLdump and I have ran into what seems to be a Wireshark problem but I'm not sure.
I have added a custom Client SSL Profile to exclude Diffie-Hellman algorithms using the following Cipher Option:
NATIVE:!DH:!EDH:!DHE:!ADH:!ECDHE
I have also adjusted the Cache Size to 0 sessions and Cache Timeout to 1 seconds so that we do not cache anything.
During the SSL Handshake we select the TLS_RSA_WITH_AES_256_CBC_SHA256 and when running the SSLdump command I get entries in the PMS log AND I can see decrypted data.
When I launch Wireshark and check the tcpdump + load the PMS I do not see any difference at all. When I check the follow SSL Stream I can see the decrypted data that I saw in the SSLdump.
But the thing is I want to see the packets in the packet list so I can follow the SYN/ACK packets with the GET requests. But I do not see any GET requests at all.
I noticed that when I have not added the PMS key I do not have any packet that states "Application Data" and I believe here is the problem. Here is how it looks when reviewing an F5 technician doing it:
No PMS:
With PMS:
Here is how my output looks (No PMS):
The output I can see in my ssldump is this:
1 10 1476792858.7953 (0.0006) C>SV3.3(336) application_data
---------------------------------------------------------------
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: sv-SE
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: [Hidden]
Connection: Keep-Alive
Cache-Control: no-cache
So there are application data but Wireshark does not want to display it in the Packet List.
I'm currently running: * Wireshark - Version 1.12.5 (v1.12.5-0-g5819e5b from master-1.12) * F5: 12.1.0 Build: 0.0.1434
I'm running the exact same tcpdump command as the F5 engineer.
You guys got any idea on how to display the packets in the Packet List?
- jgranieriNimbostratus
if you are trying to use the private key in wireshark and then decrypt the conversation it will not work if you are using DH keys.
with DH the session key is never be transmitted so you won't be able to intercept it and use it for decryption in wireshark
- james_lee_31100Nimbostratus
You should check tcp handshake at the end, it seems the conversation end normally, otherwise you will get reset after change cipher spec. I would suggest run wireshark on another computer and test it out. at this stage, you don't need f5 plugin.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com