Decrypting BIG-IP Packet Captures Automatically
Back in April, I released the first of hopefully many tools (Automating Packet Captures on BIG-IP) that will assist those responsible for responding to all those directed "It's the BIG-IP!" and "It...
Published Jan 04, 2023
Version 1.0
JRahm
Admin
Juergen_Mang
MVP
Jan 17, 2023
> Nice! The system variable sys db tcpdump.sslprovider is a great feature for the new 15.x versions and above
Right, and with my tool shared last July you can also decrypt TLS 1.3. There is no requirement for the iRule anymore.
I am wondering if my tool can be integrated and if I can use editcap to inject the session secrets as done here.
I will try it and post my findings. For reference: https://community.f5.com/t5/codeshare/decrypting-tls-with-the-tcpdump-sslprovider/ta-p/298680
Edit: Unfortunately, the editcap tool installed on the F5 has no "--inject-secrets" option, but if you use it on your local PC with Wireshark installed, it also works with the pms file generated by my tool.