Back in April, I released the first of hopefully many tools (Automating Packet Captures on BIG-IP) that will assist those responsible for responding to all those directed "It's the BIG-IP!" and "It's the network!" accusations. In this article, I expand on that work by adding automatic decryption to the toolbelt.
Changes and Enhancements
The previous tool was focused on gathering support files for a case. It requested a virtual server name, a source IP for capturing test traffic, and a case number, which was used in naming the packet capture, session keys, and qkview files. For this tool, I stripped out the qkview and case-related steps to focus on just taking a capture against a virtual server. I retained the source IP for test traffic, though I might create another version that captures all sessions as well.
For enhancements, I have two minor changes and one major change. First, the tool now asks for a capture duration, so you can specify how many seconds the capture should run; second, it asks for additional capture filters, which are applied on top of the filter for the virtual server's host IP.
Third, the major change: the tool uses the logged session keys and the encrypted packet capture to generate a decrypted version of the capture. This requires that Wireshark is installed on your system and that the installation also included the editcap command-line utility, which is what embeds the keys in the capture file. Keep in mind that the decrypted capture carries the session secrets themselves, so handle it with the same care as the key file.
There is an alternative to the iRule-based key logging that uses a database key and a tcpdump flag to include the keys in the capture itself, instead of having to glean them from log statements.
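As an added example (not code from the article's tool or from F5), here is a small Python helper covering the log-gleaning step and the editcap step described above: it pulls well-formed CLIENT_RANDOM entries out of raw log output, writes them as a key log file, and hands that file to `editcap --inject-secrets` to produce a pcapng that Wireshark decrypts without a separate key file. The sample log lines, the iRule name and the file paths are constructed for illustration.

```python
import re
import shlex
import shutil
import subprocess

# NSS key log line: CLIENT_RANDOM <32-byte client random> <48-byte master secret>,
# both hex. This is the format Wireshark and editcap consume for TLS 1.2 decryption.
KEY_RE = re.compile(r"\b(CLIENT_RANDOM)\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]{96})\b")


def extract_keys(log_text: str) -> list[str]:
    """Return the distinct, well-formed key log entries found in raw log output.

    Syslog and iRule prefixes are stripped, duplicate entries (the same handshake
    logged twice) are collapsed, and truncated or otherwise malformed lines are
    dropped so they cannot corrupt the key log file.
    """
    seen: set[str] = set()
    keys: list[str] = []
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m is None:
            continue
        entry = f"{m.group(1)} {m.group(2).lower()} {m.group(3).lower()}"
        if entry not in seen:
            seen.add(entry)
            keys.append(entry)
    return keys


def write_keylog(keys: list[str], path: str) -> int:
    """Write one entry per line; returns the number of entries written."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(keys) + "\n")
    return len(keys)


def editcap_argv(capture: str, keylog: str, output: str) -> list[str]:
    """Build the editcap command that embeds the key log in the capture as a
    Decryption Secrets Block. Secrets can only live in pcapng, so force it."""
    return ["editcap", "-F", "pcapng", "--inject-secrets", f"tls,{keylog}",
            capture, output]


def decrypt_capture(capture: str, keylog: str, output: str) -> str:
    """Run editcap; raises if it is missing or fails. The output file now
    carries the session secrets, so protect it like the key file itself."""
    if shutil.which("editcap") is None:
        raise RuntimeError("editcap not found: install Wireshark with its CLI tools")
    argv = editcap_argv(capture, keylog, output)
    print("+", shlex.join(argv))
    subprocess.run(argv, check=True)
    return output


# Constructed sample of what iRule log statements might look like in /var/log/ltm.
# Hostname, rule name and key material are made up for this example.
SAMPLE_LOG = "\n".join([
    "Jun 30 10:15:01 bigip1 info tmm[12345]: Rule /Common/log_session_keys "
    f"<CLIENTSSL_HANDSHAKE>: CLIENT_RANDOM {'ab' * 32} {'cd' * 48}",
    "Jun 30 10:15:01 bigip1 info tmm[12345]: Rule /Common/log_session_keys "
    f"<CLIENTSSL_HANDSHAKE>: CLIENT_RANDOM {'ab' * 32} {'cd' * 48}",  # duplicate
    "Jun 30 10:15:02 bigip1 info tmm[12345]: Rule /Common/log_session_keys "
    f"<CLIENTSSL_HANDSHAKE>: CLIENT_RANDOM {'12' * 32} {'34' * 48}",
    "Jun 30 10:15:03 bigip1 info tmm[12345]: Rule /Common/log_session_keys "
    f"<CLIENTSSL_HANDSHAKE>: CLIENT_RANDOM {'ef' * 32} {'01' * 40}",  # truncated
    "Jun 30 10:15:04 bigip1 notice mcpd[4321]: unrelated log line",
])

if __name__ == "__main__":
    keys = extract_keys(SAMPLE_LOG)
    print(f"{write_keylog(keys, 'case.keys')} key entries written")
    try:
        decrypt_capture("case.pcap", "case.keys", "case-decrypted.pcapng")
    except (RuntimeError, subprocess.CalledProcessError) as exc:
        print(f"decryption skipped: {exc}")
```

Two notes on the design: the strict hex-length match is what keeps a truncated or interleaved log line from producing an entry Wireshark silently ignores, and it only covers the CLIENT_RANDOM label; a TLS 1.3 key log uses per-secret labels such as CLIENT_HANDSHAKE_TRAFFIC_SECRET, so the pattern would need extending for that case.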
We'll take a look at numbers 1 and 2 in this list in an upcoming live coding session. If you aren't a registered member here on DevCentral, make that happen and watch for the details in the DevCentral Connects group.