Hi - two questions combined.
Background - trying to catch and decipher tcpdump both for Client -> VIP and F5 -> Pool Members traffic.
I'm following this tutorial: Decrypt with tcpdump --f5 ssl
I managed to catch the frontend traffic, but I'm struggling with creating the PMS key. I want to automate it using the provided wireshark cmd command, but I get the error:
C:\Program Files\Wireshark: invalid option -- 'T'
C:\Program Files\Wireshark: invalid option -- 'e'
I'm using Wireshark 3.4.8 - what would be the equivalent options for my version? Unfortunately using Linux in this environment is out of the question. I can only work on a Windows stepping stone and can't send the captures to my PC.
Catching the backend traffic does not produce the F5 TLS in the pcap capture... The server ssl profile is present, but I have no idea how to force the --f5 ssl option in tcpdump to catch the keys.
Will appreciate any advice - it is my second day struggling with the issue.
Hello, I usually use an iRule to log and collect secrets, which I'm attaching. This saves the info in plain text in the LTM log file; eventually you can force log rotation and manually bulk-delete all lines from this iRule in the "ltm.1" file when you're done.
To retrieve the info and create the PMS file, run this from a bash shell:
sed -e 's/^.*\(RSA Session-ID\)/\1/;tx;d;:x' /var/log/ltm > /var/tmp/sessionsecrets.pms
grep -h -o 'CLIENT_RANDOM.*' /var/log/ltm >> /var/tmp/sessionsecrets.pms
To import the PMS file in Wireshark:
Edit -> Preferences -> Protocols -> SSL => (Pre)-Master Secret log filename [Browse]
You must use tshark, NOT wireshark, to automate Pre-Master Secret file creation.
This solution and the solution from CA_Valli does NOT work for TLS 1.3
To capture backend traffic also you must use the "-i 0.0:nnnp" option for tcpdump.
But it is possible to decrypt TLS 1.3 also, you must extract following fields from the dump:
In my tests tshark fails to dump this correctly. My old plan is to create a GitHub repo to upload my script that extracts all pre-master secrets for all TLS versions.
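As an added example (not code from any of the posters, nor F5's own tooling): a small Python script that does the same job as the sed/grep pair from the iRule answer above for the RSA Session-ID and CLIENT_RANDOM log lines, and also accepts the TLS 1.3 secret labels of the NSS key log format that Wireshark reads, so one file covers all TLS versions. The log prefix in the sample is constructed; real lines only need to contain the secret text somewhere on the line.

```python
import re

# Regexes for the key log line shapes Wireshark's (Pre)-Master-Secret log reader
# accepts. Hex lengths are fixed: client random 32 bytes (64 hex), TLS 1.2 master
# secret 48 bytes (96 hex), TLS 1.3 secrets 32 or 48 bytes depending on the hash.
HEX = r"[0-9A-Fa-f]"
RSA_RE = re.compile(rf"RSA Session-ID:({HEX}{{1,64}}) Master-Key:({HEX}{{96}})(?!{HEX})")
TLS12_RE = re.compile(rf"(CLIENT_RANDOM) ({HEX}{{64}}) ({HEX}{{96}})(?!{HEX})")
TLS13_LABELS = ("CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET")
TLS13_RE = re.compile(rf"({'|'.join(TLS13_LABELS)}) ({HEX}{{64}}) "
                      rf"({HEX}{{96}}|{HEX}{{64}})(?!{HEX})")


def extract_keylog(log_text):
    """Return de-duplicated NSS key log lines found anywhere in log_text.

    Lines with no recognisable secret, or whose hex values have the wrong
    length (e.g. a truncated log line), are skipped rather than copied.
    """
    seen, out = set(), []
    for line in log_text.splitlines():
        m = RSA_RE.search(line)
        if m:
            entry = f"RSA Session-ID:{m.group(1)} Master-Key:{m.group(2)}"
        else:
            m = TLS12_RE.search(line) or TLS13_RE.search(line)
            if not m:
                continue
            entry = " ".join(m.groups())
        if entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


# Constructed sample: an iRule-logged RSA line and a CLIENT_RANDOM line in the style
# of /var/log/ltm, two TLS 1.3 lines, a truncated line and a duplicate.
_R, _M, _S = "ab" * 32, "cd" * 48, "ef" * 32
SAMPLE_LOG = "\n".join([
    f"Jan 1 12:00:00 bigip info tmm[1]: Rule /Common/log_secrets: RSA Session-ID:{_R} Master-Key:{_M}",
    f"Jan 1 12:00:01 bigip info tmm[1]: Rule /Common/log_secrets: CLIENT_RANDOM {_R} {_M}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {_R} {_S}",
    f"SERVER_TRAFFIC_SECRET_0 {_R} {_S}",
    f"CLIENT_RANDOM {_R} deadbeef",   # truncated secret: skipped
    f"CLIENT_RANDOM {_R} {_M}",       # duplicate: emitted once
])

if __name__ == "__main__":
    # Writes a file you can point Wireshark's (Pre)-Master-Secret log filename at.
    with open("sessionsecrets.pms", "w") as fh:
        fh.write("\n".join(extract_keylog(SAMPLE_LOG)) + "\n")
```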
You have to use the command line tshark.exe. The other gotcha here is that, with Wireshark running, you have to have the F5 protocols enabled under Analyze -> Enabled Protocols: search for F5 and make sure all the F5 protocols are enabled, otherwise the filters in that command line will not work properly. Once you enable the protocols in the Wireshark GUI, the tshark.exe command line has them enabled as well.
I have now uploaded my script to generate the PMS file out of the tcpdump file with the sslprovider enabled. This script works for all TLS versions and decrypts clientside and serverside traffic.
I use this script in my daily job and I hope it could help other people also!