I managed to catch the frontend traffic, but I'm struggling with creating the PMS key. I want to automate it using the provided wireshark cmd command, but I get the error:
I'm using Wireshark 3.4.8 - what would be the equivalent options for my version? Unfortunately using a Linux in this environment is out of the question. I can only work on Windows stepping stone and can't send the captures to my PC
Second issue:
Catching the backend traffic does not produce the F5 TLS in the pcap capture... The server ssl profile is present, but I have no idea how to force the --f5 ssl option in tcpdump to catch the keys.
Will appreciate any advice - It is my second day struggling with the issue
Hello, I usually use an iRule to log and collect secrets which I'm attaching. This saves info in plain text in LTM file, eventually you can force log rotation and manually bulk-delete all lines from this iRule in "ltm.1" file when you're done.
To retrieve info and create pms file, run this from bash shell.
You must use tshark NOT wireshark to Automate Pre Master Secret File Creation.
This solution and the solution from CA_Valli does NOT work for TLS 1.3
To capture backend traffic also you must use the "-i 0.0:nnnp" option for tcpdump.
But it is possible to decrypt TLS 1.3 also, you must extract following fields from the dump:
CLIENT_EARLY_TRAFFIC_SECRET
CLIENT_HANDSHAKE_TRAFFIC_SECRET
SERVER_HANDSHAKE_TRAFFIC_SECRET
CLIENT_TRAFFIC_SECRET_0
SERVER_TRAFFIC_SECRET_0
In my tests tshark fails to dump this correctly. My old plan is to create a GitHub repo to upload my script that extracts all pre master secrets for all tls versions.
You have to use the command line tshark.exe. The other gotcha here is that with Wireshark running you have to have the F5 protocols enabled under Analyze, Enabled Protocols - search for F5 and make sure all the F5 protocols are enabled, otherwise the filters in that commandline will not work properly. Once you enable the protocols in Wireshark GUI then the tshark.exe commandline has them enabled as well.
I have now uploaded my sycript to generate the pms file out of the tcpdump file with enabled sslprovider. This script works for all TLS versions and decrypts clientside and serverside traffic.
I use this script in my daily job and I hope it could help other people also!
@Bartek - lots of answers here - did any of them get you where you needed to go? If yes, please make sure to mark it as an Accepted Solution so other users with your issue can quickly find help and the author gets credit. 🙂
