
How do I decrypt pcaps from the selfIP to Pool members for health monitor traffic?

K2
Nimbostratus

I can apply an iRule and decrypt pcaps for a conversation with a client to virtual server and the server-side, but cannot find any documentation on how to get the Pre Master Secret keys for a health monitor conversation.

5 REPLIES

I am not aware of any way but maybe you could enable logging under a pool member and see what you want?

https://support.f5.com/csp/article/K12531

https://support.f5.com/csp/article/K13522220

I'm running V14.1.5.1, so to the best of my knowledge "sys db tcpdump.sslprovider" is not available. Thanks anyway.

Paulius
MVP

@K2 Your best bet is to capture the traffic and save it to a file using the following link.

https://support.f5.com/csp/article/K411

Once you have the file saved, transfer it to your PC/laptop/server and decrypt the traffic using Wireshark and the following link.

https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/

I don't believe you can really do this any other way that is clean.

In general good information, but the question here is how to get that key log file information. For a health monitor you don't really seem to have a way.

You can just do curl with the same content. Else perhaps have a look at the server logs?
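
As an added example (not from any poster in this thread or from F5): one way to follow the curl suggestion above is to replay the monitor's request from a host whose curl build honours `SSLKEYLOGFILE`, confirm that secrets were actually written, and hand the key log to tshark. The URL, Host header and file names are placeholders, and the request originates from that host rather than from the BIG-IP self IP.

```shell
#!/bin/sh
# Added example: replay a monitor-style HTTPS request and keep the TLS secrets.
# Assumptions: curl is built against a TLS library that honours SSLKEYLOGFILE,
# tshark is Wireshark 3.x or later, and all addresses and names are placeholders.

# Send the same request the monitor sends; secrets land in KEYLOG.
# usage: replay_monitor KEYLOG URL HOST_HEADER
replay_monitor() {
    keylog=$1; url=$2; host=$3
    # The key log decrypts the whole session, so create it owner-only.
    ( umask 077; : > "$keylog" )
    # --insecure mirrors a probe that does not validate the member's
    # certificate; drop it when the CA chain is available on this host.
    SSLKEYLOGFILE="$keylog" curl --silent --show-error --insecure \
        --max-time 5 --header "Host: $host" --header "Connection: close" \
        --output /dev/null "$url"
}

# Count usable NSS key log lines: LABEL <64 hex client random> <hex secret>.
# A count of 0 after a successful request means this curl build ignored
# SSLKEYLOGFILE and the capture cannot be decrypted with this file.
# usage: keylog_entries KEYLOG
keylog_entries() {
    grep -Ec '^[A-Z0-9_]+ [0-9A-Fa-f]{64} [0-9A-Fa-f]+$' "$1" || true
}

# Show the decrypted HTTP exchange from a capture taken during the replay.
# usage: decrypt_capture PCAP KEYLOG
decrypt_capture() {
    tshark -r "$1" -o "tls.keylog_file:$2" -Y http
}

# Typical sequence (placeholder values, run while tcpdump is capturing):
#   replay_monitor ./monitor.keys "https://POOL_MEMBER_IP:443/MONITOR_PATH" "HOST_HEADER"
#   [ "$(keylog_entries ./monitor.keys)" -gt 0 ] || echo "no secrets logged"
#   decrypt_capture ./monitor.pcap ./monitor.keys
```

Remove the key log file once the analysis is finished, since anyone holding it together with the capture can read the session.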