Forum Discussion

rafaelbn
Sep 11, 2020
Solved

Tcpdump and v15.1.x. --f5 ssl and the -p flag

Hello Devs! How's everybody doing?

I was wondering if it's safe (as in it's working properly and dumping the captures correctly) to use tcpdump with the --f5 ssl and p flags?

For example: A standard virtual-server on 192.168.1.1 port 443. Client-ssl profile and server-ssl profiles enabled. No SNAT is in place.

I would capture traffic from client 10.0.0.1 like this:

tcpdump -nni 0.0:nnnp host 10.0.0.1 -s0 --f5 ssl -w /shared/tmp/client_issue.pcap -v

My understanding is that with the 0.0:nnnp flag, BIG-IP will mark every flow that this traffic generates to be captured. And the --f5 ssl flag will take note of the CLIENT_RANDOM aspect of both client-side and server-side TLS (since this virtual-server has both client-ssl and server-ssl).

Has anybody used this technique? I read about it on a devcentral article by Rodrigo Albuquerque: https://devcentral.f5.com/s/articles/Decrypting-TLS-traffic-on-BIG-IP

I tested in my lab and it seems to be working. I actually tested with ECDHE, EDH and RSA key-exchange. All worked as expected. The thing is that I heard some people saying that this --f5 ssl might not be production ready.

Has anyone used and approved this method?

Cheers, Rafael.

  • As stated in our man page for tcpdump the "--f5 ssl" flag should be used with caution and only for troubleshooting.

    I think everyone has a unique approach to capturing data and there are many ways to accomplish the same task so there really isn't an "approved" method, if the syntax you're using meets your goal and functions then you're set. For example you can also use an iRule to gather client_random and master keys to the same end.

    # Logs the TLS secrets of one client's handshakes in the two key-log line
    # formats that Wireshark reads. Replace client_IP_addr with the client IP
    # of interest (it is a placeholder, not a valid iRule token as written).
    when CLIENTSSL_HANDSHAKE {
    	# getfield strips a route-domain suffix (e.g. 10.0.0.1%1) before the compare.
    	if { [IP::addr [getfield [IP::client_addr] "%" 1] equals client_IP_addr] } {
    		# "RSA Session-ID:<id> Master-Key:<secret>" line, keyed on the session ID
    		log local0. "[TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
    		log local0. "CLIENT_Side_IP:TCP source port: [IP::client_addr]:[TCP::remote_port]"
    		# "CLIENT_RANDOM <client random> <master secret>" line, keyed on the client random
    		log local0. "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"
    	}
    }

    Using the "ssl" option captures additional information related to the SSL/TLS connections, such as master secrets.  This enables some packet capture analysis tools to decrypt the SSL/TLS payload in the captured packets. Use only as needed for troubleshooting purposes, and handle captured data with caution.
     
    For the "ssl" provider to work, the DB variable tcpdump.sslprovider needs to be set to "enable". Additionally, the ssl provider cannot be used in Common Criteria mode. Common Criteria mode is controlled by the DB variable security.commoncriteria.
    --f5   Specify the providers that debug information is needed from.

           all gets debug from every provider.

           none turns off debug from every provider.

           <provider1>:<provider1-option>,<provider2>:<provider2-option> can be used to enable debug information from those providers only, and provider specific options can be supplied to those providers.

           Noise Provider

           "--f5 n" enables noise (low, medium and high). "--f5 n:z" turns off all noise.

           ePVA Provider

           "--f5 epva:hwoff" enables debug information related to hardware offloading from the ePVA provider.

           "--f5 epva:sc" enables debug information related to syncookies from the ePVA provider.

           "--f5 epva:all" enables all debug information from the ePVA provider.

           SSL Provider

           Using the "ssl" option captures additional information related to the SSL/TLS connections, such as master secrets. This enables some packet capture analysis tools to decrypt the SSL/TLS payload in the captured packets. Use only as needed for troubleshooting purposes, and handle captured data with caution.

           For the "ssl" provider to work, the DB variable tcpdump.sslprovider needs to be set to "enable". Additionally, the ssl provider cannot be used in Common Criteria mode. Common Criteria mode is controlled by the DB variable security.commoncriteria.

           "--f5 ssl" enables debug information related to ssl/tls secrets (like master secrets) and randoms (like client random).

           "--f5 ssl:v" enables additional debug information related to other lesser used secrets (like tls1.3 exporter secret) and other lesser used data (like session id).

           Example of using multiple providers

           "--f5 n,epva:all" gets debug from the 'noise' and 'epva' providers. The noise provider is supplied with no options, so it works with its default options. The epva provider is supplied with the 'all' option.

    expression
           selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.

           For the expression syntax, see pcap-filter(7).

           The expression argument can be passed to tcpdump as either a single Shell argument, or as multiple Shell arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, such as backslashes used to escape protocol names, it is easier to pass it as a single, quoted argument rather than to escape the Shell metacharacters. Multiple arguments are concatenated with spaces before being parsed.
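An added example (my own code, not from the thread or from F5) that turns the lines the reply's iRule writes to /var/log/ltm into a Wireshark key log file, keeping only well-formed entries and collapsing repeats. The sample log lines, their syslog prefix and the hex values are constructed placeholders, not real secrets.

```python
import re

# Constructed sample of /var/log/ltm lines as the reply's iRule would emit them
# (syslog prefix assumed). Hex values are placeholders, not real TLS secrets.
# The last line is deliberately malformed to show that it is dropped.
SAMPLE_LTM_LOG = """\
Sep 11 10:15:01 bigip1 info tmm[12345]: Rule /Common/tls_keylog <CLIENTSSL_HANDSHAKE>: 51234 :: RSA Session-ID:{sid} Master-Key:{ms}
Sep 11 10:15:01 bigip1 info tmm[12345]: Rule /Common/tls_keylog <CLIENTSSL_HANDSHAKE>: CLIENT_Side_IP:TCP source port: 10.0.0.1:51234
Sep 11 10:15:01 bigip1 info tmm[12345]: Rule /Common/tls_keylog <CLIENTSSL_HANDSHAKE>: CLIENT_RANDOM {cr} {ms}
Sep 11 10:15:02 bigip1 info tmm[12345]: Rule /Common/tls_keylog <CLIENTSSL_HANDSHAKE>: CLIENT_RANDOM {cr} {ms}
Sep 11 10:15:03 bigip1 info tmm[12345]: Rule /Common/tls_keylog <CLIENTSSL_HANDSHAKE>: CLIENT_RANDOM deadbeef 0011
""".format(sid="11" * 32, ms="cd" * 48, cr="ab" * 32)

# TLS 1.2 sizes: client random = 32 bytes (64 hex), master secret = 48 bytes
# (96 hex), session ID up to 32 bytes. Wireshark ignores a CLIENT_RANDOM line
# whose fields have the wrong length, so the regexes enforce the sizes here.
HEX = "[0-9a-fA-F]"
CLIENT_RANDOM_RE = re.compile(rf"CLIENT_RANDOM ({HEX}{{64}}) ({HEX}{{96}})\b")
RSA_SESSION_RE = re.compile(rf"RSA Session-ID:({HEX}{{2,64}}) Master-Key:({HEX}{{96}})\b")


def extract_keylog(log_lines):
    """Return key-log entries found in the LTM log lines, first-seen order, deduplicated.

    The iRule logs once per handshake, and resumed sessions repeat the same
    secret, so duplicates are collapsed; malformed entries are skipped.
    """
    seen, out = set(), []
    for line in log_lines:
        m = CLIENT_RANDOM_RE.search(line)
        if m:
            entry = f"CLIENT_RANDOM {m.group(1).lower()} {m.group(2).lower()}"
        else:
            m = RSA_SESSION_RE.search(line)
            if not m:
                continue
            entry = f"RSA Session-ID:{m.group(1).lower()} Master-Key:{m.group(2).lower()}"
        if entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


def write_keylog(path, log_lines):
    """Write the extracted entries to `path` (point Wireshark's key log setting at it)."""
    entries = extract_keylog(log_lines)
    with open(path, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    return len(entries)


if __name__ == "__main__":
    for entry in extract_keylog(SAMPLE_LTM_LOG.splitlines()):
        print(entry)
```

Treat the resulting file like the capture itself: it decrypts every session it lists.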

2 Replies
