Forum Discussion

rafaelbn
Sep 11, 2020
Solved

Tcpdump and v15.1.x. --f5 ssl and the -p flag

Hello Devs! How's everybody doing? I was wondering if it's safe (as in it's working properly and dumping the captures correctly) to use tcpdump with the --f5 ssl and -p flags? For example: A standar...
  • Andrew-F5
    Sep 15, 2020

    As stated in our man page for tcpdump, the "--f5 ssl" flag should be used with caution and only for troubleshooting.

    I think everyone has a unique approach to capturing data, and there are many ways to accomplish the same task, so there really isn't an "approved" method; if the syntax you're using meets your goal and functions, then you're set. For example, you can also use an iRule to gather the client random and master keys to the same end.

    # Log the TLS session secrets for handshakes from one client address.
    # client_IP_addr is a placeholder: replace it with the client IP you are troubleshooting.
    # getfield strips any "%<route-domain>" suffix from the client address before comparing.
    when CLIENTSSL_HANDSHAKE {
        if { [IP::addr [getfield [IP::client_addr] "%" 1] equals client_IP_addr] } {
            log local0. "[TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
            log local0. "CLIENT_Side_IP:TCP source port: [IP::client_addr]:[TCP::remote_port]"
            # Same layout as a Wireshark key log entry: CLIENT_RANDOM <client random> <master secret>
            log local0. "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"
        }
    }
    Using the "ssl" option captures additional information related to the SSL/TLS connections, such as master secrets.  This enables some packet capture analysis tools to decrypt the SSL/TLS payload in the captured packets. Use only as needed for troubleshooting purposes, and handle captured data with caution.
     
    For the "ssl" provider to work, the DB variable tcpdump.sslprovider needs to be set to "enable". Additionally, the ssl provider cannot be used in Common Criteria mode. Common Criteria mode is controlled by the DB variable security.commoncriteria.

    --f5   Specify the providers that debug information is needed from.

           all gets debug from every provider.

           none turns off debug from every provider.

           <provider1>:<provider1-option>,<provider2>:<provider2-option> can be used to enable debug information from those providers only, and provider specific options can be supplied to those providers.

           Noise Provider

           "--f5 n" enables noise (low, medium and high). "--f5 n:z" turns off all noise.

           ePVA Provider

           "--f5 epva:hwoff" enables debug information related to hardware offloading from the ePVA provider.

           "--f5 epva:sc" enables debug information related to syncookies from the ePVA provider.

           "--f5 epva:all" enables all debug information from the ePVA provider.

           SSL Provider

           Using the "ssl" option captures additional information related to the SSL/TLS connections, such as master secrets. This enables some packet capture analysis tools to decrypt the SSL/TLS payload in the captured packets. Use only as needed for troubleshooting purposes, and handle captured data with caution.

           For the "ssl" provider to work, the DB variable tcpdump.sslprovider needs to be set to "enable". Additionally, the ssl provider cannot be used in Common Criteria mode. Common Criteria mode is controlled by the DB variable security.commoncriteria.

           "--f5 ssl" enables debug information related to ssl/tls secrets (like master secrets) and randoms (like client random).

           "--f5 ssl:v" enables additional debug information related to other lesser used secrets (like tls1.3 exporter secret) and other lesser used data (like session id).

           Example of using multiple providers

           "--f5 n,epva:all" gets debug from the 'noise' and 'epva' providers. The noise provider is supplied with no options, so it works with its default options. The epva provider is supplied with the 'all' option.

    expression
           selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.

           For the expression syntax, see pcap-filter(7).

           The expression argument can be passed to tcpdump as either a single Shell argument, or as multiple Shell arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, such as backslashes used to escape protocol names, it is easier to pass it as a single, quoted argument rather than to escape the Shell metacharacters. Multiple arguments are concatenated with spaces before being parsed.