rafaelbn
Sep 11, 2020 (Cirrostratus)
Solved
Tcpdump and v15.1.x. --f5 ssl and the -p flag
Hello Devs! How's everybody doing? I was wondering if it's safe (as in it's working properly and dumping the captures correctly) to use tcpdump with the --f5 ssl and -p flags? For example: A standar...
- Sep 15, 2020
As stated in our man page for tcpdump, the "--f5 ssl" flag should be used with caution and only for troubleshooting.
I think everyone has a unique approach to capturing data, and there are many ways to accomplish the same task, so there really isn't an "approved" method; if the syntax you're using meets your goal and functions, then you're set. For example, you can also use an iRule to gather the client_random and master keys to the same end.
```tcl
when CLIENTSSL_HANDSHAKE {
    # Only log for the one client being troubleshot. getfield strips a
    # route-domain suffix (e.g. 10.0.0.1%2) before the comparison.
    # client_IP_addr is a placeholder for the client's IP address.
    if { [IP::addr [getfield [IP::client_addr] "%" 1] equals client_IP_addr] } {
        log local0. "[TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
        log local0. "CLIENT_Side_IP:TCP source port: [IP::client_addr]:[TCP::remote_port]"
        # Same layout as a Wireshark key log line: CLIENT_RANDOM <random> <master secret>
        log local0. "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"
    }
}
```
Using the "ssl" option captures additional information related to the SSL/TLS connections, such as master secrets. This enables some packet capture analysis tools to decrypt the SSL/TLS payload in the captured packets. Use only as needed for troubleshooting purposes, and handle captured data with caution. For the "ssl" provider to work, the DB variable tcpdump.sslprovider needs to be set to "enable". Additionally, the ssl provider cannot be used in Common Criteria mode. Common Criteria mode is controlled by the DB variable security.commoncriteria.
--f5 <providers>
    Specify the providers that debug information is needed from. "all" gets debug from every provider. "none" turns off debug from every provider. <provider1>:<provider1-option>,<provider2>:<provider2-option> can be used to enable debug information from those providers only, and provider-specific options can be supplied to those providers.

    Noise Provider
        "--f5 n" enables noise (low, medium and high).
        "--f5 n:z" turns off all noise.

    ePVA Provider
        "--f5 epva:hwoff" enables debug information related to hardware offloading from the ePVA provider.
        "--f5 epva:sc" enables debug information related to syncookies from the ePVA provider.
        "--f5 epva:all" enables all debug information from the ePVA provider.

    SSL Provider
        Using the "ssl" option captures additional information related to the SSL/TLS connections, such as master secrets. This enables some packet capture analysis tools to decrypt the SSL/TLS payload in the captured packets. Use only as needed for troubleshooting purposes, and handle captured data with caution. For the "ssl" provider to work, the DB variable tcpdump.sslprovider needs to be set to "enable". Additionally, the ssl provider cannot be used in Common Criteria mode. Common Criteria mode is controlled by the DB variable security.commoncriteria.
        "--f5 ssl" enables debug information related to ssl/tls secrets (like master secrets) and randoms (like client random).
        "--f5 ssl:v" enables additional debug information related to other lesser used secrets (like tls1.3 exporter secret) and other lesser used data (like session id).

    Example of using multiple providers
        "--f5 n,epva:all" gets debug from the 'noise' and 'epva' providers. The noise provider is supplied with no options, so it works with its default options. The epva provider is supplied with the 'all' option.

expression
    Selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.

    For the expression syntax, see pcap-filter(7). The expression argument can be passed to tcpdump as either a single Shell argument, or as multiple Shell arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, such as backslashes used to escape protocol names, it is easier to pass it as a single, quoted argument rather than to escape the Shell metacharacters. Multiple arguments are concatenated with spaces before being parsed.
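The iRule in the answer above logs a "CLIENT_RANDOM <client random> <master secret>" line per handshake, which is the same layout Wireshark reads from a key log file for TLS 1.2 and earlier (TLS 1.3 uses different key log labels, which the iRule does not emit). The script below is an added example, not code from the original post or from F5: it pulls those lines out of the BIG-IP log, validates the hex lengths so a truncated or mangled log line cannot poison the key log, de-duplicates repeated handshakes, and writes a file Wireshark can load. It assumes the iRule's `log local0.` output lands in /var/log/ltm in the usual syslog layout; the sample lines embedded below are constructed, not real captures.

```python
"""Build a Wireshark key log from the CLIENT_RANDOM lines an iRule writes to /var/log/ltm.

Added example; not part of the original post or of F5's tcpdump/iRule code.
Assumes the iRule's `log local0.` lines land in /var/log/ltm and carry the
literal token sequence "CLIENT_RANDOM <client-random-hex> <master-secret-hex>".
"""
import re
import sys

# Wireshark key log format for TLS 1.2 and earlier:
#   CLIENT_RANDOM <32-byte client random as hex> <48-byte master secret as hex>
CLIENT_RANDOM_HEX_LEN = 64
MASTER_SECRET_HEX_LEN = 96

KEYLOG_RE = re.compile(r"\bCLIENT_RANDOM\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)")

# Constructed sample /var/log/ltm lines (not real captures). Line 2 repeats
# line 1 (the same handshake logged twice); line 3 carries a truncated secret
# so the length check rejects it; line 4 is one of the iRule's other log lines.
GOOD_RANDOM = "ab" * 32
GOOD_SECRET = "cd" * 48
_PREFIX = "Sep 15 10:00:01 bigip1 info tmm[1234]: Rule /Common/ssl_keylog <CLIENTSSL_HANDSHAKE>: "
SAMPLE_LTM_LINES = [
    f"{_PREFIX}CLIENT_RANDOM {GOOD_RANDOM} {GOOD_SECRET}",
    f"{_PREFIX}CLIENT_RANDOM {GOOD_RANDOM} {GOOD_SECRET}",
    f"{_PREFIX}CLIENT_RANDOM {'ef' * 32} {'01' * 10}",
    f"{_PREFIX}CLIENT_Side_IP:TCP source port: 192.0.2.10:51234",
]


def extract_keylog_entries(lines):
    """Return (entries, rejected).

    entries:  de-duplicated key log lines in Wireshark's format, keyed on the
              client random (one per handshake).
    rejected: lines that matched the CLIENT_RANDOM pattern but whose hex
              lengths do not fit a client random / TLS<=1.2 master secret,
              e.g. a log line that was truncated or rate-limited mid-write.
    """
    entries, rejected, seen = [], [], set()
    for line in lines:
        m = KEYLOG_RE.search(line)
        if not m:
            continue  # session-id / client-IP lines from the iRule are ignored
        crand, secret = m.group(1).lower(), m.group(2).lower()
        if len(crand) != CLIENT_RANDOM_HEX_LEN or len(secret) != MASTER_SECRET_HEX_LEN:
            rejected.append(line.rstrip())
            continue
        if crand in seen:
            continue  # same handshake logged more than once
        seen.add(crand)
        entries.append(f"CLIENT_RANDOM {crand} {secret}")
    return entries, rejected


def write_keylog(lines, out):
    """Write key log entries to the file object `out`; return how many were written."""
    entries, rejected = extract_keylog_entries(lines)
    for entry in entries:
        out.write(entry + "\n")
    for bad in rejected:
        print(f"skipped malformed line: {bad}", file=sys.stderr)
    return len(entries)


if __name__ == "__main__":
    # Usage: python ltm_keylog.py /var/log/ltm > keys.log
    # Then in Wireshark: Preferences > Protocols > TLS > (Pre)-Master-Secret log filename
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LTM_LINES
    write_keylog(source, sys.stdout)
```

The resulting keys.log is as sensitive as the capture itself (it decrypts every session it lists), so it belongs next to the pcap under the same handling the man page asks for and should be deleted once the troubleshooting is done.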