Wireshark not displaying application data for tcpdump using ssldump
Hello everyone I have been testing SSLdump and I have ran into what seems to be a Wireshark problem but I'm not sure. I have added a custom Client SSL Profile to exclude Diffie-Hellman algorithms using the following Cipher Option: NATIVE:!DH:!EDH:!DHE:!ADH:!ECDHE I have also adjusted the Cache Size to 0 sessions and Cache Timeout to 1 seconds so that we do not cache anything. During the SSL Handshake we select the TLS_RSA_WITH_AES_256_CBC_SHA256 and when running the SSLdump command I get entries in the PMS log AND I can see decrypted data. When I launch Wireshark and check the tcpdump + load the PMS I do not see any difference at all. When I check the follow SSL Stream I can see the decrypted data that I saw in the SSLdump. But the thing is I want to see the packets in the packet list so I can follow the SYN/ACK packets with the GET requests. But I do not see any GET requests at all. I noticed that when I have not added the PMS key I do not have any packet that states "Application Data" and I believe here is the problem. Here is how it looks when reviewing an F5 technician doing it: No PMS: With PMS: Here is how my output looks (No PMS): The output I can see in my ssldump is this: 1 10 1476792858.7953 (0.0006) C>SV3.3(336) application_data --------------------------------------------------------------- GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: sv-SE User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: [Hidden] Connection: Keep-Alive Cache-Control: no-cache So there are application data but Wireshark does not want to display it in the Packet List. I'm currently running: * Wireshark - Version 1.12.5 (v1.12.5-0-g5819e5b from master-1.12) * F5: 12.1.0 Build: 0.0.1434 I'm running the exact same tcpdump command as the F5 engineer. You guys got any idea on how to display the packets in the Packet List?
Wireshark F5 Plugin - Unable to locate file
The last couple of hours I've spent attempting to install the F5 plugin for Wireshark. The directions I've followed are on this DevCentral article. Here's where I am at: 1) Downloaded the Wireshark source tarball. 2) Extracted the file. Step 3 says to extract the files in the F5 package, but there is no F5 package there. I have a wireshark-plugin.f5ethtrailer.bin.1.11.zip file I downloaded from DevCentral, but that's not what is being asked for I don't believe. There's a comment in the Notes section that says the following: When compiling on Windows, you need to pretty much build the entire WS distro due to the way Windows handles DLLs. For Linux (and I believe Mac, but I’m not sure), you can get the sources all setup, add in the plugin source, run configure and then run make only in the plugins/f5ethtrailer directory This makes me believe I need to uninstall and reinstall Wireshark entirely. Is that so? Not sure what I'm doing wrong here. Any help would be appreciated!
Hello, DevCentral! New F5 DevCentral member saying hi (DevOps)
Hey guys, I'd like to introduce myself as a new F5 DevCentral team member and to say I'm very happy to be part of this outstanding community. I've been working for F5 (based in the UK) for over 4 years and mostly for our Engineering department where I gained experience with a variety of technology: SSL/TLS, HTTP, HTTP/2, OSPF/BGP, Cloud and DevOps. I'm specifically more focused on DevOps content here so feel free to let me know if there is any topic you'd like to be covered or any ideas suggestion. Also, don't hesitate to reach out to me ! :) Cheers. RodrigoBest methods to co-relate the client and server side flows
Team, based on a captured pcap where both client and server side conversations have been captured, could you recommend the best ways to correlate which client side TCP stream for example relates with the TCP stream client side. I am aware of the flow ID and peer ID usage when using F5Trailer and -nnn but have found on some occasions that the relation is incorrect (e.g. F5 sends RST to Client claiming RST on remote server but server side connection was properly closed), even F5 TAC has mentioned that -p also gives wrong result sometimes. So I am looking for definite ways without replying heavily on the F5 Eth trailers, at present I am filtering using one serverside stream and then going forward on the stream +1 and so on till I see some matching like RST occurring on both Client and Server end on wireshark eg. tcp.stream == 10 or tcp.stream == 12
f5 tcp parameters
Hello All, I have issue where I see no response from f5 VIP(SYN_ACK) to client SYN. Per my understanding, f5 creates session one towards client and another session with pool member. I have taken packet capture f5 -> Pool member and I could not correlate packets between f5-> pool member with client -> f5 VIP, which session correlates with which back end session(no SNAT). Unfortunately, I don't have CLI Access to F5 to run tcpdump, using remote packet filter tool to get captures. Which tcp parameters are common between client -> f5 vip and f5 -> pool member to follow tcp stream ?
Resumed SSL session and decryption
Hi, I tried to figure out if there is a way to decrypt resumed SSL session in Wireshark if first session with full SSL handshake (including pre-master key exchange) is not captured. Seems that it's not possible even when pre-master secret was captured via ssldump. But maybe I am doing something wrong? Scenario: tcpdump used to capture first session with full SSL Handshake ssldump used to extract pre-maset secret to the file Wireshark is capturing traffic including first session - everything is encrypted pre-master secret file configured in Wireshark - traffic decrypted, including following resumed sessions (same is true when private key is configured in Wireshark) New capture in Wireshark performed Client and server are still resuming SSL session (same SessionID reported in ClientHello) - no traffic decrypted. Is above correct? I assumed that when original pre-master secret is know to Wireshark it can generate master key and use it for resumed sessions even without seeing original full SSL Handshake. Am I missing something here? Is that just limitation of Wireshark or it is not technically possible at all to decrypt resumed session knowing original pre-master key. Sure I am talking about RSA non ephemeral cipher suites, in this case Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Piotr
Resumed SSL session and decryption
Hi, I tried to figure out if there is a way to decrypt resumed SSL session in Wireshark if first session with full SSL handshake (including pre-master key exchange) is not captured. Seems that it's not possible even when pre-master secret was captured via ssldump. But maybe I am doing something wrong? Scenario: tcpdump used to capture first session with full SSL Handshake ssldump used to extract pre-maset secret to the file Wireshark is capturing traffic including first session - everything is encrypted pre-master secret file configured in Wireshark - traffic decrypted, including following resumed sessions (same is true when private key is configured in Wireshark) New capture in Wireshark performed Client and server are still resuming SSL session (same SessionID reported in ClientHello) - no traffic decrypted. Is above correct? I assumed that when original pre-master secret is know to Wireshark it can generate master key and use it for resumed sessions even without seeing original full SSL Handshake. Am I missing something here? Is that just limitation of Wireshark or it is not technically possible at all to decrypt resumed session knowing original pre-master key. Sure I am talking about RSA non ephemeral cipher suites, in this case Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Piotr
MAC-address of physical interface where only a HB-VLAN is assigned seen in Wireshark for user-traffic
During troubleshooting in Wireshark I noticed that the destination MAC-address of an incoming packet is the one of physical interface 1.1, whereas the source MAC-address of the same packet in the outgoing context is the one of the correct VLAN. For your information: it's running on 11.5.4 HF2 1.1 & 1.2 as a LACP-Trunk with just one VLAN for heartbeat, sync and mirroring 1.3 - 1.6 as a LACP-Trunk with all required user VLANs we are also using Route Domains Now the question, is this somehow normal? Where does this come from and what does this mean? How can I further analyze this or do you need any more details? Thank you! Ciao Stefan :)
