Decrypt with tcpdump --f5 ssl

Beginning with BIG-IP v15.x, tcpdump has an option that removes the need for an iRule to produce a Pre Master Secret file for TLS decryption: the master secrets are written into the capture itself. Note that BIG-IP can only supply secrets for TLS sessions it terminates (client-ssl and server-ssl profiles); passthrough TLS is still opaque. To use it, do the following:

  1. Enable the tcpdump.sslprovider db variable (and set it back to disable once you are done, so later captures no longer carry secrets):

    tmsh modify sys db tcpdump.sslprovider value enable
  2. Now, when you take a packet capture, add --f5 ssl to the end of your command, like this:

    tcpdump -nni 0.0:nnnp -s0 -w /var/tmp/hackazon-ssl.pcap host --f5 ssl

    Notice that tcpdump prints a warning: the Master Secret is copied into the capture itself, so anyone who holds the pcap can decrypt the TLS sessions in it. Be careful with whom you share such a capture.

  3. Once you have the packet capture, you also need to enable the F5 TLS protocol in Wireshark:

    1. Go to Analyze, Enabled Protocols.

    2. Search for F5 and check F5 TLS.

  4. Now you can expand the F5 TLS section on any packet that matches the display filter 'f5ethtrailer.tls.keylog'.

  5. Right-click the keylog field, choose Copy, then Value. This puts the keylog value on your clipboard, and you can build a Pre Master Secret Log file by hand:

  6. Copy every keylog value, one per instance, if you want to decrypt the whole file. Otherwise, copy only the values from the streams you are specifically looking for.

  7. After you create it, the Pre Master Secret file will look similar to this (one keylog line per session, in the NSS key log format Wireshark expects):

  8. You can also automate this by doing the following:

  9. Open your packet capture in Wireshark and set the display filter 'f5ethtrailer.tls.keylog'.

  10. Click on File, Export Packet Dissections, As JSON.

  11. In the Packet Range, select Displayed and All Packets, give the file a name, and click Save.

  12. Now copy the JSON file to a Linux system (your BIG-IP will do) and run the following command. The whole jq filter is quoted so the shell does not try to expand it, and note that >> appends, so remove any stale session.pms first if you want a clean file:

    jq -r '.[]._source.layers.f5ethtrailer."f5ethtrailer.tls"."f5ethtrailer.tls.keylog"' <json file> >> /var/tmp/session.pms
  13. However you created the Pre Master Secret file, it can now be used in Wireshark to decrypt the traffic, following the instructions on the next page.
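As an added example (not part of the original page and not F5 tooling), the following Python script performs the same extraction as the jq one-liner in steps 9 to 12 and also produces the hand-built file of step 7. It walks the same JSON path, tolerates the keylog field appearing as either a string or a list (an assumption about how Wireshark exports a repeated field), rejects entries that do not look like NSS key log lines, and de-duplicates, since the same session's secret can appear in several packets. The JSON sample is constructed with fake hex values, and the script name f5keylog.py and the output path are assumptions.

```python
"""Turn a Wireshark JSON export of 'f5ethtrailer.tls.keylog' packets into an
NSS key log file that Wireshark can load as its (Pre)-Master-Secret log."""
import json
import os
import re
import sys

# An NSS key log line: <LABEL> <client random, 32 bytes hex> <secret, hex>.
# BIG-IP writes CLIENT_RANDOM entries (TLS 1.2 master secret); the pattern is
# kept generic so TLS 1.3 labels such as SERVER_TRAFFIC_SECRET_0 pass as well.
NSS_LINE = re.compile(r"^[A-Z0-9_]+ [0-9a-fA-F]{64} [0-9a-fA-F]+$")


def keylog_values(packets):
    """Yield every f5ethtrailer.tls.keylog value from Wireshark's JSON export.

    Same path as the jq filter: _source.layers.f5ethtrailer."f5ethtrailer.tls"
    ."f5ethtrailer.tls.keylog". A packet carrying several entries is assumed
    to show the field as a JSON list, so both a string and a list are accepted.
    """
    for pkt in packets:
        layers = pkt.get("_source", {}).get("layers", {})
        tls = layers.get("f5ethtrailer", {}).get("f5ethtrailer.tls", {})
        value = tls.get("f5ethtrailer.tls.keylog")
        if value is None:
            continue
        for entry in (value if isinstance(value, list) else [value]):
            yield entry.strip()


def build_keylog(export_json):
    """Return (lines, rejected): well-formed entries de-duplicated in order of
    first appearance, and the entries that did not look like NSS key log lines."""
    seen, lines, rejected = set(), [], []
    for entry in keylog_values(json.loads(export_json)):
        if not NSS_LINE.match(entry):
            rejected.append(entry)
        elif entry not in seen:
            seen.add(entry)
            lines.append(entry)
    return lines, rejected


# Constructed sample: two packets from one session (duplicate secret), one
# packet without a keylog field, and one packet with two entries, one of them
# garbage. All hex values are fake.
SAMPLE_EXPORT = json.dumps([
    {"_source": {"layers": {"f5ethtrailer": {"f5ethtrailer.tls": {
        "f5ethtrailer.tls.keylog": "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48}}}}},
    {"_source": {"layers": {"f5ethtrailer": {"f5ethtrailer.tls": {
        "f5ethtrailer.tls.keylog": "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48}}}}},
    {"_source": {"layers": {"f5ethtrailer": {}}}},
    {"_source": {"layers": {"f5ethtrailer": {"f5ethtrailer.tls": {
        "f5ethtrailer.tls.keylog": ["CLIENT_RANDOM " + "cc" * 32 + " " + "dd" * 48,
                                    "CLIENT_RANDOM deadbeef"]}}}}},
])


if __name__ == "__main__":
    # Usage: python f5keylog.py <wireshark export.json> [session.pms]
    # Without arguments it runs against the constructed sample above.
    src = sys.argv[1] if len(sys.argv) > 1 else None
    out = sys.argv[2] if len(sys.argv) > 2 else "/var/tmp/session.pms"
    data = open(src).read() if src else SAMPLE_EXPORT
    lines, rejected = build_keylog(data)
    # The file holds live session secrets: create it owner-only and overwrite.
    fd = os.open(out, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    print(f"{len(lines)} unique entries written to {out}, {len(rejected)} rejected")
```

Run it against the exported JSON and point Wireshark's (Pre)-Master-Secret log filename at the resulting file. Rejected entries are worth inspecting: they usually mean the export was filtered differently than expected, or the field layout in your Wireshark version differs from the path above.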

Now follow this link, instead of clicking Next, to see how to import the Pre Master Secret file into Wireshark: