Decrypt with tcpdump --f5 ssl

Beginning with BIG-IP v15.x, tcpdump has an option that removes the need for an iRule to create a Pre Master Secret file. A Pre Master Secret file holds the TLS session secrets needed to decrypt the packet data in a capture; it can be imported into Wireshark to decrypt the data within each packet. To use it, do the following:

  1. SSH into the BIG-IP01 box using PuTTY.

  2. Enable the tcpdump.sslprovider db variable:

    tmsh modify sys db tcpdump.sslprovider value enable
    
  3. Now, when you take a packet capture, add --f5 ssl to the end of your command, like this:

    tcpdump -nni 0.0:nnn -s0 -w /var/tmp/hackazon-ssl.pcap host 10.1.20.103 --f5 ssl
    

    Note

    Notice that we get a warning message: the Master Secret is copied into the tcpdump capture itself, so anyone who obtains the capture file can decrypt the traffic in it. Be careful with whom you share such a capture.

  4. Now that the packet capture is running open Chrome and click on the Hackazon link and browse around the website.

  5. Stop the packet capture with Ctrl + C.

  6. Start WinSCP from the jumpbox and copy the hackazon-ssl.pcap file from the /var/tmp directory.

  7. Open Wireshark and open the hackazon-ssl.pcap file.

  8. Once we have the packet capture we will also need to enable the F5 TLS protocols in Wireshark:

    1. Go to Analyze, Enable Protocols:

      ../../_images/enable-protocols.jpeg

    2. Search for F5 and check F5 TLS:

      ../../_images/enable-f5tls.jpeg

  9. Apply the following filter in Wireshark: f5ethtrailer.tls.keylog

  10. Now expand the F5 Ethernet Trailer Protocol, then F5 TLS on any of the packets.

  11. If you right-click the Keylog entry and select Copy, then Value, the keylog value is placed in your clipboard and you can manually build a Pre Master Secret Log file:

    ../../_images/keylogvalue.png

  12. Open a Notepad document, paste the clipboard value into it and save it as session.pms. You would need to do this for every packet that has the f5ethtrailer.tls.keylog value, which could take a long time.

  13. After it is created, the Pre Master Secret file will look similar to this:

    ../../_images/presecretfile.png

Automate Pre Master Secret File Creation

  1. Open a Command Prompt in your RDP Session. Run the following command:

    "c:\Program Files\Wireshark"\tshark.exe -r c:\users\user\Documents\hackazon-ssl.pcap -Y "f5ethtrailer.tls.keylog" -T fields -e f5ethtrailer.tls.keylog >> c:\users\user\Documents\session.pms
    

    Note

    The command has the format: tshark.exe -r <packet capture file> -Y "f5ethtrailer.tls.keylog" -T fields -e f5ethtrailer.tls.keylog >> <file to write to>

    -Y sets a display filter (only packets carrying a keylog entry are kept), -T fields selects field output, and -e names the field whose values are pulled from each matching packet.

  2. However you created the Pre Master Secret file, it can now be used in Wireshark to decrypt the traffic, following the instructions on the next page.
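The tshark command above appends raw field values straight into session.pms, so duplicate entries, empty values and packets carrying more than one keylog value all end up in the file as-is. The following script is an added example (not part of the lab or of F5's tooling) that runs the same tshark extraction, validates each value against the NSS key log format that Wireshark reads (assumed here to be `CLIENT_RANDOM <64 hex> <96 hex>`), drops duplicates and writes a clean file. It also assumes tshark joins multiple occurrences of a field in one packet with commas, its default aggregator.

```python
"""Build a clean Wireshark key log file from tshark's f5ethtrailer.tls.keylog output.

Added example, not the lab's own code. Assumes keylog values are in NSS key log
format ("CLIENT_RANDOM <64 hex> <96 hex>") and that tshark joins multiple field
occurrences in one packet with commas (its default aggregator).
"""
import re
import subprocess
import sys

# One NSS key log entry: label, 32-byte client random, 48-byte master secret (hex).
KEYLOG_RE = re.compile(r"^CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96}$")


def parse_keylog_lines(lines):
    """Return (entries, malformed) from raw tshark output lines.

    Empty values are skipped, malformed values are collected for reporting,
    and duplicates are dropped so Wireshark is not fed the same entry twice.
    """
    seen, entries, malformed = set(), [], []
    for raw in lines:
        for value in raw.strip().split(","):  # tshark's default field aggregator
            value = value.strip()
            if not value:
                continue
            if not KEYLOG_RE.match(value):
                malformed.append(value)
                continue
            if value not in seen:
                seen.add(value)
                entries.append(value)
    return entries, malformed


def extract_keylog(pcap_path, tshark="tshark"):
    """Run the same tshark command as the lab and return its output lines."""
    cmd = [tshark, "-r", pcap_path, "-Y", "f5ethtrailer.tls.keylog",
           "-T", "fields", "-e", "f5ethtrailer.tls.keylog"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    pcap, target = sys.argv[1], sys.argv[2]  # e.g. hackazon-ssl.pcap session.pms
    entries, malformed = parse_keylog_lines(extract_keylog(pcap))
    with open(target, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    print(f"wrote {len(entries)} entries to {target}; skipped {len(malformed)} malformed")
```

On the jumpbox, point `tshark` at the full path used in the lab (`c:\Program Files\Wireshark\tshark.exe`) if it is not on PATH.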