This article describes two ways to perform a typical network administrator task: collection and analysis of encrypted network traffic.
In both cases, the necessary tools are:
a. Wireshark – packet analyzer, one of the basic tools for the network administrator’s work,
b. TCPDump – a tool for collecting network packets. In the case of BIG-IP systems, the tool is pre-installed and available to the administrator after logging into F5 BIG-IP via SSH (in bash mode).
The first method of traffic decryption is described in detail in the F5 documentation which can be found here: https://support.f5.com/csp/article/K31793632
Note: TMOS version 15.0.0 or newer is required
a. Configuration of the sys db tcpdump.sslprovider system variable, which allows you to create data necessary to decrypt packets in Wireshark
tmsh modify sys db tcpdump.sslprovider value enable
The change is assumed to be safe and should not impact traffic; however, on production or heavily loaded systems this parameter should be edited during a maintenance window.
b. Collecting the specific traffic and saving it to a .pcap file using TCPDump:
tcpdump -s0 -nni 0.0:nnn --f5 ssl host -vw /var/tmp/decrypt.pcap
Note: The .pcap files collected using the command mentioned above contain information related to the SSL/TLS session. Take caution when sharing such files.
c. Using the tshark tool, prepare the Pre-Master Secret Log file:
tshark -r decrypt.pcap -Y f5ethtrailer.tls.keylog -Tfields -e f5ethtrailer.tls.keylog | sed 's/,/\n/g' > ./pre_master_log.pms
Note: tshark should not be run directly on BIG-IP; use another Linux/Unix or Windows host with tshark installed.
The file prepared in this way should then be transferred to the workstation on which Wireshark is installed.
d. If possible, disable SSL/TLS data collection in packets collected by TCPDump:
tmsh modify sys db tcpdump.sslprovider value disable
e. Wireshark preparation:
1) Analyze tab -> Enabled Protocols -> select F5 TLS*
2) Manually creating the pre_master_log.pms file:
Load the file for analysis and enter f5ethtrailer.tls.keylog in the filter field
In the first packet found, expand the details: Packet Details > F5 Ethernet Trailer Protocol > F5 TLS
Copy the "Keylog entry:" value to a new file named pre_master_log.pms (this exact name is required and cannot be different)
Repeat the extraction of the "Keylog entry:" value for each subsequent session to be analyzed
3) Load the pre_master_log.pms file into the Wireshark configuration:
Edit tab > Preferences > Protocols > TLS
4) If the procedure is carried out correctly, the recorded traffic has been decrypted and is ready for further analysis.
The second method involves creating a dedicated Virtual Server (VS) and an iRule that redirects traffic from the selected VS to it, so that the traffic can be captured in decrypted form.
The advantage of this method is its simplicity and reusability: once prepared, the configuration can be used many times.
1. Preparation of the VS that will decrypt the traffic:
Name: e.g. DECRYPT_VS – it is important to use the same name in iRule,
Destination Address/Mask: e.g. 184.108.40.206 – any, but must not collide with other addresses used in the network
Service Port: 443
Protocol Profile (Client): f5-tcp-lan
HTTP Profile (Client): http
SSL Profile (Client): none
SSL Profile (Server): same as for VS whose traffic is to be decrypted,
VLANs and Tunnels: Enabled on… > Selected: empty list,
Source Address Translation: Auto Map,
Pool: same as for VS whose traffic is to be decrypted
2. Prepare an iRule (e.g. DECRYPT_IRULE) to redirect traffic:
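An iRule of the kind step 2 refers to, attached to the VS whose traffic is to be decrypted, as an added example that is not the article's own code; DECRYPT_VS is the VS name from step 1, and the client address 192.0.2.10 used to limit the redirection is an assumption.

```tcl
# Added example iRule (not from the article). Attach it to the VS whose
# traffic is to be decrypted. DECRYPT_VS is the dedicated VS from step 1;
# the client address 192.0.2.10 is an assumed test client.
when CLIENT_ACCEPTED {
    # Only redirect sessions from the client under analysis, so that all
    # other production traffic keeps its normal path through this VS.
    if { [IP::client_addr] equals "192.0.2.10" } {
        set decrypt 1
    } else {
        set decrypt 0
    }
}
when HTTP_REQUEST {
    if { $decrypt } {
        # This VS has already decrypted the request with its client SSL
        # profile. Handing it to DECRYPT_VS, which has no client SSL profile,
        # makes the hop to DECRYPT_VS plaintext; DECRYPT_VS re-encrypts
        # towards the pool with its server SSL profile. A tcpdump filtered
        # on the DECRYPT_VS address therefore captures readable HTTP.
        log local0. "Redirecting [IP::client_addr] [HTTP::host][HTTP::uri] to DECRYPT_VS"
        virtual DECRYPT_VS
    }
}
```

Remove the iRule from the VS once the capture is complete, since every matching session is redirected through DECRYPT_VS while it remains attached.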
3. After preparing VS and iRule, collect traffic using TCPDump:
E.g. tcpdump -v -s0 -nni 0.0:nnn host 220.127.116.11 -w /var/tmp/
Thank you for reading our article! 😉