decrypted tcpdump capture without using an iRule using tshark

Question

Hi Folks ,&nbsp;I have used this Article :&nbsp;https://my.f5.com/manage/s/article/K31793632Everything works well , and I could decrypt my captures but with using the manual way of collecting the Key log pms.&nbsp;but this way will take too much to export each key log for each stream so if I took two samples from Key log entries in two different ssl streams and create the pms file , I see that not whole capture be decrypted &gt;&gt;&gt; that's expected , because I haven't exported all key log entries in F5 TLS.&nbsp;In this Article there is an automated way to export Key log entries with executing one command using tshark&nbsp;utility.&nbsp;Unfortunately this tool doesn't work with bigip bash to export Key Log , it needs others UNIX environments.&nbsp;Are there any direct method to export these Key log entries or using tshark utility but not with any Linux/UNIX environments.&nbsp;Thanks&nbsp;

jrahm · Accepted Answer

i resorted to automating the whole thing:&nbsp;https://github.com/f5-rahm/pcap_utils/blob/main/TLSv1_3_captures.py
&nbsp;

ca_valli · Answer

If you need an on/off trigger for decrypted traffic, I still prefer using the iRule way instead of changing DB keys, so it just logs SSL info for the specific aplication traffic I'm troubleshooting and I can turn it off when I'm done.&nbsp;

f5_design_engineer · Answer

Hi Mohammed,
 Have you tried before using Wireshark with SSLDUMP. If not its a very good to go through these articles to get a glimpse of SSLDUMP with Wireshark
https://my.f5.com/manage/s/article/K10209
https://community.f5.com/t5/technical-articles/troubleshooting-tls-problems-with-ssldump/ta-p/277118
&nbsp;

F5's tcpdump option can decrypt PCAP data in a packet capture.&nbsp;The data can be imported into Wireshark to decrypt the data within each packet.&nbsp;

&nbsp;

To use the new functionality, add&nbsp;--f5 ssl&nbsp;to the tcpdump flags.&nbsp;This removes the
requirement for an iRule to create a Pre Master Secret file.&nbsp;

&nbsp;

To run ssldump using the&nbsp;-M&nbsp;option to create a pre-master secret key log file, you can:&nbsp;

&nbsp;

Log in to the BIG-IP command line
Perform the following procedure

SSLDUMP on the cli of the F5 can also decrypt traffic fine with the private key, for all ports.
Here is a very wonderful &amp;&amp; one of my favorite Article with all the step by step guide
https://community.f5.com/t5/technical-articles/decrypting-tls-traffic-on-big-ip/ta-p/280936
otherwise you can&nbsp;
Automate Pre Master Secret File Creation
&nbsp;
https://clouddocs.f5.com/training/community/adc/html/class4/module1/lab10.html
https://community.f5.com/t5/technical-forum/ssldump-not-working-for-client-side-decrypt-tried-everything/td-p/36489
https://community.f5.com/t5/codeshare/shortcut-script-to-easily-extract-the-pre-master-secret-from-a/ta-p/287772
You can also Search for a keyword SSLDUMP in Devcentral Articles for many more such wonderful articles and discussions
https://community.f5.com/t5/forums/searchpage/tab/message?advanced=false&amp;allow_punctuation=false&amp;q=ssldump

HTH
🙏

&nbsp;

mohamed_ahmed_kansoh · Answer

thanks CA_Valli ,&nbsp;
yes I prefer Decryption irule too.but I aimed to find a replacement and I found the DB method but it needs some facilities to obtain the PMS Key.&nbsp;

mohamed_ahmed_kansoh · Answer

Thanks alot JRahm&nbsp;

Forum Discussion

decrypted tcpdump capture without using an iRule using tshark

5 Replies

Automate Pre Master Secret File Creation

Recent Discussions

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

Related Content

Decrypting BIG-IP Packet Captures without iRules

Decrypting BIG-IP Packet Captures Automatically

Decrypt, Encrypt, Decrypt, Encrypt, Encrypt....

Decrypting TLS with the tcpdump sslprovider

Tcpdump Capture