On BIG-IP VE TMOS v12.1.2 I tested a different approach:
A "frontend" virtual server terminates SSL by using a client-ssl profile but does not re-encrypt (no server-ssl profile assigned).
Instead the "frontend" virtual server has an iRule (please see below) to forward traffic to a 2nd "internal" virtual server on the same BIG-IP device (no pool assigned):
when CLIENTSSL_HANDSHAKE {
    virtual vs_internal
}
The "internal" virtual server will re-encrypt by using a server-ssl profile to the pool of real servers.
The tcpdump will target the interface "0.0:nnn" (capturing "F5 internal noise" to be decoded by the F5 wireshark plugin) and filters on the "internal" virtual server's IP address.
Please make sure to capture the whole packet "-s 0" into the raw dump file specified by "-w" and limit the number of packets, i.e. "-c 10000":
tcpdump -i 0.0:nnn -s 0 -c 10000 -w /var/tmp/internal.001.pcap host
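The two-virtual-server layout described in this post, written out as a bigip.conf-style fragment. This is an added example, not configuration from the original post. The names rule_forward_internal, vs_frontend and pool_real_servers and all addresses are constructed placeholders; vs_internal is the name used in the iRule above, and clientssl, serverssl and tcp are the default profiles.

```tcl
# Added example: constructed names and documentation-range addresses.

# iRule from the post: hand the decrypted connection to the internal virtual server.
ltm rule rule_forward_internal {
    when CLIENTSSL_HANDSHAKE {
        virtual vs_internal
    }
}

# "Frontend": terminates SSL (client-ssl profile only), no server-ssl profile, no pool.
ltm virtual vs_frontend {
    destination 192.0.2.10:443
    ip-protocol tcp
    profiles {
        clientssl { context clientside }
        tcp { }
    }
    rules { rule_forward_internal }
}

# "Internal": receives cleartext from vs_frontend and re-encrypts
# towards the pool of real servers with a server-ssl profile.
ltm virtual vs_internal {
    destination 198.51.100.10:80
    ip-protocol tcp
    pool pool_real_servers
    profiles {
        serverssl { context serverside }
        tcp { }
    }
}

# Constructed pool of real servers reached over SSL.
ltm pool pool_real_servers {
    members {
        203.0.113.21:443 { address 203.0.113.21 }
        203.0.113.22:443 { address 203.0.113.22 }
    }
}
```

In this layout the hop between vs_frontend and vs_internal is the only place the traffic is unencrypted, so a capture filtered on the vs_internal address (198.51.100.10 in this constructed example) holds the cleartext payload.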