
Troubleshoot BIG-IP Using Ssldump

by | 6-Jun-2020 | ADC, F5, LTM

Applied version

  • BIG-IP LTM: focus on versions 15.x and 14.x, with less focus on earlier versions


(1) Capturing The Target Traffic Using Tcpdump

Common Tcpdump syntax

  • #tcpdump -vvv -s0 -nni external -w /var/tmp/www-ssl-client.pcap host 10.1.1.100 and port 443
  • #tcpdump -vvv -s0 -nni internal -w /var/tmp/www-ssl-server.pcap host 192.168.22.33 and net 10.1.1.0/24 and port 443
  • #tcpdump -vnni 0.0:nnnp -s0 -w /var/tmp/www-ssl-client.pcap host 192.168.22.33 and host 10.1.1.100 and port 443


For more information, refer to Troubleshoot BIG-IP Using Tcpdump.

(2) Examining the SSL handshake and other SSL record messages

Ssldump Syntax

#ssldump -Aed -nr /path/to/capture_file (To display all of the SSL record messages, without resolving host names)

#ssldump -Aed -r /path/to/capture_file -k /path/to/private_key (To display all of the SSL record messages and the decrypted application data)

#ssldump -r /path/to/capture_file -k /path/to/private_key -M /path/to/pre-master-key_log_file (To create a pre-master secret key log file)

Options:

  • -r To specify the path and name of the tcpdump capture file
  • -n Do not resolve host names
  • -A Print all fields (ssldump, by default, prints only the most interesting)
  • -e Print absolute timestamps
  • -d Display application data, including traffic before session initiates
  • -k To specify the path and name of the server’s private key
  • -M Output a pre-master secret log file (BIG-IP 11.2.0 and later)
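The -M option above writes the secrets that Wireshark later uses to decrypt the capture. The following added example (not code from the original post or from ssldump) checks such a log before it is handed to Wireshark; it assumes the file uses the NSS key log format that Wireshark reads (one secret per line, either RSA <hex> <hex> or CLIENT_RANDOM <hex> <hex>), and the sample lines are constructed, not taken from a real session.

```python
"""Sanity-check a pre-master secret log before handing it to Wireshark.

Added example, not part of the original post or of ssldump. It assumes the
file written by ssldump -M uses the NSS key log format Wireshark reads:
one secret per line, 'RSA <hex> <hex>' or 'CLIENT_RANDOM <hex> <hex>'.
The sample lines below are constructed, not taken from a real session.
"""
import re

LINE_RE = re.compile(r"^(RSA|CLIENT_RANDOM)\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)$")
# Expected hex-digit lengths per label: RSA lines carry the first 8 bytes of the
# encrypted pre-master secret and the 48-byte pre-master secret; CLIENT_RANDOM
# lines carry the 32-byte client random and the 48-byte master secret.
EXPECTED = {"RSA": (16, 96), "CLIENT_RANDOM": (64, 96)}

# Constructed sample log: two valid entries, a comment, a blank line,
# a secret that was cut short, and a line that is not a key log entry at all.
SAMPLE_LOG = "\n".join([
    "RSA " + "0a" * 8 + " " + "0b" * 48,
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "# comments and blank lines are skipped",
    "",
    "CLIENT_RANDOM " + "33" * 32 + " " + "44" * 20,
    "not a key log line",
])


def check_keylog(text):
    """Return (usable_entries, problems); a problem is (line_number, reason)."""
    usable, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((n, "unrecognised line"))
            continue
        label, first, secret = m.groups()
        want_first, want_secret = EXPECTED[label]
        if len(first) != want_first or len(secret) != want_secret:
            problems.append((n, f"{label} fields are {len(first)}/{len(secret)} hex digits, "
                                f"expected {want_first}/{want_secret}"))
            continue
        usable.append((label, first.lower()))
    return usable, problems


if __name__ == "__main__":
    ok, bad = check_keylog(SAMPLE_LOG)
    print(f"{len(ok)} usable entries; {len(bad)} problems: {bad}")
```

A log with no usable entries is the usual symptom when ssldump could not recover any session secrets from the capture, so counting them is a quicker check than loading the file into Wireshark and finding the application data still encrypted.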


SSL Handshake Overview

SSL connections are established on top of an existing TCP connection using an SSL handshake that accomplishes the following:

  • The client and server negotiate security capabilities, such as the public-key algorithm, the symmetric key algorithm, and compression algorithms.
  • The server transmits its certificate to the client, allowing the client to validate the identity of the server.
  • The client and server exchange session key information.
  • The client may also send its certificate to the server, allowing the server to validate the identity of the client.


Example

[root@ltm101:Active:Standalone] config # tcpdump -vnni 0.0:nnnp -s0 -w /var/tmp/www-ssl-client.pcap host 192.168.201.10 and tcp port 443
tcpdump: listening on 0.0:nnnp, link-type EN10MB (Ethernet), capture size 65535 bytes
^C348 packets captured
348 packets received by filter
0 packets dropped by kernel

[root@ltm101:Active:Standalone] config # ssldump -Aed -nr /var/tmp/www-ssl-client.pcap >> /var/tmp/www-ssl-client.pcap.txt

[root@ltm101:Active:Standalone] config # more /var/tmp/www-ssl-client.pcap.txt

Figures referenced in the example:

  • Tcpdump syntax (Figure 1)
  • Ssldump syntax, Client Hello (Figure 2)
  • Server Hello, Certificate, ServerKeyExchange, ServerHelloDone (Figure 3)
  • ClientKeyExchange, ChangeCipherSpec, Alert, TCP FIN (Figure 4)
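To make the handshake overview and the ssldump output in Figures 2 to 4 concrete, here is an added example (not code from the original post or from ssldump) that decodes the TLS record layer and the handshake messages ssldump lists: a ClientHello, the ServerHello / Certificate / ServerKeyExchange / ServerHelloDone flight, and a fatal Alert. The traffic is a constructed byte string built inline, not a real capture; the cipher suite and alert tables are small subsets of the IANA registries, and only the ClientHello and ServerHello bodies are decoded in detail. It also shows the practical limit of the -k option: ssldump can only decrypt sessions that used the static RSA key exchange, and a ServerKeyExchange message in the trace means an ephemeral (EC)DHE exchange was negotiated instead.

```python
"""Decode the TLS record and handshake layers that ssldump summarises.

Added example: not code from the original post or from ssldump. It parses a
constructed byte string and reports the fields ssldump prints (versions,
cipher suites, handshake message types, alerts).
"""
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}
# A few IANA cipher suite codes (not exhaustive).
CIPHER_SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
                 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      46: "certificate_unknown", 48: "unknown_ca"}


def _parse_hello(body, is_client):
    """Decode the start of a ClientHello/ServerHello body: version, session id, suites."""
    version = f"{body[0]}.{body[1]}"          # ssldump prints TLS 1.2 as "Version 3.3"
    pos = 34                                  # 2 bytes version + 32 bytes random
    pos += 1 + body[pos]                      # session_id length byte + session_id
    if is_client:
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        return {"version": version,
                "cipher_suites": [CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites]}
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": CIPHER_SUITES.get(suite, f"0x{suite:04x}")}


def parse_tls_records(data):
    """Walk TLS records; return one summary dict per record or per handshake message.
    Messages straddling two records and encrypted records after ChangeCipherSpec
    are not reassembled or decrypted here."""
    out, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        frag = data[pos + 5:pos + 5 + length]
        base = {"type": CONTENT_TYPES.get(ctype, str(ctype)), "record_version": f"{major}.{minor}"}
        if len(frag) < length:                # the capture ended in the middle of a record
            out.append(dict(base, type="Truncated"))
            break
        pos += 5 + length
        if ctype == 22:                       # one record may carry several handshake messages
            hpos = 0
            while hpos + 4 <= len(frag):
                htype = frag[hpos]
                hlen = int.from_bytes(frag[hpos + 1:hpos + 4], "big")
                body = frag[hpos + 4:hpos + 4 + hlen]
                rec = dict(base, handshake=HANDSHAKE_TYPES.get(htype, str(htype)))
                if htype in (1, 2):
                    rec.update(_parse_hello(body, htype == 1))
                out.append(rec)
                hpos += 4 + hlen
        elif ctype == 21:
            level, desc = frag[0], frag[1]
            out.append(dict(base, alert=("fatal" if level == 2 else "warning",
                                         ALERT_DESCRIPTIONS.get(desc, str(desc)))))
        else:
            out.append(base)
    return out


def server_key_can_decrypt(records):
    """ssldump -k relies on the static RSA key exchange; a ServerKeyExchange message
    means (EC)DHE was negotiated and the server's private key will not decrypt it."""
    return not any(r.get("handshake") == "ServerKeyExchange" for r in records)


# --- constructed sample traffic (not a real capture) ---
def _hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _rec(ctype, frag):
    return bytes([ctype, 3, 3]) + struct.pack("!H", len(frag)) + frag


CLIENT_HELLO = _hs(1, b"\x03\x03" + b"\x11" * 32 + b"\x00"
                   + struct.pack("!H", 4) + b"\xc0\x2f\x00\x2f" + b"\x01\x00")
SERVER_FLIGHT = (_hs(2, b"\x03\x03" + b"\x22" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00")
                 + _hs(11, b"\x00\x00\x00")          # empty certificate list, shape only
                 + _hs(12, b"\x03\x00\x17\x00")      # placeholder ServerKeyExchange body
                 + _hs(14, b""))
SAMPLE = _rec(22, CLIENT_HELLO) + _rec(22, SERVER_FLIGHT) + _rec(21, b"\x02\x28")

if __name__ == "__main__":
    records = parse_tls_records(SAMPLE)
    for r in records:
        print(r)
    print("decryptable with ssldump -k:", server_key_can_decrypt(records))
```

Reading the output next to Figures 2 to 4: the ClientHello line lists the suites offered, the ServerHello line shows the one chosen, and a fatal Alert right after the server flight is the point to start looking, since the handshake never reached ChangeCipherSpec.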
