F5 DUMP

Subscribe to posts

Ansible and F5

posted 3 May 2018, 07:01 by Donald Ross [ updated 3 May 2018, 13:41 ]

~~~~~still to edit~~~~~~~

Install OS - Ubuntu 16.04 #https://github.com/npearce/F5-iApps_and_Ansible-playbooks

download ansible-tower setup

wget "http://releases.ansible.com/ansible-tower/setup/ansible-tower-setup-latest.tar.gz"

Setup -

http://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html

http://docs.ansible.com/ansible-tower/3.0.3/html/quickstart/index.html

tar xvf ansible-tower-setup-latest.tar.gz

cd ansible-tower-setup-3.2.4/

sudo nano inventory

-enter passwords in any password field

sudo ./setup.sh

sudo apt install python3-pip

sudo apt install python-pip

sudo pip install f5-sdk bigsuds netaddr deepdiffnetaddr deepdiff

*video*

basic setup referance

https://www.youtube.com/watch?v=eu_95ItWmyE

https://devcentral.f5.com/articles/dig-deeper-into-ansible-and-f5-integration-25984

ref:

https://github.com/payalsin/f5-ansible/tree/master/playbooks

https://devcentral.f5.com/articles/dig-deeper-into-ansible-and-f5-integration-25984

http://jsonviewer.stack.hu/

https://jsonformatter.org/yaml-validator

http://warfares.github.io/pretty-json/

https://github.com/F5Networks/f5-ansible/tree/devel/library/modules

https://www.youtube.com/watch?v=TsUIRtT80QU

http://appsvcs-integration-iapp.readthedocs.io/en/develop/userguide/module1/module1.html

F5 SNMP

posted 20 Mar 2018, 03:49 by Donald Ross [ updated 20 Mar 2018, 04:22 ]

On Ubuntu install snmpwalk using

apt-get install snmp

On Ubuntu install snmpwalk using

snmpwalk -v2c -c public 192.168.2.21

snmpwalk -v2c -c SNMP_Community1 192.168.2.1 1.3.6.1.4.1.21067.2.1.2.4.2

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-3-0/8.html

F5 logs

posted 20 Mar 2018, 03:47 by Donald Ross

*** add some more info***

View zipped log

zcat ltm.1.gz

F5 connection table

posted 1 Mar 2018, 08:51 by Donald Ross [ updated 1 Mar 2018, 09:40 ]

#delete connection

tmsh delete /sys connection cs-client-addr 172.10.50.20

#show connections

show sys connection cs-client-addr 192.168.100.22

#Other options

Options:

all-properties exa kil peta save-to-file yotta |

default gig meg raw tera zetta

Properties:

age cs-client-addr cs-server-addr protocol ss-client-port ss-server-port {

connection-id cs-client-port cs-server-port ss-client-addr ss-server-addr type

show sys connection all-properties

#Examples

show sys connection

Really display all connections? (y/n) y

Sys::Connections

10.102.0.1:58776 10.102.0.26:8 10.102.0.1:58776 10.102.0.26:8 icmp 4 (tmm: 0) none

192.168.51.11:56627 192.168.51.15:4353 192.168.51.11:56627 192.168.51.15:4353 tcp 2 (tmm: 0) none

10.102.0.1:58775 10.102.0.26:8 10.102.0.1:58775 10.102.0.26:8 icmp 9 (tmm: 1) none

Total records returned: 3

donald@(ltm-t1-1-dc2)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys connection all-properties

Really display all connections? (y/n) y

Sys::Connections

10.102.0.1:58784 - 10.102.0.26:8 - 10.102.0.1:58784 - 10.102.0.26:8

-------------------------------------------------------------------

TMM 0

Type self

Acceleration none

Protocol icmp

Idle Time 5

Idle Timeout 10

Unit ID 0

Lasthop /Common/vl2102 00:50:56:ab:fc:78

Virtual Path 10.102.0.26:8

Conn Id 0

ClientSide ServerSide

Client Addr 10.102.0.1:58784 10.102.0.1:58784

Server Addr 10.102.0.26:8 10.102.0.26:8

Bits In 320 320

Bits Out 320 320

Packets In 1 1

Packets Out 1 1

192.168.51.11:56627 - 192.168.51.15:4353 - 192.168.51.11:56627 - 192.168.51.15:4353

-----------------------------------------------------------------------------------

TMM 0

Type self

Acceleration none

Protocol tcp

Idle Time 2

Idle Timeout 300

Unit ID 0

Lasthop /Common/vl51 00:50:56:ab:8e:45

Virtual Path 192.168.51.15:4353

Conn Id 0

ClientSide ServerSide

Client Addr 192.168.51.11:56627 192.168.51.11:56627

Server Addr 192.168.51.15:4353 192.168.51.15:4353

Bits In 97.8M 104.7M

Bits Out 104.7M 97.8M

Packets In 140.7K 140.6K

Packets Out 140.6K 140.7K

10.102.0.1:58783 - 10.102.0.26:8 - 10.102.0.1:58783 - 10.102.0.26:8

-------------------------------------------------------------------

TMM 1

Type self

Acceleration none

Protocol icmp

Idle Time 10

Idle Timeout 10

Unit ID 0

Lasthop /Common/vl2102 00:50:56:ab:fc:78

Virtual Path 10.102.0.26:8

Conn Id 0

ClientSide ServerSide

Client Addr 10.102.0.1:58783 10.102.0.1:58783

Server Addr 10.102.0.26:8 10.102.0.26:8

Bits In 320 320

Bits Out 320 320

Packets In 1 1

Packets Out 1 1

Total records returned: 3

F5 TCPdump examples

posted 1 Mar 2018, 06:12 by Donald Ross [ updated 1 Mar 2018, 13:17 ]

Wireshark tips

-Add delta time column

SSLdump nuggets

-Version 3.0 = SSLv3,

-Version 3.1 = TLS 1.0

-Version 3.2 = TLS 1.1

-Version 3.3 = TLS 1.2

Breaking Down the TLS Handshake

TCPdump

This first dump show the external and internal conversation between the PC<-80->F5(snat)<-80->WebServer

External

donald@R2-D3:~/TCPdump_F5_301b/test80_80$ tcpdump -r 2018-02-28_19\:18\:29_external.bin

reading from file 2018-02-28_19:18:29_external.bin, link-type EN10MB (Ethernet)

19:18:29.068432 00:00:00:00:00:00 (oui Ethernet) > 00:00:00:00:00:00 (oui Ethernet), ethertype Unknown (0x05ff), length 248:

0x0000: 4635 2d50 7365 7564 6f2d 706b 7400 434d F5-Pseudo-pkt.CM

0x0010: 443a 2074 6370 6475 6d70 202d 6920 766c D:.tcpdump.-i.vl

0x0020: 3531 202d 6320 3130 3020 2d6e 6e6e 202d 51.-c.100.-nnn.-

0x0030: 7330 202d 7676 7620 2d77 202f 7661 722f s0.-vvv.-w./var/

0x0040: 746d 702f 3230 3138 2d30 322d 3238 5f31 tmp/2018-02-28_1

0x0050: 393a 3138 3a32 395f 6578 7465 726e 616c 9:18:29_external

0x0060: 2e62 696e 2068 6f73 7420 3139 322e 3136 .bin.host.192.16

0x0070: 382e 3130 302e 3232 2061 6e64 2031 302e 8.100.22.and.10.

0x0080: 3231 322e 302e 3236 0056 4552 3a20 3132 212.0.26.VER:.12

0x0090: 2e31 2e33 2e31 2030 2e30 2e39 0048 4f53 .1.3.1.0.0.9.HOS

0x00a0: 543a 206c 746d 2d74 312d 312d 6463 322e T:.ltm-t1-1-dc2.

0x00b0: 6d67 6d74 2e66 756c 6c70 726f 7879 2d6c mgmt.fullproxy-l

0x00c0: 6162 732e 636f 2e75 6b00 504c 4154 3a20 abs.co.uk.PLAT:.

0x00d0: 5a31 3030 0050 524f 443a 2042 4947 2d49 Z100.PROD:.BIG-I

0x00e0: 5000 5345 5353 3a20 3000 P.SESS:.0.

19:18:54.400032 IP 192.168.100.22.61957 > 10.212.0.26.http: Flags [S], seq 1099534812, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0

19:18:54.400099 IP 10.212.0.26.http > 192.168.100.22.61957: Flags [S.], seq 2915381692, ack 1099534813, win 4050, options [mss 1460,sackOK,eol], length 0

19:18:54.441192 IP 192.168.100.22.61957 > 10.212.0.26.http: Flags [.], ack 1, win 64240, length 0

19:18:54.441798 IP 192.168.100.22.61957 > 10.212.0.26.http: Flags [P.], seq 1:393, ack 1, win 64240, length 392: HTTP: GET / HTTP/1.1

19:18:54.441856 IP 10.212.0.26.http > 192.168.100.22.61957: Flags [.], ack 393, win 4442, length 0

19:18:54.445450 IP 10.212.0.26.http > 192.168.100.22.61957: Flags [P.], seq 1:619, ack 393, win 4442, length 618: HTTP: HTTP/1.0 200 OK

19:18:54.445460 IP 10.212.0.26.http > 192.168.100.22.61957: Flags [F.], seq 619, ack 393, win 4442, length 0

19:18:54.491530 IP 192.168.100.22.61957 > 10.212.0.26.http: Flags [F.], seq 393, ack 619, win 63622, length 0

19:18:54.491543 IP 10.212.0.26.http > 192.168.100.22.61957: Flags [.], ack 394, win 4442, length 0

19:18:54.491635 IP 192.168.100.22.61957 > 10.212.0.26.http: Flags [.], ack 620, win 63622, length 0

19:18:54.507629 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [S], seq 3928284592, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0

19:18:54.507687 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [S.], seq 2719480176, ack 3928284593, win 4050, options [mss 1460,sackOK,eol], length 0

19:18:54.549505 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 1, win 64240, length 0

19:18:54.549956 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [P.], seq 1:360, ack 1, win 64240, length 359: HTTP: GET /FullProxy.png HTTP/1.1

19:18:54.550011 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [.], ack 360, win 4409, length 0

19:18:54.553961 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [P.], seq 1:1542, ack 360, win 4409, length 1541: HTTP: HTTP/1.0 200 OK

19:18:54.557058 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [P.], seq 1542:2892, ack 360, win 4409, length 1350: HTTP

19:18:54.559208 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [P.], seq 2892:4242, ack 360, win 4409, length 1350: HTTP

19:18:54.561271 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [P.], seq 4242:4382, ack 360, win 4409, length 140: HTTP

19:18:54.597726 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 1542, win 64800, length 0

19:18:54.604999 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 4382, win 64800, length 0

19:18:54.607053 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [P.], seq 4382:6942, ack 360, win 4409, length 2560: HTTP

19:18:54.607058 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [P.], seq 6942:12342, ack 360, win 4409, length 5400: HTTP

19:18:54.653738 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 6942, win 64800, length 0

19:18:54.653746 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [P.], seq 12342:17742, ack 360, win 4409, length 5400: HTTP

19:18:54.658839 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 9642, win 64800, length 0

19:18:54.658845 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [P.], seq 17742:21792, ack 360, win 4409, length 4050: HTTP

19:18:54.663671 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 12342, win 64800, length 0

19:18:54.663676 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [P.], seq 21792:27192, ack 360, win 4409, length 5400: HTTP

19:18:54.700822 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 15042, win 64800, length 0

19:18:54.700829 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [P.], seq 27192:33022, ack 360, win 4409, length 5830: HTTP

19:18:54.700837 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [F.], seq 33022, ack 360, win 4409, length 0

19:18:54.705380 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 17742, win 64800, length 0

19:18:54.710824 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 20442, win 64800, length 0

19:18:54.719002 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 23142, win 64800, length 0

19:18:54.721754 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 25842, win 64800, length 0

19:18:54.745892 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 28542, win 64800, length 0

19:18:54.750427 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 31242, win 64800, length 0

19:18:54.753871 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [.], ack 33023, win 64800, length 0

19:18:54.753913 IP 192.168.100.22.61958 > 10.212.0.26.http: Flags [F.], seq 360, ack 33023, win 64800, length 0

19:18:54.753919 IP 10.212.0.26.http > 192.168.100.22.61958: Flags [.], ack 361, win 4409, length 0

Internal

[donald@ltm-t1-1-dc2:Active:Standalone] ~ # tcpdump -i vl2102 host 10.102.0.10 and 10.102.0.26 -nnn -s0 -vvv

tcpdump: listening on vl2102, link-type EN10MB (Ethernet), capture size 65535 bytes

^[[15~17:53:41.526913 IP (tos 0x0, ttl 255, id 48655, offset 0, flags [DF], proto TCP (6), length 48)

10.102.0.10.54871 > 10.102.0.26.80: Flags [S], cksum 0x1512 (incorrect -> 0xffa8), seq 1889474781, win 4050, options [mss 1350,sackOK,eol], length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

17:53:41.528978 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.102.0.10 tell 10.102.0.26, length 53 in slot1/tmm0 lis=

17:53:41.528998 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.102.0.10 is-at 00:50:56:ab:fc:78, length 53 out slot1/tmm0 lis=

17:53:41.529791 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 48)

10.102.0.26.80 > 10.102.0.10.54871: Flags [S.], cksum 0x2992 (correct), seq 3730044152, ack 1889474782, win 4380, options [mss 1460,nop,nop,sackOK], length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

17:53:41.529801 IP (tos 0x0, ttl 255, id 48659, offset 0, flags [DF], proto TCP (6), length 40)

10.102.0.10.54871 > 10.102.0.26.80: Flags [.], cksum 0x150a (incorrect -> 0x57a0), seq 1, ack 1, win 4050, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

17:53:41.529808 IP (tos 0x0, ttl 255, id 48661, offset 0, flags [DF], proto TCP (6), length 475)

10.102.0.10.54871 > 10.102.0.26.80: Flags [P.], cksum 0x16bd (incorrect -> 0x78b4), seq 1:436, ack 1, win 4050, length 435: HTTP, length: 435

GET / HTTP/1.1

Host: 10.212.0.26

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cache

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Upgrade-Insecure-Requests: 1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

out slot1/tmm1 lis=/Common/Slitaz-Redirector

17:53:41.530918 IP (tos 0x0, ttl 64, id 55721, offset 0, flags [DF], proto TCP (6), length 40)

10.102.0.26.80 > 10.102.0.10.54871: Flags [.], cksum 0x50cf (correct), seq 1, ack 436, win 5360, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

17:53:41.531218 IP (tos 0x0, ttl 64, id 55722, offset 0, flags [DF], proto TCP (6), length 229)

10.102.0.26.80 > 10.102.0.10.54871: Flags [P.], cksum 0x6fc4 (correct), seq 1:190, ack 436, win 5360, length 189: HTTP, length: 189

HTTP/1.0 200 OK

Content-type: text/html

Date: Thu, 01 Mar 2018 18:44:43 GMT

Connection: close

Accept-Ranges: bytes

Last-Modified: Wed, 21 Feb 2018 15:20:13 GMT

Content-length: 429

in slot1/tmm1 lis=/Common/Slitaz-Redirector

17:53:41.531220 IP (tos 0x0, ttl 64, id 55723, offset 0, flags [DF], proto TCP (6), length 469)

10.102.0.26.80 > 10.102.0.10.54871: Flags [FP.], cksum 0x3ba4 (correct), seq 190:619, ack 436, win 5360, length 429: HTTP in slot1/tmm1 lis=/Common/Slitaz-Redirector

17:53:41.531231 IP (tos 0x0, ttl 255, id 48666, offset 0, flags [DF], proto TCP (6), length 40)

10.102.0.10.54871 > 10.102.0.26.80: Flags [.], cksum 0x150a (incorrect -> 0x5473), seq 436, ack 190, win 4239, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

17:53:41.531238 IP (tos 0x0, ttl 255, id 48669, offset 0, flags [DF], proto TCP (6), length 40)

10.102.0.10.54871 > 10.102.0.26.80: Flags [.], cksum 0x150a (incorrect -> 0x5118), seq 436, ack 620, win 4668, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

17:53:41.623604 IP (tos 0x0, ttl 255, id 48673, offset 0, flags [DF], proto TCP (6), length 40)

10.102.0.10.54871 > 10.102.0.26.80: Flags [F.], cksum 0x150a (incorrect -> 0x5117), seq 436, ack 620, win 4668, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

17:53:41.624147 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)

10.102.0.26.80 > 10.102.0.10.54871: Flags [.], cksum 0x4e63 (correct), seq 620, ack 437, win 5360, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

13 packets captured

13 packets received by filter

0 packets dropped by kernel

Client tries to connect to port 80 when the VS is set to port 443 - this produces a repeated SYN [S] from the client and a RESET ACK [R.] from the F5 - See below

[donald@ltm-t1-1-dc2:Active:Standalone] ~ # tcpdump -r /var/tmp/external_80_should_be_4432018-02-28_20\:57\:28.bin

reading from file /var/tmp/external_80_should_be_4432018-02-28_20:57:28.bin, link-type EN10MB (Ethernet)

20:57:28.112772 00:00:00:00:00:00 (oui Ethernet) > 00:00:00:00:00:00 (oui Ethernet), ethertype Unknown (0x05ff), length 244:

0x0000: 4635 2d50 7365 7564 6f2d 706b 7400 434d F5-Pseudo-pkt.CM

0x0010: 443a 2074 6370 6475 6d70 202d 6920 766c D:.tcpdump.-i.vl

0x0020: 3531 202d 7676 7620 2d6e 6e6e 202d 7330 51.-vvv.-nnn.-s0

0x0030: 202d 7020 2d77 202f 7661 722f 746d 702f .-p.-w./var/tmp/

0x0040: 6578 7465 726e 616c 5f38 305f 7368 6f75 external_80_shou

0x0050: 6c64 5f62 655f 3434 3332 3031 382d 3032 ld_be_4432018-02

0x0060: 2d32 385f 3230 3a35 373a 3238 2e62 696e -28_20:57:28.bin

0x0070: 2068 6f73 7420 3139 322e 3136 382e 3130 .host.192.168.10

0x0080: 302e 3232 0056 4552 3a20 3132 2e31 2e33 0.22.VER:.12.1.3

0x0090: 2e31 2030 2e30 2e39 0048 4f53 543a 206c .1.0.0.9.HOST:.l

0x00a0: 746d 2d74 312d 312d 6463 322e 6d67 6d74 tm-t1-1-dc2.mgmt

0x00b0: 2e66 756c 6c70 726f 7879 2d6c 6162 732e .fullproxy-labs.

0x00c0: 636f 2e75 6b00 504c 4154 3a20 5a31 3030 co.uk.PLAT:.Z100

0x00d0: 0050 524f 443a 2042 4947 2d49 5000 5345 .PROD:.BIG-IP.SE

0x00e0: 5353 3a20 3000 SS:.0.

20:57:35.166451 IP 192.168.100.22.63144 > 10.212.0.26.http: Flags [S], seq 3768668688, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis=

20:57:35.166486 IP 10.212.0.26.http > 192.168.100.22.63144: Flags [R.], seq 0, ack 3768668689, win 0, length 0 out slot1/tmm0 lis=

20:57:35.417458 IP 192.168.100.22.63145 > 10.212.0.26.http: Flags [S], seq 725762412, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm1 lis=

20:57:35.417483 IP 10.212.0.26.http > 192.168.100.22.63145: Flags [R.], seq 0, ack 725762413, win 0, length 0 out slot1/tmm1 lis=

20:57:35.707186 IP 192.168.100.22.63144 > 10.212.0.26.http: Flags [S], seq 3768668688, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis=

20:57:35.707209 IP 10.212.0.26.http > 192.168.100.22.63144: Flags [R.], seq 0, ack 1, win 0, length 0 out slot1/tmm0 lis=

20:57:35.958859 IP 192.168.100.22.63145 > 10.212.0.26.http: Flags [S], seq 725762412, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm1 lis=

20:57:35.958881 IP 10.212.0.26.http > 192.168.100.22.63145: Flags [R.], seq 0, ack 1, win 0, length 0 out slot1/tmm1 lis=

20:57:36.247422 IP 192.168.100.22.63144 > 10.212.0.26.http: Flags [S], seq 3768668688, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis=

20:57:36.247466 IP 10.212.0.26.http > 192.168.100.22.63144: Flags [R.], seq 0, ack 1, win 0, length 0 out slot1/tmm0 lis=

20:57:36.501120 IP 192.168.100.22.63145 > 10.212.0.26.http: Flags [S], seq 725762412, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm1 lis=

20:57:36.501158 IP 10.212.0.26.http > 192.168.100.22.63145: Flags [R.], seq 0, ack 1, win 0, length 0 out slot1/tmm1 lis=

Client tries to connect to port 443 when the VS is set to port 443 but with no SSL profile - this produces a conversation with minimal traffic - See below - Followed by an ssldump of the same connection showing the client hello followed by nothing as the VS has no client ssl profile.

[donald@ltm-t1-1-dc2:Active:Standalone] ~ # tcpdump -r /var/tmp/external_443_without_Client-ssl_2018-02-28_21\:55\:15.bin

reading from file /var/tmp/external_443_without_Client-ssl_2018-02-28_21:55:15.bin, link-type EN10MB (Ethernet)

21:55:15.487030 00:00:00:00:00:00 (oui Ethernet) > 00:00:00:00:00:00 (oui Ethernet), ethertype Unknown (0x05ff), length 251:

0x0000: 4635 2d50 7365 7564 6f2d 706b 7400 434d F5-Pseudo-pkt.CM

0x0010: 443a 2074 6370 6475 6d70 202d 6920 766c D:.tcpdump.-i.vl

0x0020: 3531 202d 7676 7620 2d6e 6e6e 202d 7330 51.-vvv.-nnn.-s0

0x0030: 202d 7020 2d77 202f 7661 722f 746d 702f .-p.-w./var/tmp/

0x0040: 6578 7465 726e 616c 5f34 3433 5f77 6974 external_443_wit

0x0050: 686f 7574 5f43 6c69 656e 742d 7373 6c5f hout_Client-ssl_

0x0060: 3230 3138 2d30 322d 3238 5f32 313a 3535 2018-02-28_21:55

0x0070: 3a31 352e 6269 6e20 686f 7374 2031 3932 :15.bin.host.192

0x0080: 2e31 3638 2e31 3130 2e31 3200 5645 523a .168.110.12.VER:

0x0090: 2031 322e 312e 332e 3120 302e 302e 3900 .12.1.3.1.0.0.9.

0x00a0: 484f 5354 3a20 6c74 6d2d 7431 2d31 2d64 HOST:.ltm-t1-1-d

0x00b0: 6332 2e6d 676d 742e 6675 6c6c 7072 6f78 c2.mgmt.fullprox

0x00c0: 792d 6c61 6273 2e63 6f2e 756b 0050 4c41 y-labs.co.uk.PLA

0x00d0: 543a 205a 3130 3000 5052 4f44 3a20 4249 T:.Z100.PROD:.BI

0x00e0: 472d 4950 0053 4553 533a 2030 00 G-IP.SESS:.0.

21:55:19.586307 IP 192.168.110.12.55465 > 10.212.0.26.https: Flags [S], seq 526468216, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis=

21:55:19.586345 IP 10.212.0.26.https > 192.168.110.12.55465: Flags [S.], seq 4095559000, ack 526468217, win 4050, options [mss 1460,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

21:55:19.627656 IP 192.168.110.12.55465 > 10.212.0.26.https: Flags [.], ack 1, win 64240, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

21:55:19.627815 IP 192.168.110.12.55465 > 10.212.0.26.https: Flags P.], seq 1:169, ack 1, win 64240, length 168 in slot1/tmm0 lis=/Common/Slitaz-Redirector

21:55:19.627826 IP 10.212.0.26.https > 192.168.110.12.55465: Flags [.], ack 169, win 4218, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

21:55:29.669054 IP 192.168.110.12.55465 > 10.212.0.26.https: Flags [.], seq 168:169, ack 1, win 64240, length 1 in slot1/tmm0 lis=/Common/Slitaz-Redirector

21:55:29.669066 IP 10.212.0.26.https > 192.168.110.12.55465: Flags [.], ack 169, win 4218, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

21:55:39.711098 IP 192.168.110.12.55465 > 10.212.0.26.https: Flags [.], seq 168:169, ack 1, win 64240, length 1 in slot1/tmm0 lis=/Common/Slitaz-Redirector

21:55:39.711110 IP 10.212.0.26.https > 192.168.110.12.55465: Flags [.], ack 169, win 4218, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

21:55:49.751761 IP 192.168.110.12.55465 > 10.212.0.26.https: Flags [.], seq 168:169, ack 1, win 64240, length 1 in slot1/tmm0 lis=/Common/Slitaz-Redirector

21:55:49.751773 IP 10.212.0.26.https > 192.168.110.12.55465: Flags [.], ack 169, win 4218, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

21:55:58.585769 IP 192.168.110.12.55465 > 10.212.0.26.https: Flags [F.], seq 169, ack 1, win 64240, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

21:55:58.585786 IP 10.212.0.26.https > 192.168.110.12.55465: Flags [.], ack 170, win 4218, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

21:55:58.585790 IP 10.212.0.26.https > 192.168.110.12.55465: Flags [F.], seq 1, ack 170, win 4218, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

21:55:58.627333 IP 192.168.110.12.55465 > 10.212.0.26.https: Flags [.], ack 2, win 64240, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

SSLDUMP

[donald@ltm-t1-1-dc2:Active:Standalone] ~ # ssldump -AedH -i vl51 host 192.168.110.12

New TCP connection #1: 192.168.110.12(55555) <-> 10.212.0.26(443)

1 1 1519855921.8432 (0.0427) C>SV3.1(163) Handshake

ClientHello

Version 3.3

random[32]=

06 e1 0c c9 16 05 3a a2 43 ac c0 4a c0 65 4b 82

d4 45 06 df 52 da 8d 3f 90 6f 91 44 bf 46 9d 72

cipher suites

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Unknown value 0xcca9

Unknown value 0xcca8

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

compression methods

NULL

Client tries to connect to port 443 again once the SSL profile has been applied - this produces a conversation with a lot more data as the webpage is now being served and recieved - See below - Followed by an ssldump of the same connection showing a full ssl handshake followed by encrypted application data.

[donald@ltm-t1-1-dc2:Active:Standalone] ~ # tcpdump -r /var/tmp/external_443_SSLprofile_applied_2018-03-01_11\:43\:51.bin

reading from file /var/tmp/external_443_SSLprofile_applied_2018-03-01_11:43:51.bin, link-type EN10MB (Ethernet)

11:43:51.978072 00:00:00:00:00:00 (oui Ethernet) > 00:00:00:00:00:00 (oui Ethernet), ethertype Unknown (0x05ff), length 234:

0x0000: 4635 2d50 7365 7564 6f2d 706b 7400 434d F5-Pseudo-pkt.CM

0x0010: 443a 2074 6370 6475 6d70 202d 6920 766c D:.tcpdump.-i.vl

0x0020: 3531 202d 7720 2f76 6172 2f74 6d70 2f65 51.-w./var/tmp/e

0x0030: 7874 6572 6e61 6c5f 3434 335f 5353 4c70 xternal_443_SSLp

0x0040: 726f 6669 6c65 5f61 7070 6c69 6564 5f32 rofile_applied_2

0x0050: 3031 382d 3033 2d30 315f 3131 3a34 333a 018-03-01_11:43:

0x0060: 3531 2e62 696e 2068 6f73 7420 3139 322e 51.bin.host.192.

0x0070: 3136 382e 3130 302e 3232 0056 4552 3a20 168.100.22.VER:.

0x0080: 3132 2e31 2e33 2e31 2030 2e30 2e39 0048 12.1.3.1.0.0.9.H

0x0090: 4f53 543a 206c 746d 2d74 312d 312d 6463 OST:.ltm-t1-1-dc

0x00a0: 322e 6d67 6d74 2e66 756c 6c70 726f 7879 2.mgmt.fullproxy

0x00b0: 2d6c 6162 732e 636f 2e75 6b00 504c 4154 -labs.co.uk.PLAT

0x00c0: 3a20 5a31 3030 0050 524f 443a 2042 4947 :.Z100.PROD:.BIG

0x00d0: 2d49 5000 5345 5353 3a20 3000 -IP.SESS:.0.

11:44:18.659827 IP 192.168.100.22.50795 > 10.212.0.26.https: Flags [S], seq 2173373102, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis=

11:44:18.659866 IP 10.212.0.26.https > 192.168.100.22.50795: Flags [S.], seq 1052002990, ack 2173373103, win 4050, options [mss 1460,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:18.700507 IP 192.168.100.22.50795 > 10.212.0.26.https: Flags [.], ack 1, win 64240, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:18.701331 IP 192.168.100.22.50795 > 10.212.0.26.https: Flags [P.], seq 1:180, ack 1, win 64240, length 179 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:18.704968 IP 10.212.0.26.https > 192.168.100.22.50795: Flags [P.], seq 1:1057, ack 180, win 4050, length 1056 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:18.750412 IP 192.168.100.22.50795 > 10.212.0.26.https: Flags [P.], seq 180:498, ack 1057, win 64800, length 318 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:18.750433 IP 10.212.0.26.https > 192.168.100.22.50795: Flags [.], ack 498, win 4547, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:18.753297 IP 10.212.0.26.https > 192.168.100.22.50795: Flags [P.], seq 1057:1063, ack 498, win 4547, length 6 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:18.753304 IP 10.212.0.26.https > 192.168.100.22.50795: Flags [P.], seq 1063:1108, ack 498, win 4547, length 45 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:18.794241 IP 192.168.100.22.50795 > 10.212.0.26.https: Flags [.], ack 1108, win 64749, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:18.796563 IP 192.168.100.22.50795 > 10.212.0.26.https: Flags [F.], seq 498, ack 1108, win 64749, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:18.796576 IP 10.212.0.26.https > 192.168.100.22.50795: Flags [.], ack 499, win 4547, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:18.796578 IP 10.212.0.26.https > 192.168.100.22.50795: Flags [F.], seq 1108, ack 499, win 4547, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:18.838623 IP 192.168.100.22.50795 > 10.212.0.26.https: Flags [.], ack 1109, win 64749, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.625407 IP 192.168.100.22.50796 > 10.212.0.26.https: Flags [S], seq 2665896139, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm1 lis=

11:44:21.625507 IP 10.212.0.26.https > 192.168.100.22.50796: Flags [S.], seq 1649784331, ack 2665896140, win 4050, options [mss 1460,sackOK,eol], length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.666772 IP 192.168.100.22.50796 > 10.212.0.26.https: Flags [.], ack 1, win 64240, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.667215 IP 192.168.100.22.50796 > 10.212.0.26.https: Flags [P.], seq 1:180, ack 1, win 64240, length 179 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.669904 IP 10.212.0.26.https > 192.168.100.22.50796: Flags [P.], seq 1:1057, ack 180, win 4050, length 1056 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.715332 IP 192.168.100.22.50796 > 10.212.0.26.https: Flags [P.], seq 180:498, ack 1057, win 64800, length 318 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.715369 IP 10.212.0.26.https > 192.168.100.22.50796: Flags [.], ack 498, win 4547, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.718202 IP 10.212.0.26.https > 192.168.100.22.50796: Flags [P.], seq 1057:1063, ack 498, win 4547, length 6 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.718209 IP 10.212.0.26.https > 192.168.100.22.50796: Flags [P.], seq 1063:1108, ack 498, win 4547, length 45 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.759350 IP 192.168.100.22.50796 > 10.212.0.26.https: Flags [.], ack 1108, win 64749, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.760603 IP 192.168.100.22.50796 > 10.212.0.26.https: Flags [P.], seq 498:949, ack 1108, win 64749, length 451 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.760610 IP 10.212.0.26.https > 192.168.100.22.50796: Flags [.], ack 949, win 4998, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.765205 IP 10.212.0.26.https > 192.168.100.22.50796: Flags [P.], seq 1108:1755, ack 949, win 4998, length 647 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.765210 IP 10.212.0.26.https > 192.168.100.22.50796: Flags [F.], seq 1755, ack 949, win 4998, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.806707 IP 192.168.100.22.50796 > 10.212.0.26.https: Flags [.], ack 1108, win 64749, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.807603 IP 192.168.100.22.50796 > 10.212.0.26.https: Flags [.], ack 1756, win 64102, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.814426 IP 192.168.100.22.50796 > 10.212.0.26.https: Flags [F.], seq 949, ack 1756, win 64102, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.814437 IP 10.212.0.26.https > 192.168.100.22.50796: Flags [.], ack 950, win 4998, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.844007 IP 192.168.100.22.50797 > 10.212.0.26.https: Flags [S], seq 3461653776, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis=

11:44:21.844032 IP 10.212.0.26.https > 192.168.100.22.50797: Flags [S.], seq 3059995708, ack 3461653777, win 4050, options [mss 1460,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.885414 IP 192.168.100.22.50797 > 10.212.0.26.https: Flags [.], ack 1, win 64240, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.885817 IP 192.168.100.22.50797 > 10.212.0.26.https: Flags [P.], seq 1:212, ack 1, win 64240, length 211 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.885839 IP 10.212.0.26.https > 192.168.100.22.50797: Flags [.], ack 212, win 4261, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.886898 IP 10.212.0.26.https > 192.168.100.22.50797: Flags [P.], seq 1:93, ack 212, win 4261, length 92 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.887926 IP 10.212.0.26.https > 192.168.100.22.50797: Flags [P.], seq 93:138, ack 212, win 4261, length 45 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.928420 IP 192.168.100.22.50797 > 10.212.0.26.https: Flags [.], ack 138, win 64103, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.928594 IP 192.168.100.22.50797 > 10.212.0.26.https: Flags [P.], seq 212:263, ack 138, win 64103, length 51 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.928600 IP 10.212.0.26.https > 192.168.100.22.50797: Flags [.], ack 263, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.928629 IP 192.168.100.22.50797 > 10.212.0.26.https: Flags [F.], seq 263, ack 138, win 64103, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.928643 IP 10.212.0.26.https > 192.168.100.22.50797: Flags [.], ack 264, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.929673 IP 10.212.0.26.https > 192.168.100.22.50797: Flags [.], ack 264, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.929683 IP 10.212.0.26.https > 192.168.100.22.50797: Flags [F.], seq 138, ack 264, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.930966 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [S], seq 4069631451, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm1 lis=

11:44:21.931010 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [S.], seq 2885903674, ack 4069631452, win 4050, options [mss 1460,sackOK,eol], length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.970058 IP 192.168.100.22.50797 > 10.212.0.26.https: Flags [.], ack 139, win 64103, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:21.972058 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 1, win 64240, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.972521 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [P.], seq 1:212, ack 1, win 64240, length 211 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.972565 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 1:93, ack 212, win 4050, length 92 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:21.973588 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 93:138, ack 212, win 4261, length 45 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.014671 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 138, win 64103, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.014850 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [P.], seq 212:263, ack 138, win 64103, length 51 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.014858 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [.], ack 263, win 4312, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.014981 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [.], ack 263, win 4312, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.014994 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [P.], seq 263:656, ack 138, win 64103, length 393 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.015004 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [.], ack 656, win 4705, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.020772 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 138:1708, ack 656, win 4705, length 1570 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.022851 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 1708:3087, ack 656, win 4705, length 1379 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.026020 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 3087:4466, ack 656, win 4705, length 1379 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.028085 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 4466:4479, ack 656, win 4705, length 13 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.029229 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 4479:4656, ack 656, win 4705, length 177 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.064502 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 1708, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.067665 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 3087, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.073240 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 4656, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.073256 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 4656:7237, ack 656, win 4705, length 2581 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.073259 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 7237:9995, ack 656, win 4705, length 2758 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.073262 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 9995:12753, ack 656, win 4705, length 2758 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.120668 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 7237, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.120674 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 12753:18240, ack 656, win 4705, length 5487 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.124323 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 9995, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.124328 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 18240:22348, ack 656, win 4705, length 4108 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.128117 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 11345, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.128122 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 22348:25077, ack 656, win 4705, length 2729 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.130173 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 12753, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.130178 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 25077:29800, ack 656, win 4705, length 4723 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.167549 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 15453, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.167555 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [P.], seq 29800:33710, ack 656, win 4705, length 3910 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.167563 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [F.], seq 33710, ack 656, win 4705, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.172328 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 18240, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.175747 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 19590, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.181214 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 22348, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.182522 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 23698, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.185282 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 25077, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.191449 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 27777, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.194209 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 29800, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.215154 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 32500, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.215974 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 32500, win 64800, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.217459 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [.], ack 33711, win 63590, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.218504 IP 192.168.100.22.50798 > 10.212.0.26.https: Flags [F.], seq 656, ack 33711, win 63590, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.218512 IP 10.212.0.26.https > 192.168.100.22.50798: Flags [.], ack 657, win 4705, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.302217 IP 192.168.100.22.50801 > 10.212.0.26.https: Flags [S], seq 1239287547, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis=

11:44:22.302246 IP 10.212.0.26.https > 192.168.100.22.50801: Flags [S.], seq 624260181, ack 1239287548, win 4050, options [mss 1460,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.342595 IP 192.168.100.22.50801 > 10.212.0.26.https: Flags [.], ack 1, win 64240, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.343697 IP 192.168.100.22.50801 > 10.212.0.26.https: Flags [P.], seq 1:212, ack 1, win 64240, length 211 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.343716 IP 10.212.0.26.https > 192.168.100.22.50801: Flags [.], ack 212, win 4261, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.344784 IP 10.212.0.26.https > 192.168.100.22.50801: Flags [P.], seq 1:93, ack 212, win 4261, length 92 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.345826 IP 10.212.0.26.https > 192.168.100.22.50801: Flags [P.], seq 93:138, ack 212, win 4261, length 45 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.386048 IP 192.168.100.22.50801 > 10.212.0.26.https: Flags [.], ack 138, win 64103, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.386661 IP 192.168.100.22.50801 > 10.212.0.26.https: Flags [P.], seq 212:263, ack 138, win 64103, length 51 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.386669 IP 10.212.0.26.https > 192.168.100.22.50801: Flags [.], ack 263, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.386874 IP 192.168.100.22.50801 > 10.212.0.26.https: Flags [F.], seq 263, ack 138, win 64103, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.386886 IP 10.212.0.26.https > 192.168.100.22.50801: Flags [.], ack 264, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.387919 IP 10.212.0.26.https > 192.168.100.22.50801: Flags [.], ack 264, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.387931 IP 10.212.0.26.https > 192.168.100.22.50801: Flags [F.], seq 138, ack 264, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.390118 IP 192.168.100.22.50802 > 10.212.0.26.https: Flags [S], seq 527761147, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm1 lis=

11:44:22.390166 IP 10.212.0.26.https > 192.168.100.22.50802: Flags [S.], seq 1145275000, ack 527761148, win 4050, options [mss 1460,sackOK,eol], length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.428843 IP 192.168.100.22.50801 > 10.212.0.26.https: Flags [.], ack 139, win 64103, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

11:44:22.431307 IP 192.168.100.22.50802 > 10.212.0.26.https: Flags [.], ack 1, win 64240, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.431742 IP 192.168.100.22.50802 > 10.212.0.26.https: Flags [P.], seq 1:212, ack 1, win 64240, length 211 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.431783 IP 10.212.0.26.https > 192.168.100.22.50802: Flags [P.], seq 1:93, ack 212, win 4050, length 92 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.432806 IP 10.212.0.26.https > 192.168.100.22.50802: Flags [P.], seq 93:138, ack 212, win 4261, length 45 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.477357 IP 192.168.100.22.50802 > 10.212.0.26.https: Flags [.], ack 138, win 64103, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.477413 IP 192.168.100.22.50802 > 10.212.0.26.https: Flags [P.], seq 212:263, ack 138, win 64103, length 51 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.477423 IP 10.212.0.26.https > 192.168.100.22.50802: Flags [.], ack 263, win 4312, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.478476 IP 10.212.0.26.https > 192.168.100.22.50802: Flags [.], ack 263, win 4312, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.478581 IP 192.168.100.22.50802 > 10.212.0.26.https: Flags [P.], seq 263:654, ack 138, win 64103, length 391 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.478588 IP 10.212.0.26.https > 192.168.100.22.50802: Flags [.], ack 654, win 4703, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.484275 IP 10.212.0.26.https > 192.168.100.22.50802: Flags [P.], seq 138:398, ack 654, win 4703, length 260 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.484278 IP 10.212.0.26.https > 192.168.100.22.50802: Flags [F.], seq 398, ack 654, win 4703, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.525381 IP 192.168.100.22.50802 > 10.212.0.26.https: Flags [.], ack 399, win 63843, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.528754 IP 192.168.100.22.50802 > 10.212.0.26.https: Flags [F.], seq 654, ack 399, win 63843, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

11:44:22.528763 IP 10.212.0.26.https > 192.168.100.22.50802: Flags [.], ack 655, win 4703, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

SSLDUMP

[donald@ltm-t1-1-dc2:Active:Standalone] ~ # ssldump -AedH -i vl51 host 192.168.100.22

New TCP connection #1: 192.168.100.22(50813) <-> 10.212.0.26(443)

1 1 1519904858.3651 (0.0413) C>SV3.1(174) Handshake

ClientHello

Version 3.3

random[32]=

6e 8b bd 2d 09 25 17 1e d5 6f 50 b0 76 dc de e4

44 30 52 6c 22 b0 ff 20 b6 bc da 97 69 54 41 40

cipher suites

Unknown value 0x6a6a

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Unknown value 0xcca9

Unknown value 0xcca8

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

compression methods

NULL

1 2 1519904858.3652 (0.0000) S>CV3.3(81) Handshake

ServerHello

Version 3.3

random[32]=

ce 56 7a 24 dc 45 63 0d 3a 66 33 24 57 ac c4 c0

ec 33 43 4b 0a c4 08 9b 74 76 a5 65 2a 16 3d d8

session_id[32]=

20 ff 53 89 55 a3 a6 cc c9 86 3b 51 7c ab 0e 15

4e 5e e1 3d 98 e2 b5 79 72 61 9d bb cc bb de a5

cipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384

compressionMethod NULL

1 3 1519904858.3652 (0.0000) S>CV3.3(956) Handshake

Certificate

1 4 1519904858.3652 (0.0000) S>CV3.3(4) Handshake

ServerHelloDone

1 5 1519904858.4139 (0.0487) C>SV3.3(262) Handshake

ClientKeyExchange

1 6 1519904858.4139 (0.0000) C>SV3.3(1) ChangeCipherSpec

1 7 1519904858.4139 (0.0000) C>SV3.3(40) Handshake

1 8 1519904858.4163 (0.0023) S>CV3.3(1) ChangeCipherSpec

1 9 1519904858.4163 (0.0000) S>CV3.3(40) Handshake

1 1519904858.4577 (0.0413) C>S TCP FIN

1 1519904858.4577 (0.0000) S>C TCP FIN

New TCP connection #2: 192.168.100.22(50814) <-> 10.212.0.26(443)

2 1 1519904858.5034 (0.0422) C>SV3.1(174) Handshake

ClientHello

Version 3.3

random[32]=

6f 4f ed 9e 9d 0a db dc 2d 62 e2 fd 8b 71 ea 3d

d7 43 0c 13 b2 ee 14 0c 25 b1 13 5e fb 6b 01 fb

cipher suites

Unknown value 0x6a6a

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Unknown value 0xcca9

Unknown value 0xcca8

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

compression methods

NULL

2 2 1519904858.5034 (0.0000) S>CV3.3(81) Handshake

ServerHello

Version 3.3

random[32]=

27 ae 3c 36 29 18 9c 06 c4 4e 34 8f 54 55 5d 98

99 20 38 e0 a8 d6 48 3b 47 70 40 31 b1 0c 24 3e

session_id[32]=

5b fe 44 e0 be 12 48 15 63 67 8c 88 47 fa 11 3d

ea ad 91 d9 b0 81 9d 8d 19 c0 8a 82 57 ca a1 8c

cipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384

compressionMethod NULL

2 3 1519904858.5034 (0.0000) S>CV3.3(956) Handshake

Certificate

2 4 1519904858.5034 (0.0000) S>CV3.3(4) Handshake

ServerHelloDone

2 5 1519904858.5484 (0.0449) C>SV3.3(262) Handshake

ClientKeyExchange

2 6 1519904858.5484 (0.0000) C>SV3.3(1) ChangeCipherSpec

2 7 1519904858.5484 (0.0000) C>SV3.3(40) Handshake

2 8 1519904858.5508 (0.0023) S>CV3.3(1) ChangeCipherSpec

2 9 1519904858.5508 (0.0000) S>CV3.3(40) Handshake

2 10 1519904858.5928 (0.0420) C>SV3.3(420) application_data

2 11 1519904858.5986 (0.0057) S>CV3.3(642) application_data

2 1519904858.5986 (0.0000) S>C TCP FIN

2 1519904858.6425 (0.0439) C>S TCP FIN

New TCP connection #3: 192.168.100.22(50815) <-> 10.212.0.26(443)

3 1 1519904858.7176 (0.0504) C>SV3.1(206) Handshake

ClientHello

Version 3.3

random[32]=

91 ea 5e 27 33 22 81 db 8a c1 44 ba b1 35 5d 46

e3 2c 9c 45 13 f7 7c 17 e8 70 d4 72 fa f1 a8 ab

resume [32]=

5b fe 44 e0 be 12 48 15 63 67 8c 88 47 fa 11 3d

ea ad 91 d9 b0 81 9d 8d 19 c0 8a 82 57 ca a1 8c

cipher suites

Unknown value 0x9a9a

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Unknown value 0xcca9

Unknown value 0xcca8

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

compression methods

NULL

3 2 1519904858.7187 (0.0010) S>CV3.3(81) Handshake

ServerHello

Version 3.3

random[32]=

a3 7f 41 59 73 24 83 2e 60 38 a7 ad b1 ff 73 d7

dd 8f 06 a3 60 6a a0 3e 63 6d d2 26 13 34 d2 21

session_id[32]=

5b fe 44 e0 be 12 48 15 63 67 8c 88 47 fa 11 3d

ea ad 91 d9 b0 81 9d 8d 19 c0 8a 82 57 ca a1 8c

cipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384

compressionMethod NULL

3 3 1519904858.7187 (0.0000) S>CV3.3(1) ChangeCipherSpec

3 4 1519904858.7198 (0.0010) S>CV3.3(40) Handshake

3 5 1519904858.7635 (0.0437) C>SV3.3(1) ChangeCipherSpec

3 6 1519904858.7635 (0.0000) C>SV3.3(40) Handshake

3 1519904858.7637 (0.0001) C>S TCP FIN

3 1519904858.7647 (0.0010) S>C TCP FIN

New TCP connection #4: 192.168.100.22(50816) <-> 10.212.0.26(443)

4 1 1519904858.8094 (0.0433) C>SV3.1(206) Handshake

ClientHello

Version 3.3

random[32]=

e1 a2 46 14 ee 43 4e 01 ab d0 7c c3 ca c0 77 e5

72 09 8a 29 51 85 c1 4a 96 79 70 c9 7b be 62 c0

resume [32]=

5b fe 44 e0 be 12 48 15 63 67 8c 88 47 fa 11 3d

ea ad 91 d9 b0 81 9d 8d 19 c0 8a 82 57 ca a1 8c

cipher suites

Unknown value 0xeaea

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Unknown value 0xcca9

Unknown value 0xcca8

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

compression methods

NULL

4 2 1519904858.8094 (0.0000) S>CV3.3(81) Handshake

ServerHello

Version 3.3

random[32]=

a5 72 d9 3c 15 d4 f0 66 5b 33 6c 7b 69 e0 45 3a

78 2c a7 3d 7c 78 7d 42 0e ed 7f ad b7 03 2d d0

session_id[32]=

5b fe 44 e0 be 12 48 15 63 67 8c 88 47 fa 11 3d

ea ad 91 d9 b0 81 9d 8d 19 c0 8a 82 57 ca a1 8c

cipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384

compressionMethod NULL

4 3 1519904858.8094 (0.0000) S>CV3.3(1) ChangeCipherSpec

4 4 1519904858.8104 (0.0010) S>CV3.3(40) Handshake

4 5 1519904858.8515 (0.0410) C>SV3.3(1) ChangeCipherSpec

4 6 1519904858.8515 (0.0000) C>SV3.3(40) Handshake

4 7 1519904858.8525 (0.0010) C>SV3.3(388) application_data

4 8 1519904858.8589 (0.0064) S>CV3.3(1565) application_data

4 9 1519904858.8610 (0.0020) S>CV3.3(1374) application_data

4 10 1519904858.8642 (0.0031) S>CV3.3(1374) application_data

4 11 1519904858.8662 (0.0020) S>CV3.3(1374) application_data

4 12 1519904858.8684 (0.0021) S>CV3.3(1374) application_data

4 13 1519904858.8705 (0.0020) S>CV3.3(1374) application_data

4 14 1519904858.8727 (0.0021) S>CV3.3(1374) application_data

4 15 1519904858.8747 (0.0020) S>CV3.3(1374) application_data

4 16 1519904858.8779 (0.0031) S>CV3.3(1374) application_data

4 17 1519904858.8800 (0.0021) S>CV3.3(1374) application_data

4 18 1519904858.8842 (0.0041) S>CV3.3(2724) application_data

4 19 1519904858.8863 (0.0021) S>CV3.3(1374) application_data

4 20 1519904858.9103 (0.0240) S>CV3.3(2724) application_data

4 21 1519904858.9103 (0.0000) S>CV3.3(1374) application_data

4 22 1519904858.9114 (0.0010) S>CV3.3(2724) application_data

4 23 1519904858.9114 (0.0000) S>CV3.3(2724) application_data

4 24 1519904858.9126 (0.0011) S>CV3.3(2724) application_data

4 25 1519904858.9157 (0.0031) S>CV3.3(2724) application_data

4 26 1519904858.9206 (0.0049) S>CV3.3(454) application_data

4 1519904858.9207 (0.0000) S>C TCP FIN

4 1519904858.9805 (0.0598) C>S TCP FIN

Client tries to connect to port 443 again once the SSL profile has been applied to both client and server side (web server still running on port 80). this produces a conversation with little data being send - See below - Followed by an ssldump of the same connection showing a full ssl handshake followed by a reset as no data has been sent. - next the lets check the internal side

[donald@ltm-t1-1-dc2:Active:Standalone] ~ # tcpdump -r /var/tmp/external_12018-03-01_12\:35\:15.bin

reading from file /var/tmp/external_12018-03-01_12:35:15.bin, link-type EN10MB (Ethernet)

12:35:15.833031 00:00:00:00:00:00 (oui Ethernet) > 00:00:00:00:00:00 (oui Ethernet), ethertype Unknown (0x05ff), length 242:

0x0000: 4635 2d50 7365 7564 6f2d 706b 7400 434d F5-Pseudo-pkt.CM

0x0010: 443a 2074 6370 6475 6d70 202d 6920 766c D:.tcpdump.-i.vl

0x0020: 3531 202d 6e6e 6e20 2d73 3020 2d76 7676 51.-nnn.-s0.-vvv

0x0030: 202d 7720 2f76 6172 2f74 6d70 2f65 7874 .-w./var/tmp/ext

0x0040: 6572 6e61 6c5f 3132 3031 382d 3033 2d30 ernal_12018-03-0

0x0050: 315f 3132 3a33 353a 3135 2e62 696e 2068 1_12:35:15.bin.h

0x0060: 6f73 7420 3139 322e 3136 382e 3130 302e ost.192.168.100.

0x0070: 3232 2061 6e64 2031 302e 3231 322e 302e 22.and.10.212.0.

0x0080: 3236 0056 4552 3a20 3132 2e31 2e33 2e31 26.VER:.12.1.3.1

0x0090: 2030 2e30 2e39 0048 4f53 543a 206c 746d .0.0.9.HOST:.ltm

0x00a0: 2d74 312d 312d 6463 322e 6d67 6d74 2e66 -t1-1-dc2.mgmt.f

0x00b0: 756c 6c70 726f 7879 2d6c 6162 732e 636f ullproxy-labs.co

0x00c0: 2e75 6b00 504c 4154 3a20 5a31 3030 0050 .uk.PLAT:.Z100.P

0x00d0: 524f 443a 2042 4947 2d49 5000 5345 5353 ROD:.BIG-IP.SESS

0x00e0: 3a20 3000 :.0.

12:35:18.384754 IP 192.168.100.22.51091 > 10.212.0.26.https: Flags [S], seq 2907513654, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis=

12:35:18.384819 IP 10.212.0.26.https > 192.168.100.22.51091: Flags [S.], seq 269310390, ack 2907513655, win 4050, options [mss 1460,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.426137 IP 192.168.100.22.51091 > 10.212.0.26.https: Flags [.], ack 1, win 64240, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.427212 IP 192.168.100.22.51091 > 10.212.0.26.https: Flags [P.], seq 1:212, ack 1, win 64240, length 211 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.427322 IP 10.212.0.26.https > 192.168.100.22.51091: Flags [P.], seq 1:93, ack 212, win 4050, length 92 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.428369 IP 10.212.0.26.https > 192.168.100.22.51091: Flags [P.], seq 93:138, ack 212, win 4261, length 45 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.469259 IP 192.168.100.22.51091 > 10.212.0.26.https: Flags [.], ack 138, win 64103, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.469705 IP 192.168.100.22.51091 > 10.212.0.26.https: Flags [P.], seq 212:263, ack 138, win 64103, length 51 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.469713 IP 10.212.0.26.https > 192.168.100.22.51091: Flags [.], ack 263, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.469741 IP 192.168.100.22.51091 > 10.212.0.26.https: Flags [F.], seq 263, ack 138, win 64103, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.469755 IP 10.212.0.26.https > 192.168.100.22.51091: Flags [.], ack 264, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.470794 IP 10.212.0.26.https > 192.168.100.22.51091: Flags [.], ack 264, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.470807 IP 10.212.0.26.https > 192.168.100.22.51091: Flags [F.], seq 138, ack 264, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.471570 IP 192.168.100.22.51092 > 10.212.0.26.https: Flags [S], seq 1493786258, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm1 lis=

12:35:18.471598 IP 10.212.0.26.https > 192.168.100.22.51092: Flags [S.], seq 3274282386, ack 1493786259, win 4050, options [mss 1460,sackOK,eol], length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.512306 IP 192.168.100.22.51091 > 10.212.0.26.https: Flags [.], ack 139, win 64103, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.513446 IP 192.168.100.22.51092 > 10.212.0.26.https: Flags [.], ack 1, win 64240, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.513909 IP 192.168.100.22.51092 > 10.212.0.26.https: Flags [P.], seq 1:212, ack 1, win 64240, length 211 in slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.513925 IP 10.212.0.26.https > 192.168.100.22.51092: Flags [.], ack 212, win 4261, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.514997 IP 10.212.0.26.https > 192.168.100.22.51092: Flags [P.], seq 1:93, ack 212, win 4261, length 92 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.516033 IP 10.212.0.26.https > 192.168.100.22.51092: Flags [P.], seq 93:138, ack 212, win 4261, length 45 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.556428 IP 192.168.100.22.51092 > 10.212.0.26.https: Flags [.], ack 138, win 64103, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.556896 IP 192.168.100.22.51092 > 10.212.0.26.https: Flags [P.], seq 212:263, ack 138, win 64103, length 51 in slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.556904 IP 10.212.0.26.https > 192.168.100.22.51092: Flags [.], ack 263, win 4312, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.557726 IP 10.212.0.26.https > 192.168.100.22.51092: Flags [.], ack 263, win 4312, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.557745 IP 192.168.100.22.51092 > 10.212.0.26.https: Flags [P.], seq 263:688, ack 138, win 64103, length 425 in slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.557763 IP 10.212.0.26.https > 192.168.100.22.51092: Flags [.], ack 688, win 4737, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.560413 IP 10.212.0.26.https > 192.168.100.22.51092: Flags [R.], seq 138, ack 688, win 0, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.711438 IP 192.168.100.22.51093 > 10.212.0.26.https: Flags [S], seq 564701516, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis=

12:35:18.711487 IP 10.212.0.26.https > 192.168.100.22.51093: Flags [S.], seq 3707234989, ack 564701517, win 4050, options [mss 1460,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.752134 IP 192.168.100.22.51093 > 10.212.0.26.https: Flags [.], ack 1, win 64240, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.752806 IP 192.168.100.22.51093 > 10.212.0.26.https: Flags [P.], seq 1:212, ack 1, win 64240, length 211 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.752856 IP 10.212.0.26.https > 192.168.100.22.51093: Flags [P.], seq 1:93, ack 212, win 4050, length 92 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.753887 IP 10.212.0.26.https > 192.168.100.22.51093: Flags [P.], seq 93:138, ack 212, win 4261, length 45 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.795159 IP 192.168.100.22.51093 > 10.212.0.26.https: Flags [.], ack 138, win 64103, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.795335 IP 192.168.100.22.51093 > 10.212.0.26.https: Flags [P.], seq 212:263, ack 138, win 64103, length 51 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.795343 IP 10.212.0.26.https > 192.168.100.22.51093: Flags [.], ack 263, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.795377 IP 192.168.100.22.51093 > 10.212.0.26.https: Flags [F.], seq 263, ack 138, win 64103, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.795393 IP 10.212.0.26.https > 192.168.100.22.51093: Flags [.], ack 264, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.796426 IP 10.212.0.26.https > 192.168.100.22.51093: Flags [.], ack 264, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.796438 IP 10.212.0.26.https > 192.168.100.22.51093: Flags [F.], seq 138, ack 264, win 4312, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.797681 IP 192.168.100.22.51094 > 10.212.0.26.https: Flags [S], seq 2722333784, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm1 lis=

12:35:18.797707 IP 10.212.0.26.https > 192.168.100.22.51094: Flags [S.], seq 1276667065, ack 2722333785, win 4050, options [mss 1460,sackOK,eol], length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.837247 IP 192.168.100.22.51093 > 10.212.0.26.https: Flags [.], ack 139, win 64103, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:35:18.839021 IP 192.168.100.22.51094 > 10.212.0.26.https: Flags [.], ack 1, win 64240, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.839454 IP 192.168.100.22.51094 > 10.212.0.26.https: Flags [P.], seq 1:212, ack 1, win 64240, length 211 in slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.839471 IP 10.212.0.26.https > 192.168.100.22.51094: Flags [.], ack 212, win 4261, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.840528 IP 10.212.0.26.https > 192.168.100.22.51094: Flags [P.], seq 1:93, ack 212, win 4261, length 92 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.841567 IP 10.212.0.26.https > 192.168.100.22.51094: Flags [P.], seq 93:138, ack 212, win 4261, length 45 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.882063 IP 192.168.100.22.51094 > 10.212.0.26.https: Flags [.], ack 138, win 64103, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.882513 IP 192.168.100.22.51094 > 10.212.0.26.https: Flags [P.], seq 212:263, ack 138, win 64103, length 51 in slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.882519 IP 10.212.0.26.https > 192.168.100.22.51094: Flags [.], ack 263, win 4312, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.883341 IP 10.212.0.26.https > 192.168.100.22.51094: Flags [.], ack 263, win 4312, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.883357 IP 192.168.100.22.51094 > 10.212.0.26.https: Flags [P.], seq 263:714, ack 138, win 64103, length 451 in slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.883373 IP 10.212.0.26.https > 192.168.100.22.51094: Flags [.], ack 714, win 4763, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

12:35:18.885895 IP 10.212.0.26.https > 192.168.100.22.51094: Flags [R.], seq 138, ack 714, win 0, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

[donald@ltm-t1-1-dc2:Active:Standalone] ~ # ssldump -AedH -i vl51 host 192.168.100.22

New TCP connection #1: 192.168.100.22(51070) <-> 10.212.0.26(443)

1 1 1519907670.1946 (0.0415) C>SV3.1(206) Handshake

ClientHello

Version 3.3

random[32]=

03 62 de 12 86 d3 db aa 54 40 61 d5 03 4d 83 a5

07 8c a8 ce 5b 9f 5f d0 11 69 f4 5e b3 a9 44 3f

resume [32]=

04 93 d6 3c 78 76 6a c1 2c 9b 3c 85 20 ff 52 89

15 f2 65 e9 f7 d6 f9 75 36 54 99 4f 70 0f 22 19

cipher suites

Unknown value 0xa0a

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Unknown value 0xcca9

Unknown value 0xcca8

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

compression methods

NULL

1 2 1519907670.1957 (0.0011) S>CV3.3(81) Handshake

ServerHello

Version 3.3

random[32]=

3a c3 8b ba 3e 00 7a 72 ee 5c c2 5b 22 da 42 1f

02 9d 26 26 c4 99 b2 5d 04 05 cf 94 cb b3 c2 54

session_id[32]=

04 93 d6 3c 78 76 6a c1 2c 9b 3c 85 20 ff 52 89

15 f2 65 e9 f7 d6 f9 75 36 54 99 4f 70 0f 22 19

cipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384

compressionMethod NULL

1 3 1519907670.1957 (0.0000) S>CV3.3(1) ChangeCipherSpec

1 4 1519907670.1967 (0.0010) S>CV3.3(40) Handshake

1 5 1519907670.2402 (0.0435) C>SV3.3(1) ChangeCipherSpec

1 6 1519907670.2402 (0.0000) C>SV3.3(40) Handshake

1 1519907670.2406 (0.0003) C>S TCP FIN

1 1519907670.2406 (0.0000) S>C TCP FIN

New TCP connection #2: 192.168.100.22(51071) <-> 10.212.0.26(443)

2 1 1519907670.2835 (0.0418) C>SV3.1(206) Handshake

ClientHello

Version 3.3

random[32]=

94 52 95 2a c2 b8 4c d7 c5 e5 2c 5c b2 0a 91 38

2b cb 47 ef 1f e3 f9 25 c4 ba 11 3a 3b 2d 4c 8b

resume [32]=

04 93 d6 3c 78 76 6a c1 2c 9b 3c 85 20 ff 52 89

15 f2 65 e9 f7 d6 f9 75 36 54 99 4f 70 0f 22 19

cipher suites

Unknown value 0x9a9a

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Unknown value 0xcca9

Unknown value 0xcca8

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

compression methods

NULL

2 2 1519907670.2836 (0.0000) S>CV3.3(81) Handshake

ServerHello

Version 3.3

random[32]=

b4 07 84 6a 48 40 3e 56 8c 2e 71 0f a5 46 17 d1

fd 2f fe 03 9e ce 11 a5 74 b9 36 e1 11 02 5c cf

session_id[32]=

04 93 d6 3c 78 76 6a c1 2c 9b 3c 85 20 ff 52 89

15 f2 65 e9 f7 d6 f9 75 36 54 99 4f 70 0f 22 19

cipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384

compressionMethod NULL

2 3 1519907670.2836 (0.0000) S>CV3.3(1) ChangeCipherSpec

2 4 1519907670.2842 (0.0005) S>CV3.3(40) Handshake

2 5 1519907670.3254 (0.0412) C>SV3.3(1) ChangeCipherSpec

2 6 1519907670.3254 (0.0000) C>SV3.3(40) Handshake

2 7 1519907670.3260 (0.0006) C>SV3.3(420) application_data

2 1519907670.3287 (0.0026) S>C TCP RST

New TCP connection #3: 192.168.100.22(51072) <-> 10.212.0.26(443)

3 1 1519907670.5215 (0.0415) C>SV3.1(206) Handshake

ClientHello

Version 3.3

random[32]=

4f 8e cd 0a aa 7a 92 24 47 0b 5b 06 53 60 0c 32

9f 2c 1f a6 e1 30 7e c1 97 27 86 3b 77 f9 93 69

resume [32]=

04 93 d6 3c 78 76 6a c1 2c 9b 3c 85 20 ff 52 89

15 f2 65 e9 f7 d6 f9 75 36 54 99 4f 70 0f 22 19

cipher suites

Unknown value 0x4a4a

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Unknown value 0xcca9

Unknown value 0xcca8

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

compression methods

NULL

3 2 1519907670.5226 (0.0010) S>CV3.3(81) Handshake

ServerHello

Version 3.3

random[32]=

a3 0e 13 4a cf 5d 9e 80 5e 3b 22 32 2a 45 8c 08

d3 2e 67 51 ea 9b 1d 74 65 5f 6b b0 a4 3b 0e 05

session_id[32]=

04 93 d6 3c 78 76 6a c1 2c 9b 3c 85 20 ff 52 89

15 f2 65 e9 f7 d6 f9 75 36 54 99 4f 70 0f 22 19

cipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384

compressionMethod NULL

3 3 1519907670.5226 (0.0000) S>CV3.3(1) ChangeCipherSpec

3 4 1519907670.5237 (0.0010) S>CV3.3(40) Handshake

3 5 1519907670.5672 (0.0435) C>SV3.3(1) ChangeCipherSpec

3 6 1519907670.5672 (0.0000) C>SV3.3(40) Handshake

3 1519907670.5677 (0.0004) C>S TCP FIN

3 1519907670.5688 (0.0010) S>C TCP FIN

New TCP connection #4: 192.168.100.22(51073) <-> 10.212.0.26(443)

4 1 1519907670.6111 (0.0423) C>SV3.1(206) Handshake

ClientHello

Version 3.3

random[32]=

7a ca 0d 48 0e 24 10 df 73 38 b9 89 e6 dd 10 fc

1c 4e f3 1a 68 b2 97 16 17 f3 6c ce d4 82 ea b7

resume [32]=

04 93 d6 3c 78 76 6a c1 2c 9b 3c 85 20 ff 52 89

15 f2 65 e9 f7 d6 f9 75 36 54 99 4f 70 0f 22 19

cipher suites

Unknown value 0x7a7a

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Unknown value 0xcca9

Unknown value 0xcca8

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

compression methods

NULL

4 2 1519907670.6111 (0.0000) S>CV3.3(81) Handshake

ServerHello

Version 3.3

random[32]=

5e 09 e8 b7 09 dd 55 0e 63 3f 76 74 ae b0 1d 0d

64 00 29 a3 25 71 99 2e 1b 3b 33 cf 63 c5 b3 0f

session_id[32]=

04 93 d6 3c 78 76 6a c1 2c 9b 3c 85 20 ff 52 89

15 f2 65 e9 f7 d6 f9 75 36 54 99 4f 70 0f 22 19

cipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384

compressionMethod NULL

4 3 1519907670.6111 (0.0000) S>CV3.3(1) ChangeCipherSpec

4 4 1519907670.6122 (0.0010) S>CV3.3(40) Handshake

4 5 1519907670.6531 (0.0409) C>SV3.3(1) ChangeCipherSpec

4 6 1519907670.6531 (0.0000) C>SV3.3(40) Handshake

4 7 1519907670.6540 (0.0009) C>SV3.3(446) application_data

4 1519907670.6570 (0.0030) S>C TCP RST

Client tries to connect to port 443 again once the SSL profile has been applied to both client and server side (web server still running on port 80). this produces a short conversation ending with a reset, signaling an error - See below - Followed by an ssldump of the same connection showing failure as the client (the F5) is trying to start and ssl handshake with a server on port 80 (unencrypted)

[donald@ltm-t1-1-dc2:Active:Standalone] ~ # tcpdump -r /var/tmp/internal_12018-03-01_12\:48\:57.bin

reading from file /var/tmp/internal_12018-03-01_12:48:57.bin, link-type EN10MB (Ethernet)

12:48:57.173959 00:00:00:00:00:00 (oui Ethernet) > 00:00:00:00:00:00 (oui Ethernet), ethertype Unknown (0x05ff), length 241:

0x0000: 4635 2d50 7365 7564 6f2d 706b 7400 434d F5-Pseudo-pkt.CM

0x0010: 443a 2074 6370 6475 6d70 202d 6920 766c D:.tcpdump.-i.vl

0x0020: 3231 3032 202d 6e6e 6e20 2d73 3020 2d76 2102.-nnn.-s0.-v

0x0030: 7676 202d 7720 2f76 6172 2f74 6d70 2f69 vv.-w./var/tmp/i

0x0040: 6e74 6572 6e61 6c5f 3132 3031 382d 3033 nternal_12018-03

0x0050: 2d30 315f 3132 3a34 383a 3537 2e62 696e -01_12:48:57.bin

0x0060: 2068 6f73 7420 3130 2e31 3032 2e30 2e31 .host.10.102.0.1

0x0070: 3020 616e 6420 3130 2e31 3032 2e30 2e32 0.and.10.102.0.2

0x0080: 3600 5645 523a 2031 322e 312e 332e 3120 6.VER:.12.1.3.1.

0x0090: 302e 302e 3900 484f 5354 3a20 6c74 6d2d 0.0.9.HOST:.ltm-

0x00a0: 7431 2d31 2d64 6332 2e6d 676d 742e 6675 t1-1-dc2.mgmt.fu

0x00b0: 6c6c 7072 6f78 792d 6c61 6273 2e63 6f2e llproxy-labs.co.

0x00c0: 756b 0050 4c41 543a 205a 3130 3000 5052 uk.PLAT:.Z100.PR

0x00d0: 4f44 3a20 4249 472d 4950 0053 4553 533a OD:.BIG-IP.SESS:

0x00e0: 2030 00 .0.

12:49:35.271751 IP 10.102.0.10.28162 > 10.102.0.26.http: Flags [S], seq 484841221, win 4050, options [mss 1350,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:49:35.271904 IP 10.102.0.26.http > 10.102.0.10.28162: Flags [S.], seq 1085124411, ack 484841222, win 4380, options [mss 1460,nop,nop,sackOK], length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:49:35.271910 IP 10.102.0.10.28162 > 10.102.0.26.http: Flags [.], ack 1, win 4050, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:49:35.271919 IP 10.102.0.10.28162 > 10.102.0.26.http: Flags [P.], seq 1:143, ack 1, win 4050, length 142: HTTP out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:49:35.273104 IP 10.102.0.26.http > 10.102.0.10.28162: Flags [.], ack 143, win 5360, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:49:35.273266 IP 10.102.0.26.http > 10.102.0.10.28162: Flags [P.], seq 1:225, ack 143, win 5360, length 224: HTTP: HTTP/1.0 400 Bad Request in slot1/tmm0 lis=/Common/Slitaz-Redirector

12:49:35.273299 IP 10.102.0.10.28162 > 10.102.0.26.http: Flags [P.], seq 143:150, ack 225, win 4050, length 7: HTTP out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:49:35.273319 IP 10.102.0.10.28162 > 10.102.0.26.http: Flags [R.], seq 150, ack 225, win 0, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

12:49:35.274348 IP 10.102.0.26.http > 10.102.0.10.28162: Flags [F.], seq 225, ack 143, win 5360, length 0 in slot1/tmm0 lis=

12:49:35.274389 IP 10.102.0.10.28162 > 10.102.0.26.http: Flags [R.], seq 143, ack 226, win 0, length 0 out slot1/tmm0 lis=

12:49:35.274510 IP 10.102.0.26.http > 10.102.0.10.28162: Flags [R], seq 1085124636, win 0, length 0 in slot1/tmm0 lis=

[donald@ltm-t1-1-dc2:Active:Standalone] ~ # ssldump -AedH -i vl2102 host 10.102.0.10

New TCP connection #1: 10.102.0.10(42606) <-> 10.102.0.26(80)

1 1 1519908883.3629 (0.0001) C>SV3.1(137) Handshake

ClientHello

Version 3.3

random[32]=

55 01 96 b5 03 b1 3c a6 a3 32 0f a2 a8 b6 29 7a

90 65 3c b5 d9 29 da 54 54 cf f5 76 ed 6d 77 35

cipher suites

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_EMPTY_RENEGOTIATION_INFO_SCSV

compression methods

NULL

Unknown SSL content type 72

1 2 1519908883.3643 (0.0013) S>CShort record

1 1519908883.3643 (0.0000) S>C TCP FIN

1 3 1519908883.3643 (0.0000) C>SV3.1(2) Alert

level fatal

value handshake_failure

1 1519908883.3643 (0.0000) C>S TCP RST

Client tries to connect to port 443 again, the web server is now running on port 443. This produces a normal conversation - See below - Followed by an ssldump of the same connection showing the client (the F5) establishing a successful ssl handshake with a server on port 443

[donald@ltm-t1-1-dc2:Active:Standalone] ~ # tcpdump -r /var/tmp/internal_42018-03-01_16\:13\:10.bin

reading from file /var/tmp/internal_42018-03-01_16:13:10.bin, link-type EN10MB (Ethernet)

16:13:11.003644 00:00:00:00:00:00 (oui Ethernet) > 00:00:00:00:00:00 (oui Ethernet), ethertype Unknown (0x05ff), length 262:

0x0000: 4635 2d50 7365 7564 6f2d 706b 7400 434d F5-Pseudo-pkt.CM

0x0010: 443a 2074 6370 6475 6d70 202d 6920 766c D:.tcpdump.-i.vl

0x0020: 3231 3032 202d 6e6e 6e20 2d73 3020 2d76 2102.-nnn.-s0.-v

0x0030: 7676 202d 7720 2f76 6172 2f74 6d70 2f69 vv.-w./var/tmp/i

0x0040: 6e74 6572 6e61 6c5f 3432 3031 382d 3033 nternal_42018-03

0x0050: 2d30 315f 3136 3a31 333a 3130 2e62 696e -01_16:13:10.bin

0x0060: 206e 6574 2031 302e 3130 322e 302e 302f .net.10.102.0.0/

0x0070: 3234 2061 6e64 206e 6f74 2068 6f73 7420 24.and.not.host.

0x0080: 3130 2e31 3032 2e30 2e31 2061 6e64 206e 10.102.0.1.and.n

0x0090: 6f74 2061 7270 0056 4552 3a20 3132 2e31 ot.arp.VER:.12.1

0x00a0: 2e33 2e31 2030 2e30 2e39 0048 4f53 543a .3.1.0.0.9.HOST:

0x00b0: 206c 746d 2d74 312d 312d 6463 322e 6d67 .ltm-t1-1-dc2.mg

0x00c0: 6d74 2e66 756c 6c70 726f 7879 2d6c 6162 mt.fullproxy-lab

0x00d0: 732e 636f 2e75 6b00 504c 4154 3a20 5a31 s.co.uk.PLAT:.Z1

0x00e0: 3030 0050 524f 443a 2042 4947 2d49 5000 00.PROD:.BIG-IP.

0x00f0: 5345 5353 3a20 3000 SESS:.0.

16:13:21.166355 IP 10.102.0.20.53516 > 10.102.0.34.https: Flags [S], seq 465669175, win 4050, options [mss 1350,sackOK,eol], length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.166475 IP 10.102.0.34.https > 10.102.0.20.53516: Flags [S.], seq 256616424, ack 465669176, win 29200, options [mss 1460,nop,nop,sackOK], length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.166482 IP 10.102.0.20.53516 > 10.102.0.34.https: Flags [.], ack 1, win 4050, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.166499 IP 10.102.0.20.53516 > 10.102.0.34.https: Flags [P.], seq 1:143, ack 1, win 4050, length 142 out slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.167582 IP 10.102.0.34.https > 10.102.0.20.53516: Flags [.], ack 143, win 30016, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.171861 IP 10.102.0.34.https > 10.102.0.20.53516: Flags [.], seq 1:1351, ack 143, win 30016, length 1350 in slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.171865 IP 10.102.0.34.https > 10.102.0.20.53516: Flags [P.], seq 1351:1599, ack 143, win 30016, length 248 in slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.172963 IP 10.102.0.20.53516 > 10.102.0.34.https: Flags [.], ack 1599, win 5648, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.182784 IP 10.102.0.20.53516 > 10.102.0.34.https: Flags [P.], seq 143:416, ack 1599, win 5648, length 273 out slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.182822 IP 10.102.0.20.53516 > 10.102.0.34.https: Flags [P.], seq 416:461, ack 1599, win 5648, length 45 out slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.186188 IP 10.102.0.34.https > 10.102.0.20.53516: Flags [.], ack 461, win 31088, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.186191 IP 10.102.0.34.https > 10.102.0.20.53516: Flags [P.], seq 1599:1650, ack 461, win 31088, length 51 in slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.186197 IP 10.102.0.20.53516 > 10.102.0.34.https: Flags [.], ack 1650, win 5699, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.186476 IP 10.102.0.20.53516 > 10.102.0.34.https: Flags [.], ack 1650, win 5699, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.186505 IP 10.102.0.20.53516 > 10.102.0.34.https: Flags [P.], seq 461:886, ack 1650, win 5699, length 425 out slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.187052 IP 10.102.0.34.https > 10.102.0.20.53516: Flags [P.], seq 1650:2308, ack 886, win 32160, length 658 in slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:21.187061 IP 10.102.0.20.53516 > 10.102.0.34.https: Flags [.], ack 2308, win 6357, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:26.129438 IP 10.102.0.34.https > 10.102.0.20.53516: Flags [P.], seq 2308:2339, ack 886, win 32160, length 31 in slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:26.129445 IP 10.102.0.34.https > 10.102.0.20.53516: Flags [F.], seq 2339, ack 886, win 32160, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:26.129462 IP 10.102.0.20.53516 > 10.102.0.34.https: Flags [.], ack 2339, win 6388, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:26.129467 IP 10.102.0.20.53516 > 10.102.0.34.https: Flags [F.], seq 886, ack 2339, win 6388, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:26.129474 IP 10.102.0.20.53516 > 10.102.0.34.https: Flags [.], ack 2340, win 6388, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

16:13:26.130570 IP 10.102.0.34.https > 10.102.0.20.53516: Flags [.], ack 887, win 32160, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

SSLdump

donald@ltm-t1-1-dc2:Active:Standalone] ~ # ssldump -Aed -i vl2102 net 10.102.0.0/24

New TCP connection #1: 10.102.0.14(53666) <-> 10.102.0.34(443)

1 1 1519921352.3464 (0.0002) C>SV3.1(137) Handshake

ClientHello

Version 3.3

random[32]=

38 d5 85 07 22 41 3f 64 3f ce 23 62 fd 24 10 c7

84 0d 74 a5 f6 3e bf 59 c1 92 7e 09 82 74 55 29

cipher suites

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_EMPTY_RENEGOTIATION_INFO_SCSV

compression methods

NULL

1 2 1519921352.3554 (0.0090) S>CV3.3(81) Handshake

ServerHello

Version 3.3

random[32]=

9e f3 c6 fd 39 5c 53 50 6c 18 92 d9 cb 8f 28 98

00 e0 c5 9a 19 33 ce f8 30 99 97 3e 9d 4a 34 03

session_id[32]=

d9 2a 52 bf 6b 77 0d 50 d0 9b c5 30 d1 82 4f 0d

74 92 a6 90 c4 c7 95 4b b1 9a 12 33 ce ae 42 bf

cipherSuite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

compressionMethod NULL

1 3 1519921352.3554 (0.0000) S>CV3.3(710) Handshake

Certificate

1 4 1519921352.3564 (0.0010) S>CV3.3(783) Handshake

ServerKeyExchange

1 5 1519921352.3564 (0.0000) S>CV3.3(4) Handshake

ServerHelloDone

1 6 1519921352.3663 (0.0098) C>SV3.3(262) Handshake

ClientKeyExchange

1 7 1519921352.3663 (0.0000) C>SV3.3(1) ChangeCipherSpec

1 8 1519921352.3663 (0.0000) C>SV3.3(40) Handshake

1 9 1519921352.3735 (0.0071) S>CV3.3(1) ChangeCipherSpec

1 10 1519921352.3735 (0.0000) S>CV3.3(40) Handshake

1 11 1519921352.3745 (0.0010) C>SV3.3(446) application_data

1 12 1519921352.3752 (0.0006) S>CV3.3(361) application_data

1 13 1519921352.3752 (0.0000) S>CV3.3(250) application_data

1 14 1519921352.3752 (0.0000) S>CV3.3(32) application_data

New TCP connection #2: 10.102.0.1(52179) <-> 10.102.0.34(443)

Back to an unencrypted connection external and internal conversation between the PC<-80->F5(snat REMOVED)<-80->WebServer

This show the client 192.168.100.22 talking to the F5 10.212.0.26 then the webserver responding directly back through the F5, as the webserver has a default gateway of the F5 selfIP

[donald@ltm-t1-1-dc2:Active:Standalone] ~ # tcpdump -i 0.0 host 192.168.100.22 -nnn

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes

19:57:25.690711 IP 192.168.100.22.56099 > 10.212.0.26.80: Flags [S], seq 1689317203, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm1 lis=

19:57:25.690809 IP 10.212.0.26.80 > 192.168.100.22.56099: Flags [S.], seq 4240572499, ack 1689317204, win 4050, options [mss 1460,sackOK,eol], length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.731359 IP 192.168.100.22.56099 > 10.212.0.26.80: Flags [.], ack 1, win 64240, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.731911 IP 192.168.100.22.56099 > 10.212.0.26.80: Flags [P.], seq 1:469, ack 1, win 64240, length 468: HTTP: GET / HTTP/1.1 in slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.731940 IP 192.168.100.22.56099 > 10.102.0.26.80: Flags [S], seq 3095608729, win 4050, options [mss 1350,sackOK,eol], length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.731943 IP 10.212.0.26.80 > 192.168.100.22.56099: Flags [.], ack 469, win 4518, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.732486 IP 10.102.0.26.80 > 192.168.100.22.56099: Flags [S.], seq 4180300829, ack 3095608730, win 4380, options [mss 1460,nop,nop,sackOK], length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.732492 IP 192.168.100.22.56099 > 10.102.0.26.80: Flags [.], ack 1, win 4050, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.732499 IP 192.168.100.22.56099 > 10.102.0.26.80: Flags [P.], seq 1:469, ack 1, win 4050, length 468: HTTP: GET / HTTP/1.1 out slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.733029 IP 10.102.0.26.80 > 192.168.100.22.56099: Flags [.], ack 469, win 5360, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.733299 IP 10.102.0.26.80 > 192.168.100.22.56099: Flags [P.], seq 1:190, ack 469, win 5360, length 189: HTTP: HTTP/1.0 200 OK in slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.733301 IP 10.102.0.26.80 > 192.168.100.22.56099: Flags [FP.], seq 190:619, ack 469, win 5360, length 429: HTTP in slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.733310 IP 192.168.100.22.56099 > 10.102.0.26.80: Flags [.], ack 190, win 4239, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.733313 IP 10.212.0.26.80 > 192.168.100.22.56099: Flags [P.], seq 1:619, ack 469, win 4518, length 618: HTTP: HTTP/1.0 200 OK out slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.733317 IP 192.168.100.22.56099 > 10.102.0.26.80: Flags [.], ack 620, win 4668, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.733320 IP 10.212.0.26.80 > 192.168.100.22.56099: Flags [F.], seq 619, ack 469, win 4518, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.778748 IP 192.168.100.22.56099 > 10.212.0.26.80: Flags [.], ack 1, win 64240, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.779529 IP 192.168.100.22.56099 > 10.212.0.26.80: Flags [.], ack 620, win 63622, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.780833 IP 192.168.100.22.56099 > 10.212.0.26.80: Flags [F.], seq 469, ack 620, win 63622, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.780839 IP 10.212.0.26.80 > 192.168.100.22.56099: Flags [.], ack 470, win 4518, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.780842 IP 192.168.100.22.56099 > 10.102.0.26.80: Flags [F.], seq 469, ack 620, win 4668, length 0 out slot1/tmm1 lis=/Common/Slitaz-Redirector

19:57:25.781375 IP 10.102.0.26.80 > 192.168.100.22.56099: Flags [.], ack 470, win 5360, length 0 in slot1/tmm1 lis=/Common/Slitaz-Redirector

Same conversation as above between the PC<-80->F5(snat REMOVED)<-80->WebServer, although this time the server doesn't have a gateway of the F5.

Notice the 3 syn packets coming from the PC, this is the packet from the internal side of the F5 sending a packet to the webserver although it doesn't see the reply as there is no NAT and the webserver doesn't have a default gateway of the F5

[donald@ltm-t1-1-dc2:Active:Standalone] ~ # tcpdump -i 0.0 host 192.168.100.22 -nnn

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes

20:15:30.912523 IP 192.168.100.22.56358 > 10.212.0.26.80: Flags [S], seq 4159471861, win 64240, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm0 lis=

20:15:30.912585 IP 10.212.0.26.80 > 192.168.100.22.56358: Flags [S.], seq 4181511221, ack 4159471862, win 4050, options [mss 1460,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

20:15:30.955758 IP 192.168.100.22.56358 > 10.212.0.26.80: Flags [.], ack 1, win 64240, length 0 in slot1/tmm0 lis=/Common/Slitaz-Redirector

20:15:30.956317 IP 192.168.100.22.56358 > 10.212.0.26.80: Flags [P.], seq 1:469, ack 1, win 64240, length 468: HTTP: GET / HTTP/1.1 in slot1/tmm0 lis=/Common/Slitaz-Redirector

20:15:30.956417 IP 192.168.100.22.56358 > 10.102.0.26.80: Flags [S], seq 748625133, win 4050, options [mss 1350,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

20:15:30.956427 IP 10.212.0.26.80 > 192.168.100.22.56358: Flags [.], ack 469, win 4518, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

20:15:33.956597 IP 192.168.100.22.56358 > 10.102.0.26.80: Flags [S], seq 748625133, win 4050, options [mss 1350,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

20:15:36.956848 IP 192.168.100.22.56358 > 10.102.0.26.80: Flags [S], seq 748625133, win 4050, options [mss 1350,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

20:15:39.956761 IP 192.168.100.22.56358 > 10.102.0.26.80: Flags [S], seq 748625133, win 4050, options [mss 1350,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

20:15:42.956867 IP 10.212.0.26.80 > 192.168.100.22.56358: Flags [R.], seq 1, ack 469, win 0, length 0 out slot1/tmm0 lis=/Common/Slitaz-Redirector

F5 cli upgrade

posted 25 Feb 2018, 10:06 by Donald Ross [ updated 3 Apr 2018, 07:52 ]

scp -r BIGIP-12.1.3.1-0.0.9.iso donald@172.16.51.15:/shared/images

tmsh

install sys software image BIGIP-12.1.3.1-0.0.9.iso create-volume volume HD1.3

tmsh show sys software

tailf /var/log/liveinstall.log

bash

switchboot -b HD1.3

tmsh

reboot volume HD1.3

Usefull Linux Commands

posted 30 Jan 2018, 12:41 by Donald Ross

COMMAND	DESCRIPTION
`netstat -tulpn`	Show Linux network ports with process ID’s (PIDs)
`watch ss -stplu`	Watch TCP, UDP open ports in real time with socket summary.
`lsof -i`	Show established connections.
`macchanger -m MACADDR INTR`	Change MAC address on KALI Linux.
`ifconfig eth0 192.168.2.1/24`	Set IP address in Linux.
`ifconfig eth0:1 192.168.2.3/24`	Add IP address to existing network interface in Linux.
`ifconfig eth0 hw ether MACADDR`	Change MAC address in Linux using ifconfig.
`ifconfig eth0 mtu 1500`	Change MTU size Linux using ifconfig, change 1500 to your desired MTU.
`dig -x 192.168.1.1`	Dig reverse lookup on an IP address.
`host 192.168.1.1`	Reverse lookup on an IP address, in case dig is not installed.
`dig @192.168.2.2 domain.com -t AXFR`	Perform a DNS zone transfer using dig.
`host -l domain.com nameserver`	Perform a DNS zone transfer using host.
`nbtstat -A x.x.x.x`	Get hostname for IP address.
`ip addr add 192.168.2.22/24 dev eth0`	Adds a hidden IP address to Linux, does not show up when performing an ifconfig.
`tcpkill -9 host google.com`	Blocks access to google.com from the host machine.
`echo "1" > /proc/sys/net/ipv4/ip_forward`	Enables IP forwarding, turns Linux box into a router – handy for routing traffic through a box.
`echo "8.8.8.8" > /etc/resolv.conf`	Use Google DNS.

System Information Commands

Useful for local enumeration.

COMMAND	DESCRIPTION
`whoami`	Shows currently logged in user on Linux.
`id`	Shows currently logged in user and groups for the user.
`last`	Shows last logged in users.
`mount`	Show mounted drives.
`df -h`	Shows disk usage in human readable output.
`echo "user:passwd" \| chpasswd`	Reset password in one line.
`getent passwd`	List users on Linux.
`strings /usr/local/bin/blah`	Shows contents of none text files, e.g. whats in a binary.
`uname -ar`	Shows running kernel version.
`PATH=$PATH:/my/new-path`	Add a new PATH, handy for local FS manipulation.
`history`	Show bash history, commands the user has entered previously

COMMAND	DESCRIPTION
`cat /etc/debian_version`	Shows Debian version number.
*`cat /etc/-release`**	Shows Ubuntu version number.
`dpkg -l`	List all installed packages on Debian / .deb based Linux distro.

Linux User Management

COMMAND	DESCRIPTION
`useradd new-user`	Creates a new Linux user.
`passwd username`	Reset Linux user password, enter just `passwd` if you are root.
`deluser username`	Remove a Linux user.

Linux Decompression Commands

How to extract various archives (tar, zip, gzip, bzip2 etc) on Linux and some other tricks for searching inside of archives etc.

COMMAND	DESCRIPTION
`unzip archive.zip`	Extracts zip file on Linux.
*`zipgrep .txt archive.zip`**	Search inside a .zip archive.
`tar xf archive.tar`	Extract tar file Linux.
`tar xvzf archive.tar.gz`	Extract a tar.gz file Linux.
`tar xjf archive.tar.bz2`	Extract a tar.bz2 file Linux.
`tar ztvf file.tar.gz \| grep blah`	Search inside a tar.gz file.
`gzip -d archive.gz`	Extract a gzip file Linux.
`zcat archive.gz`	Read a gz file Linux without decompressing.
`zless archive.gz`	Same function as the `less` command for .gz archives.
*`zgrep 'blah' /var/log/maillog.gz`**	Search inside .gz archives on Linux, search inside of compressed log files.
`vim file.txt.gz`	Use vim to read .txt.gz files (my personal favorite).
`upx -9 -o output.exe input.exe`	UPX compress .exe file Linux.

Linux Compression Commands

COMMAND	DESCRIPTION
*`zip -r file.zip /dir/`**	Creates a .zip file on Linux.
`tar cf archive.tar files`	Creates a tar file on Linux.
`tar czf archive.tar.gz files`	Creates a tar.gz file on Linux.
`tar cjf archive.tar.bz2 files`	Creates a tar.bz2 file on Linux.
`gzip file`	Creates a file.gz file on Linux.

Linux File Commands

COMMAND	DESCRIPTION
`df -h blah`	Display size of file / dir Linux.
`diff file1 file2`	Compare / Show differences between two files on Linux.
`md5sum file`	Generate MD5SUM Linux.
`md5sum -c blah.iso.md5`	Check file against MD5SUM on Linux, assuming both file and .md5 are in the same dir.
`file blah`	Find out the type of file on Linux, also displays if file is 32 or 64 bit.
`dos2unix`	Convert Windows line endings to Unix / Linux.
`base64 < input-file > output-file`	Base64 encodes input file and outputs a Base64 encoded file called output-file.
`base64 -d < input-file > output-file`	Base64 decodes input file and outputs a Base64 decoded file called output-file.
`touch -r ref-file new-file`	Creates a new file using the timestamp data from the reference file, drop the -r to simply create a file.
`rm -rf`	Remove files and directories without prompting for confirmation.

Samba Commands

Connect to a Samba share from Linux.

$ smbmount //server/share /mnt/win -o user=username,password=password1
$ smbclient -U user \\\\server\\share
$ mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share

Breaking Out of Limited Shells

Credit to G0tmi1k for these (or wherever he stole them from!).

The Python trick:

python -c 'import pty;pty.spawn("/bin/bash")'

echo os.system('/bin/bash')

/bin/sh -i

Misc Commands

COMMAND	DESCRIPTION
`init 6`	Reboot Linux from the command line.
`gcc -o output.c input.c`	Compile C code.
`gcc -m32 -o output.c input.c`	Cross compile C code, compile 32 bit binary on 64 bit Linux.
`unset HISTORYFILE`	Disable bash history logging.
`rdesktop X.X.X.X`	Connect to RDP server from Linux.
`kill -9 $$`	Kill current session.
`chown user:group blah`	Change owner of file or dir.
`chown -R user:group blah`	Change owner of file or dir and all underlying files / dirs – recersive chown.
`chmod 600 file`	Change file / dir permissions, see [Linux File System Permissons](#linux-file-system-permissions) for details.

Clear bash history:

      $ ssh user@X.X.X.X | cat /dev/null > ~/.bash_history

Linux File System Permissions

VALUE	MEANING
`777`	`rwxrwxrwx` No restriction, global WRX any user can do anything.
`755`	`rwxr-xr-x` Owner has full access, others can read and execute the file.
`700`	`rwx------` Owner has full access, no one else has access.
`666`	`rw-rw-rw-` All users can read and write but not execute.
`644`	`rw-r--r--` Owner can read and write, everyone else can read.
`600`	`rw-------` Owner can read and write, everyone else has no access.

DIRECTORY DESCRIPTION
`/` / also know as “slash” or the root.
`/bin` Common programs, shared by the system, the system administrator and the users.
`/boot` Boot files, boot loader (grub), kernels, vmlinuz
`/dev` Contains references to system devices, files with special properties.
`/etc` Important system config files.
`/home` Home directories for system users.
`/lib` Library files, includes files for all kinds of programs needed by the system and the users.
`/lost+found` Files that were saved during failures are here.
`/mnt` Standard mount point for external file systems.
`/media` Mount point for external file systems (on some distros).
`/net` Standard mount point for entire remote file systems – nfs.
`/opt` Typically contains extra and third party software.
`/proc` A virtual file system containing information about system resources.
`/root` root users home dir.
`/sbin` Programs for use by the system and the system administrator.
`/tmp` Temporary space for use by the system, cleaned upon reboot.
`/usr` Programs, libraries, documentation etc. for all user-related programs.
`/var` Storage for all variable files and temporary files created by users, such as log files, mail queue, print spooler. Web servers, Databases etc.

Linux Interesting Files / Dir’s

Places that are worth a look if you are attempting to privilege escalate / perform post exploitation.

DIRECTORY	DESCRIPTION
`/etc/passwd`	Contains local Linux users.
`/etc/shadow`	Contains local account password hashes.
`/etc/group`	Contains local account groups.
`/etc/init.d/`	Contains service init script – worth a look to see whats installed.
`/etc/hostname`	System hostname.
`/etc/network/interfaces`	Network interfaces.
`/etc/resolv.conf`	System DNS servers.
`/etc/profile`	System environment variables.
`~/.ssh/`	SSH keys.
`~/.bash_history`	Users bash history log.
`/var/log/`	Linux system log files are typically stored here.
`/var/adm/`	UNIX system log files are typically stored here.
`/var/log/apache2/access.log` `/var/log/httpd/access.log`	Apache access log file typical path.
`/etc/fstab`	File system mounts.

Openssl s_client

posted 25 Jan 2018, 04:57 by Donald Ross

openssl s_client -connect 10.211.0.3:443 | openssl x509 -purpose

openssl s_client -connect 10.150.232.96:443 -showcerts

#show dates

openssl s_client -connect 10.240.89.254:3041 | openssl x509 -noout -dates

notBefore=Oct 10 20:04:26 2015 GMT

notAfter=Oct 9 20:04:26 2017 GMT

openssl s_client -connect 10.240.89.254:3041 | openssl x509 -noout -issuer

openssl s_client -connect 10.240.89.254:3041 | openssl x509

#nearly all details

openssl s_client -connect 10.240.89.254:3041 | openssl x509 -noout -text

https://www.shellhacks.com/openssl-check-ssl-certificate-expiration-date/

F5 LTM redirect policy (HTTP to HTTPs)

posted 28 Sept 2017, 13:59 by Donald Ross

F5 LTM redirect policy (HTTP to HTTPs)

1-10 of 25

DDRcomputing	Search this site