
TCPdump and SSLdump

posted 10 Sept 2017, 09:57 by Donald Ross   [ updated 25 Jan 2018, 04:56 ]
TCPDUMP

***See if tcpdump is running:***
ps -e | grep tcpdump

***Stop tcpdump process (replace 4222 with the PID shown by ps):***
kill 4222

***clears buffers***
tcpdump -s 0 -ni 0.0 proto 3
(-s takes a snapshot length, so it must be -s 0 here. The filter proto 3 matches IP protocol 3 (GGP), which carries no real traffic, so this capture records nothing and is stopped with Ctrl-C.)

***Find self IPs***
list net self

***Find the SNAT pool (it appears under source-address-translation in the virtual server config)***
list ltm virtual

ltm virtual web1_dc1_443_vs {
    destination 10.211.0.3:https
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    pool web1_dc1_443_pool
    profiles {
        http { }
        tcp { }
        test { }
        web1_dc1_443_client_ssl {
            context clientside
        }
        web1_dc1_443_server_ssl {
            context serverside
        }
    }
    rules {
        sorry_irule
    }
    source 0.0.0.0/0
    source-address-translation {
        pool snat-pool-south
        type snat
    }
    translate-address enabled
    translate-port enabled
    vs-index 19
}


list ltm snatpool snat-pool-south
ltm snatpool snat-pool-south {
    members {
        10.101.0.10
        10.101.0.11
        10.101.0.12
        10.101.0.13
        10.101.0.14
        10.101.0.15
        10.101.0.16
        10.101.0.17
        10.101.0.18
        10.101.0.19
        10.101.0.20
    }
}


tcpdump -i 0.0 -vvv -nn -w /shared/tmp/$(date +%Y-%m-%d_%H:%M:%S)lab100.pcap -C100 -W10 'port 443 and not (host 10.101.0.1 or host 192.168.101.35)'

-nn
Don't convert protocol and port numbers etc. to names either.

-i interface
Listen on interface.

-vvv
Even more verbose output.

-w file
Write the raw packets to file rather than parsing and printing them out.

-C file_size
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

-W filecount
Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.


Extras
:p interface modifier (BIG-IP only, e.g. -i 0.0:p or -i 0.0:nnnp)
With the p modifier you can set a filter on a clientside parameter, i.e. client IP or virtual server IP, and the trace will include the related serverside traffic as well, SNATed or not. (This is not the standard tcpdump -p flag, which only disables promiscuous mode.)
-s 0
Snapshot length. Set it to 0 to capture the full packet length; otherwise TLS records may be truncated and ssldump cannot parse them.

***displays all of the SSL record messages found in the tcpdump capture file***
ssldump -nr /shared/tmp/<capture-file>.pcap
(Use the file name the capture above actually wrote: running $(date ...) again here produces a different name. With -C and -W the files also carry a numeric suffix, so the first one is ...lab100.pcap0.)
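The steps above (list the SNAT pool, build a port/host filter, capture to a timestamped file, then decode it with ssldump) are easy to get wrong by hand: the filter is typed twice and the timestamp is evaluated twice. The following POSIX shell script is an added example, not code from the original page, from F5 or from the tcpdump/ssldump projects. It parses a constructed, trimmed copy of the `list ltm snatpool` output shown above, builds both a serverside filter (SNAT addresses only) and the exclusion filter used on this page, computes the capture path once, and prints the matching tcpdump and ssldump commands instead of running them, so it works offline. The function names, the lab100 label and the /shared/tmp path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page or from F5): derive the tcpdump
# filter and file name from tmsh output so that tcpdump and ssldump agree.
# It only prints the commands it would run; nothing here touches a BIG-IP.

# Constructed sample of `tmsh list ltm snatpool snat-pool-south` output,
# trimmed to three members.
SNATPOOL_OUTPUT='ltm snatpool snat-pool-south {
    members {
        10.101.0.10
        10.101.0.11
        10.101.0.12
    }
}'

# Print the member addresses, one per line: lines holding only an IPv4 address.
snat_members() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*[0-9]+(\.[0-9]+){3}[[:space:]]*$' \
        | sed 's/[[:space:]]//g'
}

# Join addresses into a BPF alternation: "host A or host B".
host_alternation() {
    out=""
    for ip in "$@"; do
        if [ -z "$out" ]; then out="host $ip"; else out="$out or host $ip"; fi
    done
    printf '%s' "$out"
}

# Filter that keeps only traffic on port $1 involving the given addresses
# (the serverside leg of a SNATed virtual server when given SNAT members).
serverside_filter() {
    port=$1; shift
    printf 'port %s and (%s)' "$port" "$(host_alternation "$@")"
}

# Filter that keeps traffic on port $1 but drops the listed hosts
# (monitors, admin workstations): the shape of the capture command on this page.
exclude_filter() {
    port=$1; shift
    printf 'port %s and not (%s)' "$port" "$(host_alternation "$@")"
}

# One timestamped path, computed once, so the capture and decode commands
# name the same file. With -C/-W tcpdump appends a numeric suffix, so the
# first rotated file is "${path}0".
capture_path() {
    printf '/shared/tmp/%s_%s.pcap' "$(date +%Y-%m-%d_%H%M%S)" "$1"
}

# Print the tcpdump and ssldump commands for a path and filter, quoted so
# they can be pasted into a BIG-IP shell. -s 0 keeps full TLS records.
capture_commands() {
    path=$1; filter=$2
    printf "tcpdump -i 0.0 -nn -s 0 -w '%s' -C100 -W10 '%s'\n" "$path" "$filter"
    printf "ssldump -An -r '%s0'\n" "$path"
}

# Usage: serverside filter built from the sample snatpool output.
members=$(snat_members "$SNATPOOL_OUTPUT")
# $members is deliberately unquoted so the newline-separated list splits into arguments.
capture_commands "$(capture_path lab100)" "$(serverside_filter 443 $members)"
```

Feed the real `tmsh list ltm snatpool <name>` output into `snat_members` on the box, or swap in `exclude_filter` with the self IPs from `list net self` when the goal is to drop health-monitor noise rather than isolate the serverside leg.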


References:
https://support.f5.com/csp/article/K10209
http://packetpushers.net/using-ssldump-decode-ssltls-packets/

Notes:
If you load the server's private key into Wireshark to decrypt the conversation, it will not work when the key exchange is (EC)DHE.
With an RSA key exchange the client sends the premaster secret encrypted under the server's public key, so the private key recovers it. With Diffie-Hellman the session key is derived independently on both sides and never transmitted, so there is nothing in the capture for the private key to decrypt; ssldump -k has the same limitation. For DHE sessions you need the session keys themselves, e.g. a key log (SSLKEYLOGFILE) from a client you control.


Example (BIG-IP, with the :nnnp interface modifiers for TMM and peer-flow information):
tcpdump -i 0.0:nnnp -vvv -s 0 host 8.8.8.8


Example (live decode on all interfaces; -A prints all record fields, -n disables name resolution; -r is only for reading a capture file and cannot be combined with -i):
ssldump -An -i 0.0
