If it doesn't match the current capture, it's as if it wasn't there.ĭon't forget to use a cipher string of 'NONE:AES128-SHA' and a Cache Size of 0 in your profile during the capture to insure that ssldump can find the PMS log. If you keep using the same name, it can be set once in Wireshark and doesn't have to be reconfigured for every capture.
It can be invoked with a single, easy to remember line: Decrypt.sh test1.pcap The output defaults to SSL.pms, which gets copied to your workstation along with the. The script finds the actual filename in the file store, such as: /config/filestore/files_d/Common_d/certificate_key_d/ Note that it is the BASE FILENAME of the key, such as not the cert/key name that must be specified. Ssldump -r $CaptureFile -k $KeyFile -M $PMSFile -A -d -n
Instead, this little script provides a one-line command, and it is installed on all of our Big-IPs along with a lot of other little utilities: #! /bin/bash It doesn't exactly roll trippingly off the keyboard, does it? For example: ssldump -r test1.pcap -k /config/filestore/files_d/Common_d/certificate_key_d/:Common:-M SSL.pms -A -d -n However, the syntax for locating the right key file and executing ssldump is clumsy and hard to remember. Using Wireshark or other tools to examine SSL traffic requires that the Pre-Master Secret log be extracted from the capture with ssldump, and that the private key be available.
0 kommentar(er)
