TCPdump
TCP dump examples
***See if tcpdump is running:***
ps -e | grep tcpdump
***Stop tcpdump process:***
kill 4222
***clears buffers***
tcpdump -s -ni 0.0 proto 3
Starting in BIG-IP 11.0.0, when you run tcpdump on a VLAN that resides in a non-default partition, you must specify the path to the VLAN object in the tcpdump syntax.
For example, use tcpdump syntax that is similar to the following example:
tcpdump -ni /<partition_name>/<vlan_name>
tcpdump -envi 0.0:nnnp -s0 '(host 10.63.4.22 and port 443) and host <client_IP_addr>' -w /var/tmp/"$HOSTNAME"_"$(date +%d-%m-%y)".pcap
-e
Print the link-level header on each dump line.
-n
Don't convert host addresses to names. This can be used to avoid DNS lookups.
-v
When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.
-i 0.0
Listen on all interfaces
:nnn
Adds the highest level of BIG-IP-specific detail to each packet (TMM, flow and peer information)
:p
Modifier that captures a specific traffic flow through the BIG-IP system from end to end (the clientside flow together with its matching serverside flow)
-s0
Setting snaplen to 0 sets it to the default of 65535, so the full packet is captured
------------------
tcpdump -i 0.0 -vvv -nn -w /shared/tmp/$(date +%Y-%m-%d_%H:%M:%S)lab100.pcap -C100 -W10 'port 443 and not (host 10.101.0.1 or host 192.168.101.35)'
-nn
Don’t convert protocol and port numbers etc. to names either.
-i interface
Listen on interface
-vvv
Even more verbose output.
-w file
Write the raw packets to file rather than parsing and printing them out.
-C file_size
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
-W file_count
Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.
Extras
-p
With the "p" flag you can set a filter on a clientside parameter, i.e. client IP or virtual server IP and the trace will include the related serverside traffic as well, SNATed or not.
-s 0 parameter for packet size specification. Set it to "0" to capture the full packet length.
***displays all of the SSL record messages found in the tcpdump capture file***
ssldump -nr /shared/tmp/$(date +%Y-%m-%d_%H:%M:%S)lab100.pcap
References:
https://support.f5.com/csp/article/K10209
http://packetpushers.net/using-ssldump-decode-ssltls-packets/
Notes:
If you try to load the server's private key into Wireshark and decrypt the conversation, it will not work when a DH (or ECDH) key exchange was used:
with DH the session key is never transmitted, so you cannot intercept it and use the private key to recover it for decryption in Wireshark.
example
tcpdump -i 0.0:nnnp -vvv -s 0 host 8.8.8.8
ssldump -An -i 0.0
----------------------------
tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
https://danielmiessler.com/study/tcpdump/
tcpdump -ni <interface> -W <file count value> -C <size value> -w <filename>
<interface> is the interface on which you want the utility to capture packets.
<file count value> is the number of files you want the utility to save before overwriting older files.
<size value> is the maximum file size in megabytes (MB) you want the utility to save before creating a new file.
<filename> is the location and file name where you want the utility to save the binary capture files.
For example, to have tcpdump capture packets on all interfaces and create up to ten 100MB files, named test1, test2, and so on, in the /var/tmp directory before overwriting the oldest file, type the following command:
tcpdump -ni 0.0 -W 10 -C 100 -w /var/tmp/test.pcap
Kill all running tcpdump processes: killall tcpdump
ssldump
K15292: Troubleshooting SSL/TLS handshake failures https://support.f5.com/csp/article/K15292
SSLv3 is version 3.0
TLS 1.0 is version 3.1
TLS 1.1 is version 3.2
TLS 1.2 is version 3.3
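These version numbers are what ssldump prints as `C>SV3.1`, `Version 3.3` and so on, and an older ssldump build lists suites it does not know as `Unknown value 0xc014`. The parser below is an added example, not F5 or ssldump code: it decodes the same fields from a raw TLS record, the ClientHello bytes it builds are constructed sample input, and its suite table is a small subset of the IANA registry.

```python
"""Decode the record version, hello version and cipher suites that ssldump
prints for a ClientHello.  Added example; the ClientHello bytes are constructed."""
import struct

# Version mapping as listed on the page: SSLv3 = 3.0 ... TLS 1.2 = 3.3
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# Small subset of the IANA cipher suite registry.  0xc014, 0xc013, 0xc00a and
# 0xc009 are the ECDHE suites the older ssldump build printed as "Unknown value".
SUITE_NAMES = {
    0xc014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xc013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xc00a: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xc009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}


def parse_client_hello(record: bytes) -> dict:
    """Return the record version, the hello version and the offered suites."""
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 22:                       # 22 = Handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if body[0] != 1:                      # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hmaj, hmin = body[4], body[5]         # after type(1) + length(3)
    pos = 6 + 32                          # skip the 32-byte client random
    pos += 1 + body[pos]                  # skip session_id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return {
        "record_version": f"V{rmaj}.{rmin}",       # what ssldump prints as C>SV3.1
        "hello_version": VERSION_NAMES.get((hmaj, hmin), f"unknown {hmaj}.{hmin}"),
        "cipher_suites": [SUITE_NAMES.get(s, f"Unknown value 0x{s:04x}") for s in suites],
    }


def build_client_hello(version=(3, 1), suites=(0xc014, 0xc013, 0x0039, 0x0035)) -> bytes:
    """Construct a minimal ClientHello record (sample input, not a real capture)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (bytes(version) + b"\x11" * 32 + b"\x00"          # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")  # suites, compression NULL only
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello       # handshake header + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs
```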
ssldump -AedH -i 0.0 host 52.205.137.89 and port 443
New TCP connection #1: 5.187.19.69(56947) <-> 172.31.142.24(443)
1 1  1475579446.8148 (0.0164)  C>SV3.1 ***TLS VERSION*** (138)  Handshake
      ClientHello
        Version 3.1 ***TLS VERSION***
        random[32]=
          57 f3 8e 3f 89 8b 0f 83 47 43 20 5e d0 a2 4f e9
          b1 50 8d 9a 09 6e 18 bf 0f 53 b0 45 62 19 73 00
        cipher suites
        Unknown value 0xc014
        Unknown value 0xc013
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        Unknown value 0xc00a
        Unknown value 0xc009
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        compression methods
                  NULL
1 2  1475579446.8149 (0.0000)  S>CV3.1(85)  Handshake
      ServerHello
        Version 3.1
        random[32]=
          81 91 f8 6c 34 46 23 f7 b8 c4 9b 17 ea 17 b8 74
          76 cc 0e 28 74 5c 94 da 3c a3 81 52 cf 5b d1 ef
        session_id[32]=
          18 2a bb ea be 72 d5 6e 00 4b 3c 3d 52 40 1a 2b
          36 15 b1 91 8d 58 61 e9 a5 ba a4 3b 41 ac 64 a0
        cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA ***CIPHER AGREED***
        compressionMethod                   NULL
1 3  1475579446.8149 (0.0000)  S>CV3.1(1413)  Handshake
      Certificate
1 4  1475579446.8149 (0.0000)  S>CV3.1(8)  Handshake
      CertificateRequest
        certificate_types                   rsa_sign
1 5  1475579446.8149 (0.0000)  S>CV3.1(4)  Handshake
      ServerHelloDone
1 6  1475579446.8338 (0.0189)  C>SV3.1(2355)  Handshake
      Certificate
      ClientKeyExchange
        EncryptedPreMasterSecret[256]=
          8b 3f 4d 3a 13 bf a0 53 39 0d 5e 45 b1 45 73 f0
          07 0f 5d 4e c0 35 3e fb 54 d5 68 e7 f5 65 3d 90
          d8 ef 86 93 aa 7c ed 5e 99 83 16 91 d9 b0 e4 f5
          63 73 af 2f 1a 68 1a 40 f1 c2 d1 41 52 f3 e1 ef
          95 9b 96 df b8 58 7e f9 00 62 15 31 1e 44 0f 99
          ae 4a 9c 82 1b af d5 e8 ac 5f 9e 17 85 f4 b8 ec
          f7 d4 c2 91 80 c4 5e 3d 9b 56 e4 47 b3 b3 f9 34
          61 81 db 65 2e 39 bb b5 1b ea f7 e4 e9 5b 79 c9
          39 45 f2 18 db 95 b1 58 e8 04 a6 1c 2a b1 63 9f
          d3 a0 84 98 52 f7 29 bf d1 f8 f2 82 24 2a b5 09
          68 f3 4b 8d 84 a9 12 37 5d eb f6 e3 e5 2d f8 08
          e8 0b 62 37 9e 61 b9 2f ac d9 39 ef 5f 48 8f 90
          7e 80 e2 ac 6d 67 f8 90 94 b2 f4 12 6d 05 72 3a
          78 e6 a3 e8 17 7b 7d 3e 21 f0 c4 0d 5d c8 ac 65
          8c 30 73 13 19 a8 05 77 1d 4e bb db 79 0e 9b c9
          f4 36 8c d5 e9 0c 59 0c 71 fa 42 b5 ed 7c 70 7a
      CertificateVerify
        Signature[256]=
          3d 5b 48 d6 f1 19 c6 ed 0d 94 7d 10 83 24 2e 2c
          88 ac b1 49 fc 28 e0 c9 c2 f6 9a d1 9a 9a 88 59
          84 cf a6 ec c9 05 9b 31 d8 4d e3 92 2d 71 65 f2
          76 95 17 86 e1 79 d1 09 8f e8 67 6d 51 e7 c7 0b
          19 c0 30 e5 41 6a 72 d9 de 56 eb ac 42 fe 9e 14
          b3 ba b6 34 fd 45 c3 1f 4f 79 ea d2 a5 af ee d4
          1a 53 be 41 84 00 61 86 87 ba 28 5a 2b d8 20 14
          d0 4a 96 51 84 31 01 2b a1 e9 04 a6 40 77 99 ef
          ff b4 e8 7a 5e 56 04 b9 02 55 6e e7 c6 29 a8 9b
          2c 71 04 2f ad 71 25 75 ab f3 57 6a cc 5b 7f b7
          25 22 14 c0 d0 21 e7 57 be c3 cc a8 99 6b 1d a7
          af 11 d7 f8 fd f8 3c 15 0d 57 2e 44 9c 9d 2f 19
          d7 25 8b c8 d2 07 eb 12 81 86 ae a6 e2 c4 44 ec
          56 8f 51 ad 3b 88 7b 8b 46 53 07 89 db 23 fc 8d
          d8 79 77 bf b6 1c e0 4b 27 02 81 50 a6 aa 86 94
          f5 d5 03 49 e7 5e d8 d3 13 9e e8 f8 91 30 50 27
1 7  1475579446.8338 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
1 8  1475579446.8338 (0.0000)  C>SV3.1(48)  Handshake
1 9  1475579446.8389 (0.0051)  S>CV3.1(1)  ChangeCipherSpec
1 10 1475579446.8389 (0.0000)  S>CV3.1(48)  Handshake
1 11 1475579448.9262 (2.0872)  C>SV3.1(32)  application_data
1 12 1475579448.9262 (0.0000)  C>SV3.1(224)  application_data
1 13 1475579448.9558 (0.0296)  S>CV3.1(112)  application_data
1 14 1475579448.9719 (0.0160)  C>SV3.1(32)  application_data
1 15 1475579448.9719 (0.0000)  C>SV3.1(2528)  application_data
1 16 1475579449.0050 (0.0331)  S>CV3.1(3440)  application_data
1    1475579449.0051 (0.0000)  S>C  TCP FIN
1    1475579449.0214 (0.0162)  C>S  TCP FIN
[root@BIGIP-CORP-02:Active:Changes Pending] config # ssldump -AedH -i 0.0 host 52.205.137.89 and port 443
New TCP connection #1: ec2-52-205-137-89.compute-1.amazonaws.com(26929) <-> 192.168.254.65(443)
1 1 1552559847.6492 (0.0897) C>SV3.3(219) Handshake
ClientHello
Version 3.3
random[32]=
5c 8a 2e e7 76 a8 5d 2a 3e f4 9c 3d 20 8c 12 55
60 07 ea ed 32 05 1b a6 19 7d 73 05 20 dd 8d a7
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression methods
NULL
extensions
supported_groups
ec_point_formats
signature_algorithms
signature_algorithms[26]=
06 03 06 01 05 03 05 01 04 03 04 01 04 02 03 03
03 01 03 02 02 03 02 01 02 02
extended_master_secret
server_name
1 2 1552559847.6511 (0.0019) S>CV3.3(91) Handshake
ServerHello
Version 3.3
random[32]=
59 11 71 81 5a 37 9d 48 1a bb 21 72 7a d7 8f 2c
d5 f8 2b a4 42 09 ca 75 54 0e 1a 0e 46 d0 c1 f8
session_id[32]=
f5 d1 ee 83 f8 04 92 d7 3c 79 de 26 c0 2c 9b 3a
96 aa 8e 84 c9 dd d2 70 3a f4 0d 66 51 7c ab 0e
cipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
compressionMethod NULL
extensions
renegotiation_info
ec_point_formats
extended_master_secret
1 3 1552559847.6511 (0.0000) S>CV3.3(1416) Handshake
Certificate
1 4 1552559847.6511 (0.0000) S>CV3.3(333) Handshake
ServerKeyExchange
ServerKeyExchange[329]=
03 00 17 41 04 de 86 ec bc 3e 08 3d 83 e8 6d a0
65 49 fa 78 f0 6c 3e 35 d4 0a 60 aa 75 8c 2d 23
a3 3d 77 12 5b 48 f5 e5 56 bf cb 5c 14 14 87 5f
54 c4 03 f6 ba 55 8b be 13 87 a5 7a f2 cb 57 6c
bc 7c 73 5e 2b 04 01 01 00 98 20 8a 01 32 cb 66
59 be fb 6c 8a 66 e5 0a 3f f3 5a 24 48 20 14 6f
9f 90 eb 0a cb 81 d0 ae 89 dd 66 d4 72 19 42 48
14 e8 56 09 3c d4 1c ca 45 6a 25 c5 cc ec 2d bf
c6 10 50 1a 03 fc 1c 88 fa 53 38 14 d6 b6 9f 38
68 00 3d b0 88 96 2c 07 30 2a 49 b4 d4 a9 18 42
01 91 0b 9c d4 d0 4c f8 d5 3a 7d bb cc 34 26 8f
00 04 90 ec 50 e7 90 4f 45 39 f8 97 46 6b 84 29
26 70 27 51 4e 35 50 70 0a 25 a4 eb 40 dd e4 95
85 b0 45 9d d7 bb fb 65 7c 63 60 67 2e b1 03 ae
25 fd cb 10 39 a3 7a 7f ca 6d 8c b8 5d cd 68 68
a5 44 38 bc 72 9d 28 d6 40 6d 89 04 31 19 a0 1e
6a 15 90 88 49 c8 6e e3 68 af 40 13 3b c1 fe 24
cd c5 f0 1c 89 4b 0b 40 4f 7e 0c 8a 6e 34 4b 60
40 c2 18 a1 8c 0b d7 67 b2 61 88 09 73 c9 8d ec
6c 2e 13 a3 55 43 1a d3 59 cb b1 7f ce a3 a6 93
8a 46 8a ac e4 48 8f 29 d4 << ***UNTRUSTED CERT * THIS HAD NO CHAIN***
1 5 1552559847.6511 (0.0000) S>CV3.3(4) Handshake
ServerHelloDone
1 6 1552559847.7410 (0.0899) C>SV3.3(2) Alert
level fatal
value certificate_unknown
1 1552559847.7410 (0.0000) C>S TCP FIN
1 1552559847.7411 (0.0000) S>C TCP FIN
tcpdump -vvv -s 0 -nni external -w /var/tmp/www-ssl-client.cap host 10.1.1.100 and port 443
ssldump -nr /var/tmp/www-ssl-client.cap
From https://support.f5.com/csp/article/K10209
TLS decryption
Decrypt iRule
https://support.f5.com/csp/article/K16700
https://support.f5.com/csp/article/K06028005
https://clouddocs.f5.com/training/community/adc/html/class4/module1/lab10.html
when CLIENTSSL_HANDSHAKE {
    log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
}
when SERVERSSL_HANDSHAKE {
    log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
}
Grab the session IDs from the logs
grep iRule_decrypt /var/log/ltm
grep -A 156774 /var/log/ltm
Copy the RSA session ID
Grab the port of the serverside connection as well
Create a text file containing the session keys
Add the session keys to Wireshark: Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename, and point it at that file.
Another iRule example
when CLIENTSSL_HANDSHAKE {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        log local0. "TCP source port: [TCP::remote_port]"
        log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
    }
}
when SERVERSSL_HANDSHAKE {
    log local0. "TCP Source port: [TCP::local_port]"
    log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
}
Grab all keys (extract every logged session key into a Wireshark key log file):
grep Session-ID /var/log/ltm | sed 's/.*\(RSA.*\)/\1/' > /var/tmp/premaster.txt
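The grep/sed line above builds the key log by hand. The script below is an added example, not F5 code: it does the same extraction from /var/log/ltm lines, deduplicates them, and rejects entries Wireshark could not use (empty session ID, master secret that is not 48 bytes). The log lines it embeds are constructed samples with made-up hostnames and hex values; because the iRule logs the master secret itself, a file produced this way also decrypts ECDHE sessions, which the DH note above says the private key alone cannot.

```python
"""Turn the /var/log/ltm lines written by the decrypt iRule into Wireshark
(Pre)-Master-Secret log entries, validating each one.  Added example, not
F5 code; the log lines below are constructed samples."""
import re

# Wireshark key log format the iRule emits: RSA Session-ID:<hex> Master-Key:<hex>
KEY_RE = re.compile(r"RSA Session-ID:([0-9a-fA-F]*) Master-Key:([0-9a-fA-F]*)")

# Constructed sample of the iRule's `log local0.` output as it lands in
# /var/log/ltm (hostname, pid and all hex values are made up).
PREFIX = "Mar 14 10:02:11 bigip1 info tmm[1234]: Rule /Common/iRule_decrypt "
SAMPLE_LTM = [
    PREFIX + "<CLIENTSSL_HANDSHAKE>: RSA Session-ID:" + "ab" * 32 + " Master-Key:" + "cd" * 48,
    PREFIX + "<SERVERSSL_HANDSHAKE>: RSA Session-ID: Master-Key:" + "ef" * 48,  # no session id
    PREFIX + "<CLIENTSSL_HANDSHAKE>: RSA Session-ID:" + "ab" * 32 + " Master-Key:" + "cd" * 48,  # dup
    PREFIX + "<CLIENTSSL_HANDSHAKE>: RSA Session-ID:" + "12" * 32 + " Master-Key:" + "34" * 20,  # short
    PREFIX + "<CLIENTSSL_HANDSHAKE>: TCP source port: 51234",  # other iRule log line, ignored
]


def extract_keylog(lines):
    """Return (valid, rejected): key-log entries to write, and lines that failed checks."""
    entries, rejected, seen = [], [], set()
    for line in lines:
        m = KEY_RE.search(line)
        if not m:
            continue                      # not a key line
        sid, master = m.group(1).lower(), m.group(2).lower()
        # The TLS master secret is always 48 bytes (96 hex digits).  Wireshark
        # matches entries by session ID, so an empty or odd-length ID is useless.
        if len(master) != 96 or not 2 <= len(sid) <= 64 or len(sid) % 2:
            rejected.append(line)
            continue
        entry = f"RSA Session-ID:{sid} Master-Key:{master}"
        if entry not in seen:             # the same handshake may be logged more than once
            seen.add(entry)
            entries.append(entry)
    return entries, rejected


def write_keylog(lines, path):
    """Write the valid entries to `path` (e.g. /var/tmp/premaster.txt); returns the count."""
    entries, _ = extract_keylog(lines)
    with open(path, "w") as f:
        f.write("\n".join(entries) + "\n")
    return len(entries)
```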