https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15948
Bug ID: 15948
Summary: F5ethtrailer - Add dissector for BIG-IP v15 TLS trailer
Product: Wireshark
Version: Git
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: Enhancement
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-ad...@wireshark.org
Reporter: kryojen...@gmail.com
Target Milestone: ---
Created attachment 17257
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17257&action=edit
Sample capture of TLS 1.3 traffic with f5ethtrailer.tls data
Build Information:
$ ./run/tshark -v
TShark (Wireshark) 3.1.1 (v3.1.1rc0-15-g806bef47a2a0)
Copyright 1998-2019 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, without POSIX capabilities, with GLib 2.60.5,
with zlib 1.2.11, without SMI, without c-ares, without Lua, without GnuTLS, with
Gcrypt 1.8.4, with MIT Kerberos, without MaxMind DB resolver, without nghttp2,
without brotli, without LZ4, without Snappy, with libxml2 2.9.4.
Running on Mac OS X 10.14.6, build 18G84 (Darwin 18.7.0), with Intel(R) Core(TM)
i7-7920HQ CPU @ 3.10GHz (with SSE4.2), with 16384 MB of physical memory, with
locale en_US.UTF-8, with libpcap version 1.8.1 -- Apple version 79.250.1, with
Gcrypt 1.8.4, with zlib 1.2.11, binary plugins supported (0 loaded).
Built using clang 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.46.4).
--
F5 BIGIP (starting with 15.0.0) now has the ability to provide
debug TLS key information when capturing on BIGIP. This is
provided in the f5ethtrailers. This dissector implements
decode of this data and will generate appropriate keylog
entries that can be collected and used for decryption.
https://cdn.f5.com/product/bugtracker/ID464934.html
Example tshark output of new dissector:
$ tshark -r tls13.pcap -Y "frame.number eq 7" -O f5ethtrailer
Frame 7: 2408 bytes on wire (19264 bits), 2408 bytes captured (19264 bits)
Ethernet II, Src: Vmware_86:7d:85 (00:50:56:86:7d:85), Dst: Vmware_86:11:fc (00:50:56:86:11:fc)
Internet Protocol Version 4, Src: 10.1.63.120, Dst: 10.1.47.1
Transmission Control Protocol, Src Port: 443, Dst Port: 55010, Seq: 1, Ack: 212, Len: 1502
Transport Layer Security
F5 Ethernet Trailer Protocol
Magic: 0xf5deb0f5
Length: 840
Version: 1
F5 TLS 1.3 Extended
F5 Trailer header, Provider: 4, Type: 3
Provider: 4
Type: 3
Trailer length: 393
Version: 0
Secret Length: 48
Early Secret: 7ee8206f5570023e6dc7519eb1073bc4e791ad37b5c382aa…
Exporter Secret: 01eed3934b37fb3194ed9701f6ac035a2f87588e15f4ef28…
Handshake Secret: 5f95e72b96bc0b7fdd2bb91c0ec2502b93da611886dcfea7…
Client Handshake Finished Secret: bf409a2e0d2b5c6d50b21f02036bab7dfd7f8b50e24321f1…
Server Handshake Finished Secret: 2b8cc43f7007ed4d4d7916114d1e9a26d8e67634cacb3aca…
Resumption Secret: 000000000000000000000000000000000000000000000000…
F5 TLS 1.3
F5 Trailer header, Provider: 4, Type: 2
Provider: 4
Type: 2
Trailer length: 329
Version: 0
Secret Length: 48
Client Handshake Traffic Secret: 51197a81b83af539266e451b01e3c38f66fff8c4229a3daf…
Server Handshake Traffic Secret: 2f7985a9d60000166d9f8ee1158e4e5eaa15146e5230d39e…
Client Application Traffic Secret: da2006283ab34757bf78e9b5a1a0982ca9cd5acc7905c874…
Server Application Traffic Secret: 747388fad3d78bdb81eabd7a74bcf7f91433cdf73ae1bb90…
Client Random: 1fb461298f2a22898ec7211652ff1615b971c717b0684828…
Server Random: 3cd08c10193b4558fed6eb92ff5c068fb297495384abaa37…
[Keylog entry: CLIENT_TRAFFIC_SECRET_0 1fb461298f2a22898ec7211652ff1615b971c717b0684828d29fbd494feff584 da2006283ab34757bf78e9b5a1a0982ca9cd5acc7905c874da16efc5e7d6e688cb35a5842e3ac9bc7c8dc24d911ee24c]
[Keylog entry: SERVER_TRAFFIC_SECRET_0 1fb461298f2a22898ec7211652ff1615b971c717b0684828d29fbd494feff584 747388fad3d78bdb81eabd7a74bcf7f91433cdf73ae1bb903ebdb34a7bdc6d639acd338b48eb27d5a82020e5cbfbaef9]
[Keylog entry: EXPORTER_SECRET 1fb461298f2a22898ec7211652ff1615b971c717b0684828d29fbd494feff584 01eed3934b37fb3194ed9701f6ac035a2f87588e15f4ef280e701f7b15a468367a8a163cdc7dbacf182f593aa8cd9065]
Decryption becomes possible after extracting the secrets:
$ tshark -r tls13.pcap -Y "f5ethtrailer.tls.keylog" -T fields -e f5ethtrailer.tls.keylog | tr , '\n' > keylog.txt
$ cat keylog.txt
CLIENT_HANDSHAKE_TRAFFIC_SECRET 1fb461298f2a22898ec7211652ff1615b971c717b0684828d29fbd494feff584 51197a81b83af539266e451b01e3c38f66fff8c4229a3dafbe70992146fe48c225a7c07c701d82e56b5352249cc632d0
SERVER_HANDSHAKE_TRAFFIC_SECRET 1fb461298f2a22898ec7211652ff1615b971c717b0684828d29fbd494feff584 2f7985a9d60000166d9f8ee1158e4e5eaa15146e5230d39eedaeef499a6303cb2bef12b414c80028b2babd3343821bf3
CLIENT_TRAFFIC_SECRET_0 1fb461298f2a22898ec7211652ff1615b971c717b0684828d29fbd494feff584 da2006283ab34757bf78e9b5a1a0982ca9cd5acc7905c874da16efc5e7d6e688cb35a5842e3ac9bc7c8dc24d911ee24c
SERVER_TRAFFIC_SECRET_0 1fb461298f2a22898ec7211652ff1615b971c717b0684828d29fbd494feff584 747388fad3d78bdb81eabd7a74bcf7f91433cdf73ae1bb903ebdb34a7bdc6d639acd338b48eb27d5a82020e5cbfbaef9
EXPORTER_SECRET 1fb461298f2a22898ec7211652ff1615b971c717b0684828d29fbd494feff584 01eed3934b37fb3194ed9701f6ac035a2f87588e15f4ef280e701f7b15a468367a8a163cdc7dbacf182f593aa8cd9065
$ editcap --inject-secrets tls,keylog.txt tls13.pcap tls13.pcapng
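Added example, not part of the original report or of the Wireshark dissector: a stricter stand-in for the `tr , '\n'` step above that splits the comma-joined field output, drops duplicates and malformed entries, and writes the key log readable by its owner only. The function names, the constructed sample values and the treatment of an all-zero secret as an unset field are assumptions of this example.

```python
import os
import re

# Labels from the NSS key log format for TLS 1.2 and TLS 1.3 secrets.
LABELS = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# LABEL, 32-byte client random, 32- or 48-byte secret (SHA-256 or SHA-384 sized).
ENTRY = re.compile(r"([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{32}){2,3})")

def check(entry):
    """Return None if entry is a usable keylog line, else the reason it is not."""
    m = ENTRY.fullmatch(entry)
    if not m:
        return "malformed entry"
    if m.group(1) not in LABELS:
        return "unknown label"
    # Assumption: a zero-filled secret is an unset field, not key material.
    if set(m.group(3)) == {"0"}:
        return "all-zero secret"
    return None

def parse_fields(text):
    """Split tshark -T fields output (entries comma-joined per frame) and de-duplicate."""
    entries, rejects = [], []
    for item in re.split(r"[,\n]", text):
        item = " ".join(item.split())
        reason = check(item) if item else None
        if reason:
            rejects.append((item, reason))
        elif item and item not in entries:
            entries.append(item)
    return entries, rejects

def write_keylog(path, entries):
    """Write entries to path, readable by the owner only (the file decrypts the capture)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed
    with os.fdopen(fd, "w") as f:
        f.write("".join(e + "\n" for e in entries))

# Constructed sample of field output; the hex values are made up, not from the capture.
R = "ab" * 32
SAMPLE = (f"CLIENT_TRAFFIC_SECRET_0 {R} {'c1' * 48},SERVER_TRAFFIC_SECRET_0 {R} {'d2' * 48}\n"
          f"CLIENT_TRAFFIC_SECRET_0 {R} {'c1' * 48},EXPORTER_SECRET {R} {'00' * 48}\n"
          f"NOT_A_LABEL {R} {'e3' * 48}\n")
```

The resulting file can be passed to `editcap --inject-secrets tls,keylog.txt` exactly as in the report.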