Enabling Session Key Capture When Debugging a Virtual Service
Overview
When debugging a virtual service, users can download from the Controller, for analysis, the traffic captures that were originally taken by the Service Engines (SEs) and subsequently uploaded to the Controller. Starting with Avi Vantage 18.2.3, users can set or reset a new traffic-capture parameter that enables or disables the capture of SSL keys. If the parameter is set to True for the virtual service, the relevant Service Engines capture the session keys of encrypted connections for that virtual service and store them in the SSL key log file. Users can then download this file and use it with Wireshark to decrypt a pcap of connections that use perfect forward secrecy (PFS).
Configuring Using the Avi UI
- Navigate to Operations and select the Traffic Capture tab.
- The virtual service pulldown menu presents the list of virtual services from which you can choose.
- Click the pencil icon to select the virtual service for which you wish traffic capture to be turned on. Then click the Capture Session Keys box within the window that appears. When satisfied with all settings, click on Start Capture.
Configuring Using the Avi CLI
Configuring capture parameter
: > debug virtualservice vs1
: debugvirtualservice> capture_params enable_ssl_session_key_capture
: debugvirtualservice> save
Starting a capture
: > debug virtualservice vs1
: debugvirtualservice> capture
: debugvirtualservice> save
Stopping an ongoing packet capture
: > debug virtualservice vs1
: debugvirtualservice> no capture
: debugvirtualservice> save
Analyzing captures
- Once the capture is complete, download and extract the tar file from the Controller. The result will be a PCAP capture file and a text file containing the session keys.
- Load the capture file into Wireshark, and filter for the encrypted conversation.
- Load the session keys by opening Wireshark Preferences and navigating to TLS or SSL, and under the (Pre)-Master-Secret log filename heading, browse for the extracted session keys text file.
Previously encrypted packets in the filtered conversation will now have an additional tab with the unencrypted contents.
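A pre-flight check for the extracted session keys text file before it is loaded into Wireshark, as an added example that is not part of the original page or of Avi's tooling. It assumes the file uses the NSS key log format (CLIENT_RANDOM and the TLS 1.3 secret labels) that Wireshark reads from the (Pre)-Master-Secret log filename setting; the function names and the sample data are constructed for illustration.

```python
import re

HEX = re.compile(r"[0-9a-fA-F]+")
# Secrets Wireshark needs for full TLS 1.3 decryption of one connection.
TLS13 = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
         "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
OPTIONAL13 = {"CLIENT_EARLY_TRAFFIC_SECRET", "EXPORTER_SECRET", "EARLY_EXPORTER_SECRET"}

def secret_ok(label, secret):
    # TLS <= 1.2 master secret is 48 bytes; TLS 1.3 secrets are hash-sized (32 or 48 bytes).
    want = (96,) if label == "CLIENT_RANDOM" else (64, 96)
    return len(secret) in want and HEX.fullmatch(secret) is not None

def check_keylog(text):
    """Return (sessions, problems): labels seen per client random, and rejected lines."""
    sessions, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if len(parts) != 3 or parts[0] not in TLS13 | OPTIONAL13 | {"CLIENT_RANDOM"}:
            problems.append((n, "unrecognised label or field count"))
        elif len(parts[1]) != 64 or not HEX.fullmatch(parts[1]):
            problems.append((n, "client random is not 32 hex-encoded bytes"))
        elif not secret_ok(parts[0], parts[2]):
            problems.append((n, "secret has unexpected length or characters"))
        else:
            sessions.setdefault(parts[1].lower(), set()).add(parts[0])
    return sessions, problems

def partial_tls13(sessions):
    """Client randoms with some, but not all, secrets needed for full TLS 1.3 decryption."""
    return sorted(r for r, labels in sessions.items()
                  if labels & TLS13 and not TLS13 <= labels)

# Constructed sample input (not real key material).
R1, R2, R3 = "11" * 32, "22" * 32, "33" * 32
SAMPLE = "\n".join([
    "# constructed key log",
    f"CLIENT_RANDOM {R1} {'aa' * 48}",
    *(f"{label} {R2} {'bb' * 32}" for label in sorted(TLS13)),
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R3} {'cc' * 32}",
    f"CLIENT_RANDOM {R1[:40]} {'aa' * 48}",   # truncated client random
    f"CLIENT_RANDOM {R1} {'zz' * 48}",        # non-hex secret
])

if __name__ == "__main__":
    sessions, problems = check_keylog(SAMPLE)
    print(len(sessions), "sessions;", "partial TLS 1.3:", partial_tls13(sessions))
    for n, why in problems:
        print(f"line {n}: {why}")
```

Lines using the legacy RSA label of the key log format are not handled here and would be reported as unrecognised. Because the file holds the secrets for every captured session of the virtual service, keep it and the pcap under the same access controls as the private key material.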