Reading Packet Captures taken from SSLV appliances

Article ID: 170425

Products

SSL Visibility Appliance Software

Issue/Introduction

During troubleshooting we sometimes need to retrieve and analyze packet captures from the appliance's interfaces. The purpose of this article is to describe the information we can expect to find in those packet captures depending on which interface we are capturing on.

Environment

This article covers the following deployment types:

  • Active Inline FA (Fail to Appliance)
  • Passive Inline

In both deployments, we applied this rule: "Decrypt (Resign Certificate)".

Resolution

Active Inline Fail to Appliance

Pcap 1: Client -> SSLV

Contains: Complete TCP Handshake, Complete SSL Handshake, and encrypted traffic. (Client-Side)

Pcap 4: SSLV -> Server

Contains: Complete TCP Handshake and Complete SSL Handshake (Server-Side)

Pcap 2: SSLV -> IPS/IDS

Contains: Complete TCP Handshake, No SSL Handshake, and half of the decrypted HTTP traffic (only the HTTP requests).

Pcap 3: IPS/IDS -> SSLV

Contains: Complete TCP Handshake, No SSL Handshake, and half of the decrypted HTTP traffic (only the HTTP responses).

Pcap 5: SSLV -> Copy Port

Contains: Complete TCP Handshake, No SSL Handshake, and Complete Decrypted HTTP traffic.

To see the whole decrypted HTTP transaction (request and response), merge the captures from interface 2 (Pcap 2) and interface 3 (Pcap 3). The TCP handshake will appear twice in the merged capture, because both captures contain it.
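
The Wireshark suite does this with `mergecap` followed by `editcap -d`. The following is an added example, not code from the article or the appliance, showing the same merge-and-deduplicate step in pure Python for classic (non-pcapng) pcap files; it assumes the IPS/IDS forwards the handshake frames unchanged, so a duplicate is a frame whose bytes already appeared within a short window. The frames in the sample data are constructed placeholders, not real Ethernet/TCP bytes.

```python
import collections
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap; we read/write little-endian
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
DEDUP_WINDOW = 5                        # same default window editcap -d uses

Record = Tuple[int, int, bytes]        # (ts_sec, ts_usec, frame bytes)

def parse_pcap(blob: bytes) -> Tuple[int, List[Record]]:
    """Parse a little-endian classic pcap file into (linktype, records)."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is supported here")
    off, records = GLOBAL_HDR.size, []
    while off + REC_HDR.size <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        records.append((ts_sec, ts_usec, blob[off:off + incl_len]))
        off += incl_len
    return linktype, records

def write_pcap(linktype: int, records: List[Record]) -> bytes:
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, frame in records:
        out.append(REC_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def merge_pcaps(blobs: List[bytes]) -> bytes:
    """Merge captures in timestamp order and drop frames whose bytes already
    appeared within the last DEDUP_WINDOW frames (the duplicated TCP handshake)."""
    linktypes, merged = set(), []
    for blob in blobs:
        linktype, records = parse_pcap(blob)
        linktypes.add(linktype)
        merged.extend(records)
    if len(linktypes) != 1:
        raise ValueError("captures use different link types; cannot merge")
    merged.sort(key=lambda r: (r[0], r[1]))  # stable sort keeps file order on ties
    recent, unique = collections.deque(maxlen=DEDUP_WINDOW), []
    for rec in merged:
        if rec[2] in recent:                 # byte-identical frame seen recently: duplicate
            continue
        recent.append(rec[2])
        unique.append(rec)
    return write_pcap(linktypes.pop(), unique)

# Constructed sample captures: Pcap 2 holds the handshake plus the request,
# Pcap 3 holds the same handshake (seen 5 us later) plus the response.
SYN, SYNACK, ACK = b"SYN", b"SYN/ACK", b"ACK"
PCAP2 = write_pcap(LINKTYPE_ETHERNET, [(10, 0, SYN), (10, 100, SYNACK), (10, 200, ACK), (10, 500, b"GET / HTTP/1.1")])
PCAP3 = write_pcap(LINKTYPE_ETHERNET, [(10, 5, SYN), (10, 105, SYNACK), (10, 205, ACK), (10, 900, b"HTTP/1.1 200 OK")])

if __name__ == "__main__":
    for ts_sec, ts_usec, frame in parse_pcap(merge_pcaps([PCAP2, PCAP3]))[1]:
        print(f"{ts_sec}.{ts_usec:06d} {frame!r}")
```

Real captures should be merged with `mergecap -w merged.pcap pcap2.pcap pcap3.pcap` and then `editcap -d merged.pcap dedup.pcap`; the window-based check above mirrors that tool so that a genuine retransmission later in the capture is not mistaken for a duplicate.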

Passive Inline

Pcap 1: Client -> SSLV

Contains: Complete TCP Handshake, Complete SSL Handshake, and encrypted traffic. (Client-Side)

Pcap 2: SSLV -> Server

Contains: Complete TCP Handshake and Complete SSL Handshake (Server-Side)

Pcap 5: SSLV -> Copy Port

Contains: Complete TCP Handshake, No SSL Handshake, and Complete Decrypted HTTP traffic.


Notes:

  • In all packet captures we see only the destination server's MAC and IP address and the client's IP address. We can tell which side of the communication (client-side or server-side) we are looking at from the certificate issuer in the "Certificate" message of the SSL Handshake: with the "Decrypt (Resign Certificate)" rule, the client-side capture carries the certificate re-signed by the appliance's resigning CA, while the server-side capture carries the original server certificate.

  • When checking the decrypted traffic in Wireshark, use "Decode As..." to decode port 443 as HTTP or HTTP2 so that it is dissected properly in the Packet List and Packet Details panes.

  • When using the Copy Port with no device connected to that interface, the capture will contain only the TCP Handshake and the Client Hello packet.