During troubleshooting we sometimes need to retrieve and analyze packet captures from the appliance's interfaces. This article describes the information found in those packet captures depending on which interface they are taken from.
The deployment types covered are the following:
In both deployments, we applied this rule: "Decrypt (Resign Certificate)".
Pcap 1: Client -> SSLV
Contains: Complete TCP handshake, complete SSL handshake, and encrypted traffic (client-side).
Pcap 4: SSLV -> Server
Contains: Complete TCP handshake and complete SSL handshake (server-side).
Pcap 2: SSLV -> IPS/IDS
Contains: Complete TCP handshake, no SSL handshake, and half of the decrypted HTTP traffic (only the HTTP requests).
Pcap 3: IPS/IDS -> SSLV
Contains: Complete TCP handshake, no SSL handshake, and half of the decrypted HTTP traffic (only the HTTP responses).
Pcap 5: SSLV -> Copy Port
Contains: Complete TCP handshake, no SSL handshake, and the complete decrypted HTTP traffic.
To see the whole decrypted HTTP transaction (request and response), we need to merge the captures from Interface 2 (Pcap 2) and Interface 3 (Pcap 3). The TCP handshake will appear twice in the merged capture, because both captures contain it.
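As an added example that is not part of this article or of the appliance's tooling, the script below merges two constructed captures standing in for Pcap 2 and Pcap 3, orders the frames by timestamp and drops the TCP handshake frames that were recorded on both interfaces, which is what Wireshark's command-line tools `mergecap` and `editcap -d` do on real capture files. The pcap reader/writer and the frame builder are minimal helpers written for this example, and the addresses, timestamps and HTTP payloads are constructed placeholders.

```python
import struct

def write_pcap(packets):
    """Serialise (timestamp, frame) pairs into a classic pcap blob (link type 1, Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, data in packets:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1_000_000), len(data), len(data)) + data
    return out

def read_pcap(blob):
    """Parse a little-endian classic pcap blob back into (timestamp, frame) pairs."""
    assert struct.unpack("<I", blob[:4])[0] == 0xA1B2C3D4, "unsupported pcap magic"
    off, packets = 24, []
    while off < len(blob):
        sec, usec, caplen, _ = struct.unpack("<IIII", blob[off:off + 16])
        packets.append((sec + usec / 1_000_000, blob[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return packets

def merge_dedup(*blobs, window=5):
    """Merge captures by timestamp, dropping a frame whose bytes repeat within the previous `window` frames."""
    kept, recent = [], []
    for ts, data in sorted(p for b in blobs for p in read_pcap(b)):
        if data in recent:
            continue  # the same handshake frame was recorded on both interfaces
        kept.append((ts, data))
        recent = (recent + [data])[-window:]
    return kept

def tcp_frame(sport, dport, seq, ack, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame with placeholder addresses and zero checksums."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x0a")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload

# Constructed sample: both interfaces record the same TCP handshake, but Pcap 2 carries only
# the decrypted request and Pcap 3 only the decrypted response.
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18
HANDSHAKE = [(1.0, tcp_frame(50000, 443, 100, 0, SYN)),
             (1.001, tcp_frame(443, 50000, 500, 101, SYNACK)),
             (1.002, tcp_frame(50000, 443, 101, 501, ACK))]
REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
PCAP2 = write_pcap(HANDSHAKE + [(1.010, tcp_frame(50000, 443, 101, 501, PSHACK, REQUEST))])
PCAP3 = write_pcap(HANDSHAKE + [(1.020, tcp_frame(443, 50000, 501, 140, PSHACK, RESPONSE))])

def merged_payloads(*blobs):
    """Application payloads (bytes after the 54-byte Ethernet/IPv4/TCP headers), in capture order."""
    return [data[54:] for _, data in merge_dedup(*blobs)]
```

Running `merged_payloads(PCAP2, PCAP3)` yields one handshake (three empty payloads) followed by the request and then the response, i.e. the full transaction that neither capture shows on its own.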
Pcap 1: Client -> SSLV
Contains: Complete TCP handshake, complete SSL handshake, and encrypted traffic (client-side).
Pcap 2: SSLV -> Server
Contains: Complete TCP handshake and complete SSL handshake (server-side).
Pcap 5: SSLV -> Copy Port
Contains: Complete TCP handshake, no SSL handshake, and the complete decrypted HTTP traffic.
In all packet captures we see only the destination server's MAC and IP addresses and the client's IP address. We can tell which side of the communication (client-side or server-side) we are looking at from the certificate issuer in the "Certificate" message of the SSL handshake: with the "Decrypt (Resign Certificate)" rule, the client-side certificate is issued by the appliance's resigning CA, while the server-side certificate carries the origin server's real issuer.
When checking the decrypted traffic in Wireshark, we need to use "Decode As" to decode port 443 traffic as HTTP or HTTP2 so that it is dissected properly in the Packet List and Packet Details panes.
When capturing on the Copy Port with no device connected to that interface, we will only see the TCP handshake and the Client Hello packet.