You are here

Tracing network traffic using tcpdump and tshark

Affects product: 
Airlock WAF

It is often useful to record network traffic on one of the interfaces attached to Airlock WAF. This may be to analyze whether packets sent from external systems are reaching the WAF, to check network connectivity, routing or firewall settings. To record such traffic on Airlock WAF version 5 and higher the common Linux tool tcpdump can be used (for Airlock WAF versions up to 4.2, please use snoop). Traces recorded with tcpdump are compatible with other monitoring tools and analyzers like Wireshark. Alternatively, you can use TShark, the command line version of Wireshark, directly.

How to use tcpdump

The most important thing to know when recording network traffic are the names of the used network interfaces. There is a management interface, a back-end interface and one or more external interfaces. The management and back-end interface can be found in the menu "System Setup" - "Nodes" in the Airlock Configuration Center. The external interface can be found by selecting the corresponding virtual host in the menu "Application Firewall" - "Reverse Proxy". Typical names used for interfaces are eth0, eth1, vmnet1, etc. The names depend on the interface card type used. The number of the interface may vary depending on the network setup.

To get a list of available interface on the command line, use the following command:

tcpdump -D

To record everything received and transmitted on the interface eth1 and print ASCII content, use following command:

tcpdump -i ens224 -A

To restrict the traced traffic to (dst) and from (src) a certain IP address, use the following command:

tcpdump -i ens224 host

To restrict the traced traffic further to a certain port, use the following command:

tcpdump -i ens224 host and port 80

To trace everything except SSH traffic, use the following command:

tcpdump -i ens224 not port 22

To write traffic to a file for further analysis in another tool, use the following command:

tcpdump -i ens224 -w /tmp/backend.pcap

To reduce the recorded traffic, combine filter expressions while writing the traffic to a file:

tcpdump -i ens224 port 443 -w /tmp/backend.pcap

How to use TShark

TShark is the command line version of Wireshark. It works similarly to tcpdump but is capable of parsing hundreds of protocols directly. It is therefore very useful for in-depth protocol analysis.

For example, the following command displays HTTP content directly on the command-line:

tshark -i ens224 -x tcp port 80 -R http

Transfering captured data to your workstation

To copy the recorded data to another system for further analysis, use SCP or WinSCP from the target system, e.g.

scp root@airlock:/tmp/backend.pcap .

Decrypt HTTPS traffic on Airlock WAF

Airlock WAF 6.0 and newer is able to log SSL/TLS session keys of front-end and back-end HTTPS connections. This allows to decipher the encrypted traffic.

Setup SSL Session Key Logging

To activate SSL session key logging the appropriate expert setting has to be enabled. Either globally for front-end or back-end traffic or specifically per virtual-host or back-end group.

To enable front-end key logging to /var/log/airlock/ext-apache/ssl/keys.log, the following directive has to be added to the Apache Expert Settings either globally or in the Virtual Host:

AirlockSSLKeyLogEnable On

To enable back-end key logging to /var/log/airlock/gatekeeper/ssl/keys.log, the following directive has to be added to the Security Gate Expert Settings:

Globally enabled for all Back-end Groups:

SecurityGateway * BackendSSLKeyLog.Enable "TRUE"

Enabled for one Back-end Group:

BackendSSLKeyLog.Enable "TRUE"

(Note: There is no "SecurityGateway *" prefix for Back-end Group Expert Settings)

As soon as the configuration is activated the SSL Session Keys will be logged to the appropriate files.

Live traffic deciphering using tshark

The following command live deciphers traffic for a specific virtual host, e.g listening on IP

tshark -i ens224 -n -p -o "ssl.keylog_file: /var/log/airlock/ext-apache/ssl/keys.log" -f "host && port 443"

if the virtual host is not listing on a default HTTPS port, e.g 10443, run.

tshark -i ens224 -n -p -o "ssl.keylog_file: /var/log/airlock/ext-apache/ssl/keys.log" -f "host && port 10443" -o "http.ssl.port: 10443" -d tcp.port==10443,ssl

Note that the TShark/libgcrypt version as shipped with Airlock WAF 6.0 is not able to decipher certain cipher suites like GCM ciphers. In this case the capturing file must be decrypted on a different host with a different analyzer (or newer version of TShark). The next section describes how to decipher a capturing file using wireshark.

Further note that TShark, when started in the live capturing mode, does only consider SSL session keys for decryption that are appended to the key file. Connections reusing older SSL sessions are not decrypted. SSL session-reuse can be prevented by clearing the SSL session cache of the client or server after TShark is started. For front-end connections, this can be done by restarting the client/browser. For back-end connections this can be done by reloading the airlock-gatekeeper service. On Airlock WAF version 6.x this is accomplished with the following command:

/etc/init.d/airlock-gatekeeper signal

But in version 7.x the the following command must be used:

systemctl reload airlock-gatekeeper
Offline traffic deciphering using wireshark

To decipher traffic using wireshark, first copy the recorded (still encrypted) traffic to the target machine using scp

scp root@airlock:/tmp/frontend.pcap .

Also copy the SSL key log file(s)

scp root@airlock:/var/log/airlock/ext-apache/ssl/keys.log .

Start wireshark and configure the SSL key log file in "Edit" -  "Preferences" - "Protocols" - "SSL" - "(Pre)-Master-Secret log filename". Then open the pcap file containing the encrypted traffic.

Knowledge Base Categories: