Enabling Session Key Capture When Debugging a Virtual Service

Overview

When debugging a virtual service, users can download from the Controller, for analysis, the traffic captures that were originally taken by the Service Engines (SEs) and subsequently uploaded to the Controller. Starting with Avi Vantage 18.2.3, users can set or reset a new traffic-capture parameter that enables or disables the capture of SSL keys. If the parameter is set to True for a virtual service, the relevant Service Engines capture the session keys of the encrypted connections to that VS and store them in an SSL key log file. Users can then download the file and use it in Wireshark to decrypt a pcap of sessions negotiated with PFS (ephemeral-key) cipher suites, which cannot be decrypted with the server's private key alone.

Configuring Using the Avi UI

  1. Navigate to Operations and select the Traffic Capture tab.
  2. The virtual service pulldown menu presents the list of virtual services from which you can choose.
  3. Click the pencil icon next to the virtual service for which you want to turn traffic capture on. In the window that appears, check the Capture Session Keys box. When satisfied with all settings, click Start Capture.

Configuring using the Avi CLI

Configuring the capture parameter

: debug virtualservice vs1
: debugvirtualservice> capture_params enable_ssl_session_key_capture
: debugvirtualservice> save

Starting a capture

: debug virtualservice vs1
: debugvirtualservice> capture
: debugvirtualservice> save

Stopping an ongoing packet capture

: debug virtualservice vs1
: debugvirtualservice> no capture
: debugvirtualservice> save

Analyzing captures

  1. Once the capture is complete, download the tar file from the Controller and extract it. The result is a PCAP capture file and a text file containing the session keys.
  2. Load the capture file into Wireshark and filter for the encrypted conversation.
  3. Load the session keys by opening Wireshark Preferences, navigating to Protocols > TLS (SSL in older Wireshark versions), and, under the (Pre)-Master-Secret log filename heading, browsing for the extracted session keys text file.

Previously encrypted packets in the filtered conversation will now have an additional tab with the unencrypted contents.
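When Wireshark still shows the conversation as encrypted after step 3, the first thing to check is the key file itself. The validator below is an added example (not code from the Avi product or this article); it assumes the session keys file uses the NSS key log format that Wireshark reads at the (Pre)-Master-Secret preference, and its sample lines are constructed.

```python
"""Validate a TLS session key log before loading it into Wireshark (added example)."""
import re
from collections import Counter

# Labels Wireshark accepts in the NSS key log format (assumed to be what the SE
# writes): TLS 1.2 lines carry a 48-byte master secret, TLS 1.3 lines a 32- or
# 48-byte traffic secret depending on the cipher suite's hash. The legacy
# "RSA <id> <premaster>" form is not handled here.
TLS12_SECRET_HEX = {"CLIENT_RANDOM": 96}
TLS13_LABELS = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Return (usable, problems): entries per label, and (line_no, reason) for lines Wireshark ignores."""
    usable, problems = Counter(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        parts = line.split()
        if len(parts) != 3:
            problems.append((no, "expected '<label> <client_random> <secret>'"))
            continue
        label, client_random, secret = parts
        if label in TLS12_SECRET_HEX:
            secret_ok = len(secret) == TLS12_SECRET_HEX[label]
        elif label in TLS13_LABELS:
            secret_ok = len(secret) in (64, 96)
        else:
            problems.append((no, f"unknown label {label}"))
            continue
        if len(client_random) != 64 or not HEX.match(client_random):
            problems.append((no, "client_random must be 32 bytes of hex"))
        elif not secret_ok or not HEX.match(secret):
            problems.append((no, f"wrong secret length for {label}"))
        else:
            usable[label] += 1  # Wireshark can match this line to a session
    return dict(usable), problems


# Constructed sample (not from a real capture): one TLS 1.2 session, one TLS 1.3
# handshake secret, and one line whose secret was truncated.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample key log",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32,
    "CLIENT_RANDOM " + "55" * 32 + " " + "66" * 20,
])
```

A key log that passes this check but still does not decrypt the capture usually means the logged sessions are not the ones in the pcap; the file itself is as sensitive as the traffic it unlocks, so delete it once the analysis is done.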

Suggested Reading