Why do I have to do mass decoding?
In order to recreate a customer DataPower reload in-house at IBM, with the customer's config and several tens of thousands of transactions captured in >10GB of .pcap files in total ...
Btw, I learned that there are platforms where DataPower packet capture does not work (DataPower on Red Hat OpenShift or Cloud Pak for Integration). This technote describes how to capture on those platforms:
https://www.ibm.com/support/pages/how-start-packet-capture-datapower-red-hat-openshift-or-cloud-pack-integration
It is not mentioned in that technote, but in order to be able to decode the traffic, you have to set the "Log SSL Key" toggle to "on" in the DataPower WebGUI Troubleshooting panel, or execute this CLI command:
top; switch default; diag ; tls-log-client-random
------------------------------
Hermann Stamm-Wilbrandt
Compiler Level 3 support & Fixpack team lead
IBM DataPower Gateways (⬚ᵈᵃᵗᵃ / ⣏⠆⡮⡆⢹⠁⡮⡆⡯⠂⢎⠆⡧⡇⣟⡃⡿⡃)
https://stamm-wilbrandt.de/en/blog/
------------------------------
Original Message:
Sent: Mon November 07, 2022 07:46 PM
From: Hermann Stamm-Wilbrandt
Subject: tshark mass decoding of TLS traffic captured with DataPower packet capture
Quite a few additions to the Twitter thread:
- the SplitCap tool to split a big (e.g. 1GB) .pcap by tcp.stream
- how to make tshark output pcap file format (for SplitCap) and not pcap-ng
- follow,ssl,ascii, vs. follow,ssl,raw,
------------------------------
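The procedure the two messages above describe (enable the DataPower key log, get the capture into classic pcap format, then feed tshark one tcp.stream at a time with follow,…,ascii or follow,…,raw) as an added example script. This is not code from the posts, the Twitter thread or the DataPower product; it assumes tshark 3.x option spellings (tls.keylog_file, follow,tls,…; older releases spell them ssl.keylog_file and follow,ssl,…), that the DataPower key log has been copied to a local file in the NSS "CLIENT_RANDOM <client random> <master secret>" format (the file name is an assumption), and it uses tshark's own tcp.stream index for the per-stream split instead of SplitCap. It also adds two checks a practitioner wants before a long decoding run: that every key-log line is well formed (tshark silently skips damaged lines) and which ClientHello randoms in the capture have no key at all.

```shell
#!/bin/sh
# Added example, not from the original posts or from DataPower itself.
# Assumptions: tshark 3.x in PATH; KEYLOG is an NSS-format key log produced
# after "tls-log-client-random" and copied off the appliance (path assumed).
set -u

# One NSS key-log line: LABEL <32-byte client random as 64 hex chars> <secret as hex>
# (CLIENT_RANDOM for TLS 1.2 and earlier, *_TRAFFIC_SECRET lines for TLS 1.3).
KEYLOG_RE='^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET) [0-9A-Fa-f]{64} [0-9A-Fa-f]+$'

# keylog_check FILE: print the number of usable key-log lines; return 1 if any
# non-comment, non-blank line is malformed. A capture that "does not decrypt"
# is often just a key log that was truncated or line-wrapped on the way over.
keylog_check() {
    total=$(awk '!/^#/ && NF > 0 { n++ } END { print n + 0 }' "$1")
    good=$(grep -c -E "$KEYLOG_RE" "$1" || true)
    echo "$good"
    [ "$good" -eq "$total" ]
}

# pcapng_to_pcap IN OUT: SplitCap reads classic pcap only, and tshark -w writes
# pcapng by default, so rewrite the capture with -F pcap.
pcapng_to_pcap() {
    tshark -r "$1" -F pcap -w "$2"
}

# tls_streams CAPTURE: every tcp.stream index that carries a TLS ClientHello,
# one per line, so the decode loop skips plain TCP streams.
tls_streams() {
    tshark -r "$1" -Y 'tls.handshake.type == 1' -T fields -e tcp.stream | sort -n -u
}

# keylog_coverage CAPTURE KEYLOG: list ClientHello randoms with no CLIENT_RANDOM
# entry in the key log; those sessions will stay encrypted in the follow output.
# Byte fields may print with ':' separators, so strip them before matching.
keylog_coverage() {
    tshark -r "$1" -Y 'tls.handshake.type == 1' -T fields -e tcp.stream -e tls.handshake.random |
    while read -r stream random; do
        random=$(printf '%s' "$random" | tr -d ':')
        if ! grep -q -i -E "^CLIENT_RANDOM $random " "$2"; then
            echo "stream $stream: no key for client random $random"
        fi
    done
}

# follow_all CAPTURE KEYLOG OUTDIR [ascii|raw]: decode every TLS stream into
# OUTDIR/stream-N.txt. "ascii" is readable for HTTP inside TLS; "raw" gives hex
# for binary bodies or for further parsing.
follow_all() {
    mode=${4:-ascii}
    mkdir -p "$3"
    tls_streams "$1" | while read -r stream; do
        tshark -r "$1" -o "tls.keylog_file:$2" -q -z "follow,tls,$mode,$stream" \
            > "$3/stream-$stream.txt"
    done
}

# Usage: sh decode.sh capture.pcap keys.log out/   (runs only with tshark present)
if [ $# -eq 3 ] && command -v tshark >/dev/null 2>&1; then
    keylog_check "$2" >/dev/null || { echo "key log has malformed lines" >&2; exit 1; }
    keylog_coverage "$1" "$2"
    follow_all "$1" "$2" "$3" ascii
fi
```

Run the key-log check and the coverage report first on a multi-GB capture: a run over tens of thousands of streams that turns out to be undecryptable because of a damaged or incomplete key log is the expensive mistake this guards against.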
Original Message:
Sent: Fri November 04, 2022 07:39 AM
From: Hermann Stamm-Wilbrandt
Subject: tshark mass decoding of TLS traffic captured with DataPower packet capture
Details in this Twitter thread:
https://twitter.com/HermannSW/status/1588491721654009857
------------------------------