How To Capture Decrypted Traffic on a Re-Encrypted Virtual Service
To view decrypted traffic at the LoadMaster, the Virtual Service must be SSL-offloaded. If the Virtual Service is not being re-encrypted, then you can simply do a tcpdump with a filter to only capture server-side traffic. This article relates to viewing traffic that is being re-encrypted to the server(s).
The way to accomplish this is to configure a “Decrypt Virtual Service” with the Service Type set to Generic and with both SSL Acceleration and Reversed enabled.
The “Decrypt Virtual Service” does not need any other configuration and is quite basic. This Virtual Service contains the actual ‘Real Server’. The Real Server Check Method can be set to None, because health checking is still taking place at the main Virtual Service.
The main Virtual Service should have Reencrypt disabled, and the “Decrypt Virtual Service” should be added as a Real Server. Also, the original Real Server should be disabled.
Now it’s time to take a tcpdump.
In the Options box, enter a filter similar to this:
-i lo -c 50000 host 10.1.114.21
This captures only on the loopback interface (-i lo), increases the packet count to 50,000 (-c 50000), and captures only packets to or from the IP 10.1.114.21.
In the above example, Outlook was opened while capturing on the LoadMaster’s loopback interface, which contains the decrypted packets.
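One way to confirm that a capture saved from the loopback interface really holds decrypted traffic, shown as an added example that is not part of the original article or the LoadMaster product: the script reads a classic pcap file and counts TCP payloads that begin with a TLS record header versus an HTTP start line. It assumes Ethernet framing (as tcpdump writes for a Linux loopback interface) and HTTP as the offloaded protocol; the function names are hypothetical and sample_pcap builds a constructed test capture.

```python
import struct

HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"HTTP/1.")

def tcp_payloads(pcap: bytes):
    """Yield non-empty TCP payloads from a classic pcap with Ethernet framing
    (assumption: what tcpdump writes for a Linux 'lo' interface)."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if e is None or struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(e + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                          # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]
        if len(tcp) < 20:
            continue                          # truncated TCP header
        data = tcp[(tcp[12] >> 4) * 4:]
        if data:
            yield data

def classify(pcap: bytes) -> dict:
    """Count payloads starting with a TLS record header or an HTTP start line."""
    counts = {"tls": 0, "http": 0, "other": 0}
    for p in tcp_payloads(pcap):
        if len(p) >= 5 and p[0] in (20, 21, 22, 23) and p[1] == 3 and p[2] <= 4:
            counts["tls"] += 1                # record type + version 3.x
        elif p.startswith(HTTP_STARTS):
            counts["http"] += 1
        else:
            counts["other"] += 1              # e.g. continuation segments
    return counts

def sample_pcap(payloads) -> bytes:
    """Constructed test capture: one Ethernet/IPv4/TCP frame per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(p), 0, 0, 64, 6, 0,
                         bytes([127, 0, 0, 1]), bytes([10, 1, 114, 21]))
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
        frame = bytes(12) + b"\x08\x00" + ip + tcp + p
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(classify(sample_pcap([b"GET / HTTP/1.1\r\n\r\n", b"\x16\x03\x01\x00\x05hello"])))
```

A capture that shows tls counts and no http counts indicates the traffic on that interface is still encrypted.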