
How to use the pcap from traffic diagnostic

luayh
Organizer

Hi,

Recently our infra has been undergoing changes: some of the web servers and app servers moved from Windows 2008 R2 to Windows 2012 R2. This caused the cipher order to change, as the OS is different, and we can see "failed to decrypt ECDHE". I have captured data using traffic diagnostic in CAS, limited to just one IP address. I'm using Wireshark to view the pcap file and am trying to find the start point when the encryption picks ECDHE instead of the other cipher. I need some advice, as I have little to no experience using Wireshark.

Additional info about the infra: Request -> load balancer -> webseal -> load balancer -> web server.

[image: wireshark-screenshot.png]

Thanks & Best wishes,

Yee Heng

6 replies

ulf_thornander3
Inactive

Hi Yee.

That is done in the initial handshake. One way to maintain visibility is possibly to move your capture point to after the WebSEAL, which normally handles the SSL piece.

https://www.ssl.com/article/ssl-tls-handshake-overview/

luayh
Organizer

Thanks for suggesting, but we cannot touch the tap. Traffic before the switch and the WebSEAL LB is mirrored and sent to a device, then IP-filtered and forwarded to our AMD.

BabarQayyum
Leader

Hello Yee,

Just sharing following information in case.

Private key

If you are NOT using any of the anonymous key agreement protocols (DHE, ECDH, ECDHE), your new certificate file must also contain your private key.

https://community.dynatrace.com/community/display/...

Regards,

Babar
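The two points above (the cipher suite is fixed in the initial handshake, and only non-ephemeral suites can be decrypted with the server's private key) can be checked directly in the capture. The script below is an added example and is not code from this thread or from Dynatrace: it walks a classic pcap file with the standard library only, finds every TLS ServerHello at the start of a TCP segment, names the suite the server chose, and reports the first handshake that picked a DHE/ECDHE suite. The sample capture, the 10.0.0.x addresses, ports and timestamps are all constructed for the example; the CIPHER_SUITES table is a small subset of the IANA registry.

```python
"""Report the cipher suite chosen in each TLS ServerHello found in a pcap file.

Added example, not code from the original thread or from Dynatrace. Assumes a
classic pcap (not pcapng) with Ethernet/IPv4/TCP frames; the sample capture
produced by build_sample_pcap() is constructed, addresses and times are made up.
"""
import struct

# Subset of the IANA TLS cipher suite registry. Suites with DHE/ECDHE key
# exchange use ephemeral keys, so the server's private key alone cannot decrypt them.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def forward_secret(name):
    """True for ephemeral (DHE/ECDHE) key exchange, i.e. not decryptable with the server key."""
    return "_DHE_" in name or "_ECDHE_" in name


def iter_pcap_packets(data):
    """Yield (timestamp, frame_bytes) from a classic pcap; rejects pcapng and non-Ethernet."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return ('src:port', 'dst:port', tcp_payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:  # protocol field: 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    src = "%d.%d.%d.%d:%d" % (tuple(ip[12:16]) + (sport,))
    dst = "%d.%d.%d.%d:%d" % (tuple(ip[16:20]) + (dport,))
    return src, dst, tcp[data_off:]


def server_hello_suite(payload):
    """Cipher suite id if the payload begins with a TLS ServerHello record, else None."""
    # Record header: type(1)=0x16 version(2) length(2); handshake header: type(1)=2 length(3)
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x02:
        return None
    body = payload[9:]  # version(2) random(32) session_id_len(1) session_id cipher_suite(2)
    if len(body) < 35:
        return None
    pos = 35 + body[34]
    if len(body) < pos + 2:
        return None
    return struct.unpack("!H", body[pos:pos + 2])[0]


def negotiated_suites(pcap_bytes):
    """List of (time, server, client, suite_name, forward_secret) per ServerHello seen."""
    rows = []
    for ts, frame in iter_pcap_packets(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, payload = parsed
        suite = server_hello_suite(payload)
        if suite is None:
            continue
        name = CIPHER_SUITES.get(suite, "UNKNOWN_0x%04X" % suite)
        rows.append((ts, src, dst, name, forward_secret(name)))
    return rows


def first_ecdhe(rows):
    """Timestamp of the first handshake that chose an ephemeral suite, or None."""
    for ts, _src, _dst, _name, ephemeral in rows:
        if ephemeral:
            return ts
    return None


def _frame(src_ip, sport, dst_ip, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (parsing ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def _server_hello(suite):
    """Minimal TLS 1.2 ServerHello record carrying the given cipher suite."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def build_sample_pcap():
    """Constructed capture: server 10.0.0.20 answers one client with RSA, the next with ECDHE."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, f in [
        (1000, _frame("10.0.0.20", 443, "10.0.0.5", 50001, _server_hello(0x002F))),
        (1001, _frame("10.0.0.20", 443, "10.0.0.5", 50002, _server_hello(0xC02F))),
    ]:
        out += struct.pack("<IIII", sec, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    found = negotiated_suites(data)
    for ts, srv, cli, name, ephemeral in found:
        print("%.6f %s -> %s %s%s" % (ts, srv, cli, name,
                                       "  (ephemeral: server key cannot decrypt)" if ephemeral else ""))
    if first_ecdhe(found) is not None:
        print("first ephemeral key exchange at %.6f" % first_ecdhe(found))
```

Run it as `python3 suites.py capture.pcap`; with no argument it runs on the constructed sample. It only looks at ServerHellos that start at the beginning of a TCP segment and does no reassembly, so a capture with heavy fragmentation will need Wireshark's own dissector: the display filter `tls.handshake.type == 2` (`ssl.handshake.type == 2` in older releases) lists the ServerHellos, and adding `tls.handshake.ciphersuite` as a column shows the same per-connection choice; sorting by time then gives the first connection where the server picked an ECDHE suite.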

Hi Babar,

Yes, we have requested all the new web server and LB certs & keys. Thanks for the reminder.

matthew_eisengr
Inactive

Yee,

Have you thought about upgrading to 12.4.11 and taking advantage of the SSL cipher discovery it now does? That should save you loads of time!

Hi Matthew,

I checked the release notes; you mean the feature released from 12.4.10 onward? At first glance it does seem worth upgrading to. Thanks for suggesting.