Tutorial: How to decrypt a NetScaler trace

10 May

Every now and then it’s necessary to actually look into an SSL stream between client and NetScaler to inspect what is really happening. I struggled with this topic quite a bit, and the documentation (e.g. from Citrix) is not always complete. I will not pretend this document covers everything, but I have had good success decrypting traces with the following procedure. If you have any additions please let me know, and I will be happy to add them to this post.

Setting up NetScaler

When running a trace on NetScaler, lots and lots of IP traffic is captured. I recommend filtering your trace on your client’s public IP address. Keep in mind that it really helps if just one person is using that IP address at that moment; it will be much harder to investigate the traffic if multiple clients share the same public IP. Before you enable tracing, prepare your SSL vServers. If you use, for instance, a Content Switching vServer to publish a website protected with an AAA vServer, you need to prepare both the Content Switching vServer and the AAA vServer.

On both vServers:

  • Disable SSL Session Reuse
  • You do not have to disable PFS (Perfect Forward Secrecy)

After preparing your vServers you can start your trace. What I recommend:

  • Set your packet size to 0
  • Filter the trace on public IP
  • Capture SSL Master Keys
  • Trace filtered connection’s peer traffic
  • Do NOT select the SSLPLAIN checkbox. This results in a trace that is hard to read.


When your trace is running, the next step is on the client side. You need to make sure the browser is closed, and do check with Task Manager. Too many times I have had a client still running the browser, or a Chrome add-on keeping the chrome.exe process alive. In that case the SSL handshake will not be recorded and your trace cannot be decrypted.

After you’re done, stop and download your trace. You can open the .cap file with Wireshark. The first thing I check is whether the SSL handshake was recorded. You can do so with the following filter (handshake type 16 is the ClientKeyExchange message; replace 1.2.3.4 with your client’s public IP):

ssl.handshake.type == 16 && ip.addr eq 1.2.3.4

This should return packets. If nothing is displayed, no SSL handshake was recorded and you won’t be able to decrypt the trace. Again, make sure the browser is fully closed and do check with Task Manager, or try another browser.

If your handshake is recorded you can decrypt your trace with the captured SSL master keys. Open Preferences in Wireshark and navigate to Protocols – SSL. Import your SSL master key file there:

You should now be able to see your decrypted data. You can check with the following filter:

http && ssl

And there you go. Decrypted data. If you do not see decrypted data, I’m sorry, you did something wrong 🙂 Try again.
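The two Wireshark checks above (is the ClientKeyExchange from the client IP in the trace, and does the imported key file actually cover that handshake) can also be done outside Wireshark, which is handy when a trace refuses to decrypt. The script below is an added example written for this post; it is not part of the original tutorial and not Citrix or NetScaler tooling. It assumes the trace is a classic pcap (not pcapng) of untagged Ethernet/IPv4/TCP frames, and that the master-key file is in the NSS key-log format Wireshark reads (lines of the form `CLIENT_RANDOM <client random hex> <master secret hex>`); Wireshark decrypts a session by matching the 32-byte random from the ClientHello against those lines. The sample pcap bytes and key-log line at the bottom are constructed in the script, not real captures.

```python
"""Added example (not from the original post or from Citrix): check a NetScaler
.cap the way the tutorial's Wireshark filters do, without Wireshark.
Assumes: classic pcap (not pcapng), Ethernet/IPv4/TCP frames without VLAN tags,
and a master-key file in the NSS key-log format Wireshark reads
("CLIENT_RANDOM <client_random hex> <master_secret hex>")."""
import struct

TLS_HANDSHAKE = 22
CLIENT_HELLO, CLIENT_KEY_EXCHANGE = 1, 16   # ssl.handshake.type values


def pcap_frames(data):
    """Yield raw link-layer frames from classic pcap bytes (either byte order)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                 # skip the 24-byte global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def tcp_payload(frame):
    """Strip Ethernet/IPv4/TCP headers; return (src_ip, dst_ip, payload) or None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                          # not IPv4 over Ethernet, or not TCP
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None                          # truncated TCP header
    return src, dst, tcp[(tcp[12] >> 4) * 4:]


def handshake_messages(payload):
    """Yield (handshake_type, body) for each message in the TLS handshake records."""
    off = 0
    while off + 5 <= len(payload):
        ctype, _ver, rlen = struct.unpack("!BHH", payload[off:off + 5])
        rec, off = payload[off + 5:off + 5 + rlen], off + 5 + rlen
        p = 0
        while ctype == TLS_HANDSHAKE and p + 4 <= len(rec):
            hlen = int.from_bytes(rec[p + 1:p + 4], "big")
            yield rec[p], rec[p + 4:p + 4 + hlen]
            p += 4 + hlen


def check_trace(pcap, keylog, client_ip):
    """Was the client's ClientKeyExchange captured, and does the key log carry a
    CLIENT_RANDOM entry for its ClientHello (the value Wireshark matches on)?"""
    randoms, saw_cke = set(), False
    for frame in pcap_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None or client_ip not in parsed[:2]:
            continue                         # same effect as "ip.addr eq <client>"
        for htype, body in handshake_messages(parsed[2]):
            if htype == CLIENT_HELLO and len(body) >= 34:
                randoms.add(body[2:34].hex())  # 2-byte version, then 32-byte random
            elif htype == CLIENT_KEY_EXCHANGE:   # "ssl.handshake.type == 16"
                saw_cke = True
    logged = {f[1] for f in (ln.split() for ln in keylog.splitlines())
              if len(f) == 3 and f[0] == "CLIENT_RANDOM"}
    return {"client_key_exchange": saw_cke, "client_randoms": randoms,
            "key_for_handshake": bool(randoms & logged)}


# --- constructed sample trace and key log (not real captures) ---
def _frame(src, dst, tls):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(tls), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp + tls


def _record(htype, body):
    msg = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(msg)) + msg


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_RANDOM = bytes(range(32))
SAMPLE_PCAP = _pcap([
    _frame("1.2.3.4", "10.0.0.1", _record(CLIENT_HELLO, b"\x03\x03" + SAMPLE_RANDOM + b"\x00")),
    _frame("1.2.3.4", "10.0.0.1", _record(CLIENT_KEY_EXCHANGE, b"\x00\x20" + b"\x11" * 32)),
    _frame("5.6.7.8", "10.0.0.1", _record(CLIENT_HELLO, b"\x03\x03" + b"\xff" * 32 + b"\x00")),
])
SAMPLE_KEYLOG = "CLIENT_RANDOM %s %s\n" % (SAMPLE_RANDOM.hex(), "ab" * 48)

if __name__ == "__main__":
    print(check_trace(SAMPLE_PCAP, SAMPLE_KEYLOG, "1.2.3.4"))   # decryptable
    print(check_trace(SAMPLE_PCAP, SAMPLE_KEYLOG, "5.6.7.8"))   # hello only, no key
```

For a real trace, pass the bytes of the downloaded .cap and the text of the master-key file to `check_trace` with the client’s public IP. `client_key_exchange` False is the case the post describes (browser not fully closed, handshake happened before the trace started). `client_key_exchange` True but `key_for_handshake` False is the other common failure: the handshake is in the trace but no CLIENT_RANDOM line matches its ClientHello, typically because session reuse was still enabled or the key capture option was not ticked, so Wireshark has nothing to decrypt with.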
