Skip to content

Commit

Permalink
sauce-connect: add Traffic Inspection article (#2854)
Browse files Browse the repository at this point in the history
Add article how to use Wireshark with sc.
  • Loading branch information
mmatczuk authored and Choraden committed Oct 2, 2024
1 parent c796685 commit 8e5c5d3
Show file tree
Hide file tree
Showing 2 changed files with 167 additions and 0 deletions.
166 changes: 166 additions & 0 deletions docs/secure-connections/sauce-connect-5/inspecting.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,166 @@
---
id: inspecting
title: Traffic Inspection
---

This document describes how to inspect Sauce Connect 5 tunnel traffic using Wireshark or other network analysis tools.
This technique allows you to decrypt SSL/TLS traffic by using TLS keys logged by the Sauce Connect.
It does not require use of third-party proxies to reencrypt the traffic.

:::note
Inspecting tunnel traffic is available in **Sauce Connect Proxy 5.2** and later.
:::

## Prerequisites

- [Wireshark](https://www.wireshark.org) must be installed on your machine.
Make sure you have the Wireshark command line tool `tshark` available.
- [Sauce Connect Proxy 5](/secure-connections/sauce-connect-5/installation) must be installed and configured.

## TLS key logging

There is more than one way to enable TLS key logging in Sauce Connect Proxy 5:

* Using the `SSLKEYLOGFILE=<path>` environment variable -
enables logging of all TLS keys to the specified file,
this includes both tunnel connections and connections to upstream servers.
* Using the `--tunnel-tls-keylog-file=<path>` flag -
enables logging of TLS keys for tunnel connections to Sauce Labs servers only.
* Using the `--http-tls-keylog-file=<path>` flag -
enables logging of TLS keys for both tunnel connections and connections to upstream servers.

The following example demonstrates how to enable TLS key logging for tunnel connection only:

Command line:

```bash
sc run ... --tunnel-tls-keylog-file=/path/to/sslkeylog.log
```

Configuration file:

```yaml
tunnel-tls-keylog-file: /path/to/sslkeylog.log
```
## TLS resigning
Setting `SSLKEYLOGFILE` will allow you to inspect HTTP requests made by the tunnel client.
If you want to inspect HTTPS requests, you need to run Sauce Connect Proxy with TLS resigning enabled.
This is because Sauce Connect Proxy does not have access to the client's private keys, which are required to decrypt HTTPS traffic.

See [--tls-resign-domains](/dev/cli/sauce-connect-5/run/#tls-resign-domains) flag for more information on how to enable TLS resigning.

## Traffic capture

Follow these steps to inspect tunnel traffic using Wireshark:

1. Start capturing traffic using `tshark` before starting the Sauce Connect Proxy:

```bash
tshark -f "tcp port 443" -o "tls.keylog_file:/path/to/sslkeylog.log" -Y http2 -O http2
```
Replace `/path/to/sslkeylog.log` with the path to the file where the TLS keys are logged.
Note that if tshark is started after the Sauce Connect Proxy, it will not be able to decrypt the traffic.

The `tshark` command would try to guess the interface to capture traffic from.
You can list available interfaces using `tshark -D`,
and specify the interface using the `-i` flag ex. `tshark -i eth0 ...`.

1. Start the Sauce Connect Proxy with TLS key logging and TLS resigning enabled:

```bash
sc run ... --tunnel-tls-keylog-file: /path/to/sslkeylog.log --tls-resign-domains all
```
1. You should see decrypted HTTP/2 frames in the output of `tshark` similar to the following:

```
Frame 49414: 105 bytes on wire (840 bits), 105 bytes captured (840 bits) on interface en4, id 0
Ethernet II, Src: CompalBroadb_e8:b4:78 (ac:22:05:e8:b4:78), Dst: BelkinIntern_cd:b6:0b (e8:9f:80:cd:b6:0b)
Internet Protocol Version 4, Src: 185.94.26.247, Dst: 192.168.0.206
Transmission Control Protocol, Src Port: 443, Dst Port: 53736, Seq: 12230, Ack: 20202, Len: 39
Transport Layer Security
HyperText Transfer Protocol 2
Stream: PING, Stream ID: 0, Length 8
Length: 8
Type: PING (6)
Flags: 0x00
0000 000. = Unused: 0x00
.... ...0 = ACK: False
0... .... .... .... .... .... .... .... = Reserved: 0x0
.000 0000 0000 0000 0000 0000 0000 0000 = Stream Identifier: 0
Ping: 9db0139a0702fc8b
Frame 49731: 155 bytes on wire (1240 bits), 155 bytes captured (1240 bits) on interface en4, id 0
Ethernet II, Src: CompalBroadb_e8:b4:78 (ac:22:05:e8:b4:78), Dst: BelkinIntern_cd:b6:0b (e8:9f:80:cd:b6:0b)
Internet Protocol Version 4, Src: 185.94.26.247, Dst: 192.168.0.206
Transmission Control Protocol, Src Port: 443, Dst Port: 53735, Seq: 19179, Ack: 534008, Len: 89
Transport Layer Security
HyperText Transfer Protocol 2
Stream: HEADERS, Stream ID: 29, Length 58
Length: 58
Type: HEADERS (1)
Flags: 0x04, End Headers
00.0 ..0. = Unused: 0x00
..0. .... = Priority: False
.... 0... = Padded: False
.... .1.. = End Headers: True
.... ...0 = End Stream: False
0... .... .... .... .... .... .... .... = Reserved: 0x0
.000 0000 0000 0000 0000 0000 0001 1101 = Stream Identifier: 29
[Pad Length: 0]
Header Block Fragment: 4199415293553216f06a9790691af498961d07952b90f4dc69a67fdae4d97f0299415293553216f06a9790691af498961d07952b90f4dc69a67f
[Header Length: 206]
[Header Count: 5]
Header: :authority: settings-win.data.microsoft.com:443
Name Length: 10
Name: :authority
Value Length: 35
Value: settings-win.data.microsoft.com:443
:authority: settings-win.data.microsoft.com:443
[Unescaped: settings-win.data.microsoft.com:443]
Representation: Literal Header Field with Incremental Indexing - Indexed Name
Index: 1
...
```

### Customizing display filters

WireShark provides a powerful display filter language that allows you to filter the traffic you want to inspect.
For example, to capture only [HTTP/2 HEADERS frames](https://httpwg.org/specs/rfc7540.html#HEADERS) in a format that is easier to further process, you can use the following command:

```bash
tshark -f "tcp port 443" -o "tls.keylog_file:/path/to/sslkeylog.log" \
-Y "http2.type == 1" -T fields -e frame.number -e http2.header.name -e http2.header.value
```

Output:

```
2889 :authority,:method,:path,:scheme,user-agent,accept,priority,x-forwarded-for,sl-forwarded-proto,x-forwarded-proto,sl-forwarded-host,x-forwarded-host,via,x-forwarded-url,accept-language,accept-encoding,content-type,pragma,cache-control,content-length r11.o.lencr.org,POST,/,http,Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0,*/*,u=2,10.113.32.170,http,http,r11.o.lencr.org,r11.o.lencr.org,1.1 sc_server-dfcd2679b772ba704ff6,http://r11.o.lencr.org/,en-US,en;q=0.5,gzip, deflate,application/ocsp-request,no-cache,no-cache,85
2918 :authority,:method,:path,:scheme,x-forwarded-for,cache-control,x-forwarded-url,via,sl-forwarded-proto,x-forwarded-host,accept,accept-encoding,content-type,priority,sl-forwarded-host,user-agent,accept-language,x-forwarded-proto,pragma,content-length r10.o.lencr.org,POST,/,http,10.113.32.170,no-cache,http://r10.o.lencr.org/,1.1 sc_server-dfcd2679b772ba704ff6,http,r10.o.lencr.org,*/*,gzip, deflate,application/ocsp-request,u=2,r10.o.lencr.org,Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0,en-US,en;q=0.5,http,no-cache,85
2924 :authority,:method,:path,:scheme,pragma,via,x-forwarded-host,accept,x-forwarded-url,priority,x-forwarded-for,sl-forwarded-proto,sl-forwarded-host,user-agent,accept-language,accept-encoding,content-type,cache-control,x-forwarded-proto,content-length r10.o.lencr.org,POST,/,http,no-cache,1.1 sc_server-dfcd2679b772ba704ff6,r10.o.lencr.org,*/*,http://r10.o.lencr.org/,u=2,10.113.32.170,http,r10.o.lencr.org,Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0,en-US,en;q=0.5,gzip, deflate,application/ocsp-request,no-cache,http,85
2962 :authority,:method,sl-forwarded-proto,sl-forwarded-host,user-agent,via saucedemo.com:443,GET,,saucedemo.com:443,Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0,1.1 sc_server-dfcd2679b772ba704ff6
...
```

Check [Wireshark display filter reference](https://www.wireshark.org/docs/dfref/h/http2.html) for more information on available filters for HTTP/2.

### Using tcpdump

You can also use `tcpdump` to capture traffic and save it to a file for later analysis.
Make sure to start `tcpdump` before starting the Sauce Connect Proxy.
The captured pcap file can be opened in `tshark` for inspection using the following command:

```bash
tshark -r /path/to/capture.pcap -o "tls.keylog_file:/path/to/sslkeylog.log" -Y http2 ...
```

This is particularly useful to experiment with different display filters and inspect the traffic in more detail.

## Additional resources

* [Display Filter Reference: HyperText Transfer Protocol 2](https://www.wireshark.org/docs/dfref/h/http2.html)
* [Wireshark TLS](https://wiki.wireshark.org/TLS)
* [Wireshark tcpdump](https://www.wireshark.org/docs/wsug_html_chunked/AppToolstcpdump.html)
* [HTTP/2 spec](https://httpwg.org/specs/rfc7540.html)
1 change: 1 addition & 0 deletions sidebars.js
Original file line number Diff line number Diff line change
Expand Up @@ -1042,6 +1042,7 @@ module.exports = {
},
'secure-connections/sauce-connect-5/logging',
'secure-connections/sauce-connect-5/monitoring',
'secure-connections/sauce-connect-5/inspecting',
{
type: 'category',
label: 'Setup and Configuration',
Expand Down

0 comments on commit 8e5c5d3

Please sign in to comment.