Decoding SSL traffic between a vCentre server and ESX host
I have been battling to find out where my HP servers store and provide the serial numbers that vCentre shows in the Hardware Status plugin, so far to no avail, I am sad to say. While investigating, however, I had to work out how to use Wireshark to decode the SSL traffic between vCentre and an ESX host. That is very useful for troubleshooting connectivity or other issues between a VC and an ESX host, so I thought I would record the process for reference.
For Wireshark (download the latest version from http://www.wireshark.org/download.html) to decode the SSL traffic between a VC and a host, it needs the private key of the host's SSL certificate. To get this you will need to copy it from the host with an SCP client.
The file you are looking for is rui.key, located in the /etc/vmware/ssl folder.
Once you have copied the file to your local machine, fire up Wireshark and head to Edit > Preferences.
In there, under the Protocols menu on the left-hand side, select SSL and you will see the following fields:
The RSA keys list field is where you tell Wireshark the server source IP (the ESX host), port, protocol and location of the private key to use for decryption.
In this example I am using the same key to decrypt both standard 443 and 5989 (Secure CIM) traffic. To decrypt more than one, separate the entries with a semicolon:
10.0.0.1,5989,wbem-https,c:\temp\rui.key;10.0.0.1,443,https,c:\temp\rui.key
The SSL debug file field tells Wireshark to write out how it is using the key, which helps with troubleshooting.
Once you have this, load up a capture from your vCentre and look for some SSL traffic. You should see something like this in the lower frame:
As you would expect, the output is unreadable in the standard tab, but if you look at the Decrypted SSL data tab you should see the data magically become a lot more useful:
Once it can decrypt the traffic, Wireshark also helpfully displays a context menu entry called Follow SSL Stream, which pieces together all the traffic it can find and pops up a window with the whole transaction in one place.
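Decrypting with the server's private key, as the RSA keys list does, only works when the session negotiated an RSA key exchange cipher suite (TLS_RSA_WITH_...); with a DHE or ECDHE suite the private key cannot recover the session keys, and Wireshark will show nothing on the Decrypted SSL data tab no matter how the field is filled in. The following Python is an added example written for this post, not code from Wireshark or VMware: it builds the keys-list string in the format shown above, checks that the copied key file is an unencrypted PEM private key, and parses the ServerHello from a capture to report the negotiated suite before you spend time on a decryption that cannot succeed. The cipher suite table is a small subset of the IANA registry (the numbers are the real registered values), and the ServerHello bytes and PEM text used as input are constructed here as sample data.

```python
"""Pre-flight checks for decrypting ESX/vCentre SSL traffic in Wireshark.

Added example for this article; not part of Wireshark or VMware.
"""
import struct

# Subset of IANA-registered cipher suite ids (values are the real registry
# numbers; the table itself is constructed for this example).
CIPHER_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02


def keys_list_entry(ip, port, protocol, key_path):
    """One entry for Wireshark's 'RSA keys list' field: ip,port,protocol,keyfile."""
    return f"{ip},{port},{protocol},{key_path}"


def build_keys_list(entries):
    """Join several (ip, port, protocol, key_path) tuples with ';' as Wireshark expects."""
    return ";".join(keys_list_entry(*entry) for entry in entries)


def is_usable_pem_key(pem_text):
    """Wireshark needs an unencrypted private key; reject encrypted or malformed PEM."""
    if "ENCRYPTED" in pem_text:          # PKCS#8 encrypted header or PEM Proc-Type line
        return False
    for label in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        if f"-----BEGIN {label}-----" in pem_text and f"-----END {label}-----" in pem_text:
            return True
    return False


def parse_server_hello(record):
    """Extract the negotiated version and cipher suite from a raw TLS ServerHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:                  # version(2) + random(32) + session_id_len(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    session_id_len = hello[34]
    pos = 35 + session_id_len
    if len(hello) < pos + 3:             # cipher_suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    suite_id = struct.unpack("!H", hello[pos:pos + 2])[0]
    name = CIPHER_SUITES.get(suite_id, f"UNKNOWN_0x{suite_id:04X}")
    # Only plain RSA key exchange lets the server key recover the premaster secret.
    return {"version": version, "cipher_suite": name,
            "rsa_key_exchange": name.startswith("TLS_RSA_WITH_")}


def build_server_hello(suite_id, session_id=b""):
    """Construct a minimal TLS 1.0 ServerHello record (sample input for this example)."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite_id) + b"\x00")
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def decryption_preflight(server_hello_record, pem_text):
    """Return the reasons, if any, that Wireshark will not decrypt this session with the key."""
    problems = []
    info = parse_server_hello(server_hello_record)
    if not info["rsa_key_exchange"]:
        problems.append(f"{info['cipher_suite']} uses (EC)DHE; the server key cannot recover session keys")
    if not is_usable_pem_key(pem_text):
        problems.append("key file is not an unencrypted PEM private key")
    return problems


# Constructed sample key text: a placeholder body, not a real key.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDERBASE64\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(build_keys_list([("10.0.0.1", 5989, "wbem-https", r"c:\temp\rui.key"),
                           ("10.0.0.1", 443, "https", r"c:\temp\rui.key")]))
    print(decryption_preflight(build_server_hello(0x002F), SAMPLE_KEY))
    print(decryption_preflight(build_server_hello(0xC02F), SAMPLE_KEY))
```

To use it against a real capture, export the bytes of the ServerHello record from Wireshark and pass them to decryption_preflight together with the contents of the rui.key you copied; an empty list means the RSA keys list entry has a chance of working, and a non-empty one tells you which of the two prerequisites is missing.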
Once you get into the underlying transactions, it is great to see what is going back and forth between vCentre and the hosts. I hope this helps you figure out whatever problem you may be having.