Wednesday, May 11, 2011

Monitor WSO2 Servers with Wireshark

I recently had to look in to how to use Wireshark to monitor the traffic between set of WSO2 products, I found some useful configuration steps which was bit difficult to find in a single place in internet. We had a requirement of monitoring all the HTTP traffic and we wanted to monitor complete payload even though some of the transactions were HTTPS, so I will be describing how to configure Wireshark for a scenario like this. Since I was new to Wireshark I found the initial instructions were not very clear to start using Wireshark, so that is one of another motivation for writing this blog post. This blog post will be a very quick one which doesn't contains any screenshots, I hope to write a detail one but I need to write this before I forget these steps...

My Environment is Ubuntu so when you install it using Ubuntu Software Center you will get a package which is compiled with GnuTLS so to monitor HTTPS traffic you don't have to compile Wireshark again. If you are on Non-Unix system you have to compile it with GnuTLS (there are plenty of documentation on how to do this).

I assume you have a service running on WSO2 WSAS which is secured and you have a client to invoke that Service, and you have another client invoke another unsecured Service in WSAS, with this setup you can monitor HTTP and HTTPS traffic goes to both services.

  1. Start Wireshark and see whether you see set of Interfaces where you can monitor, if you do not see any interface, it's because you do not have enough rights to monitor any of the interfaces. So please start as a root/sudo mode if you did not see any interface.
  2. Now go to Edit -> Preferences -> Protocols -> HTTP there you will see two entries like "TCP/Ports" and "SSL/Ports". Add your Servers (WSO2 WSAS) HTTP port in to TCP/Ports list with a comma if you have number of ports to configure in a scenario where you want to monitor traffic among few hops add them as comma separated values. (Ex: HTTP - 9763).
  3. Now add your server HTTPS port in to SSL/Ports entry, by default it's having 443 to monitor browser HTTPS traffic (Ex:, HTTPS - 9443).
  4. Now you are in a position to monitor the traffic goes to WSAS by applying http filter. But you will not see the encrypted messages going to the Secured Service. To decrypt the messages which goes to WSAS you need to export the private key of the server (WSO2 WSAS). To do that you can use a simple tool like Keytool IUI[2].
  5. Download the keytool IUI [2], extract it and run the script (I got some errors in the tool when I was trying to run the shell script, so if you get the same just run the following command). $JAVA_HOME/bin/java -Xms128m -Xmx196m -jar rc15ktl.jar
  6. This will open the Keytool and go to Export -> KeyStores Entry -> Private Key There you will see four fields to be filled. Now what we are going to do is simply get the private key of the WSO2 WSAS in unencrypted format and add that in to Wireshark which will help to decrypt the messages.
  7. Give the keystore file path which is WSAS_HOME/resources/security/wso2carbon.jks, and the password will be wso2carbon, The add private Key and Certificate Chain file locations to the place where you want to store the private key. And make sure you put the file type as PEM in last two fields.
  8. After pressing OK you will ask to select the select Keypair trust among a list, select the entry you have "wso2carbon" as the alias. Lets assume the output private key file path is /home/lahiru/client/fhlb/wso2is-3.0.1/resources/security/private.pem.
  9. Now you have have the private key of the server in unencrypted format, now go to Edit -> Preferences -> Protocols -> SSL there you will see a field (empty) RSA Key list for that add the following entry. 127.0.0.1,9443,http,/home/lahiru/client/fhlb/wso2is-3.0.1/resources/security/private.pem ,,,private-key-path-of-the-server
  10. Since we are going to monitor traffic in the same machine we are selecting the interface 127.0.0.1 (If your operation system is Windows things will not work out of the box with loop-back address so for window users please refer this[1]). To select the interface go to Capture -> Interfaces there you will see 127.0.0.1 press the start button in 127.0.0.1 interface.
  11. Now you can send two messages to secure and un-secure services then after you get the responses go to Wireshark and add Filter (from the top field with the name filters) http.
  12. Now ideally you should see four entries, request-response messages for two transactions and you will be able to view the content of the secure request-response messages too.
Please refer[3] for further detail about how to decrypt the messages using Wireshark.