 | 1 | initial version |
Seems the PPP frames are pre-pended by a header of 0xf5 and 3 bytes with the length of the PPP frame. My guess is that this a custom format used by F5. So to be able to decode the PPP frames in Wireshark, a dissector needs to be written that takes the decrypted TLS data, decodes the custom header and then passes the remaining data to the PPP dissector. Also some logic must be added that it does this only for traffic that started of with the HTTP request/response for setting up the SSL-VPN tunnel.
A quick-and-dirty Lua post-dissector script might do the job if you don't care about false positives and just want the PPP frames decoded.
