Wireshark and Venafi troubleshooting


This article covers obtaining and extracting a network capture, and which basic settings to look at for at-a-glance troubleshooting. More in-depth testing is covered in another article, found here:

- Reference URL for further handshake troubleshooting

Venafi Filters

  • ip.addr==IP address - Matches packets with this IP in either the Source or the Destination column
  • ip.src==Source IP - Shows only packets coming from this IP address
  • ip.dst==Destination IP - Shows only packets going to this IP address
  • tcp.port==443 - Restricts the traffic to one port (here 443), as either source or destination port

Operators to use with Venafi

  • && - And, e.g. tcp.port==443 && ip.addr==
  • || - Or, e.g. tcp.port==443 && (ip.addr== || ip.addr==) to match either of two addresses on that port
  • == - Equals, e.g. tcp.port==443

There are many more operators; these are the ones usually used when troubleshooting Venafi.

Examples (the IP values are left blank to show the syntax; make sure you put your own in):

  • tcp.port==443 && ip.addr==
  • ip.src== && ip.dst==

With the examples above you can narrow the output to a conversation between two servers, or to all of the traffic on one port for a specific IP address. The filters can be continued beyond this point for further

Areas to look for useful data

Client Hello:

  • Secure Sockets Layer
  • Record Layer
  • Version
    • Handshake Protocol
    • Cipher Suites
    • Extensions: Server Name
    • Server Name Indication extension
      • Server Name

Server Hello:

  • Secure Sockets Layer
  • Record Layer
  • Version
    • Handshake Protocol: Server Hello
    • Cipher Suites
    • Handshake Protocol: Certificate
      • Certificate (the common name is shown here)

A protocol-related handshake failure can be diagnosed by comparing the cipher suites on each side of the handshake:

  1. Look at the cipher suite list in the Client Hello
  2. Look at the cipher suite in the Server Hello
  3. If there is no cipher suite common to the two lists, a handshake error will occur
  4. If the handshake fails, the connection ends shortly afterwards

Because of this, a failed handshake leaves only a short range of packets to look through. See below for instructions on how to "Follow TCP Stream".
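As an added example (not part of the original article), the following Python script pulls the same fields out of raw TLS records that the article says to inspect in Wireshark: the Client Hello's version, cipher suite list and SNI server name, the Server Hello's selected suite, and a handshake_failure alert; diagnose() then applies steps 1 to 3 above. The three sample records are constructed by hand for the demo, not taken from a capture.

```python
import struct
# Constructed sample records (not captured traffic): a TLS 1.2 ClientHello with SNI, its ServerHello, a fatal alert.
SNI = b"pki.example.internal"
_SNI_EXT = struct.pack("!HHHBH", 0, len(SNI) + 5, len(SNI) + 3, 0, len(SNI)) + SNI
_CH = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x04\xc0\x2f\xc0\x30" + b"\x01\x00"
       + struct.pack("!H", len(_SNI_EXT)) + _SNI_EXT)
_SH = b"\x03\x03" + b"\x22" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
CLIENT_HELLO = b"\x16\x03\x01" + struct.pack("!HB", len(_CH) + 4, 1) + len(_CH).to_bytes(3, "big") + _CH
SERVER_HELLO = b"\x16\x03\x03" + struct.pack("!HB", len(_SH) + 4, 2) + len(_SH).to_bytes(3, "big") + _SH
HANDSHAKE_FAILURE = b"\x15\x03\x03\x00\x02\x02\x28"  # alert: level 2 (fatal), description 40

def _u16(b, i):
    return int.from_bytes(b[i:i + 2], "big")

def parse_tls_record(rec):
    """Pull out the fields the article says to check: version, cipher suite(s), SNI."""
    ctype = rec[0]
    if ctype == 0x15:  # Alert record: level, description
        return {"type": "alert", "level": rec[5], "description": rec[6]}
    hs_type = rec[5]
    if ctype != 0x16 or hs_type not in (1, 2):
        raise ValueError("expected a ClientHello, ServerHello or Alert record")
    body = rec[9:9 + int.from_bytes(rec[6:9], "big")]
    info = {"type": "client_hello" if hs_type == 1 else "server_hello",
            "version": _u16(body, 0), "sni": None}
    pos = 2 + 32 + 1 + body[34]  # skip version, random and session id
    if hs_type == 1:  # ClientHello carries the list of offered suites
        n = _u16(body, pos); pos += 2
        info["cipher_suites"] = [_u16(body, pos + i) for i in range(0, n, 2)]
        pos += n + 1 + body[pos + n]  # suites, then compression methods
    else:  # ServerHello carries the one suite the server selected
        info["cipher_suites"] = [_u16(body, pos)]
        pos += 3  # suite + compression method
    if pos + 2 <= len(body):  # optional extensions block
        end = pos + 2 + _u16(body, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(body, pos), _u16(body, pos + 2); pos += 4
            if etype == 0:  # server_name: list len(2), name type(1), name len(2), name
                info["sni"] = body[pos + 5:pos + 5 + _u16(body, pos + 3)].decode()
            pos += elen
    return info

def diagnose(client_rec, server_rec):
    """Steps 1-3 of the article: does the server's answer fit the client's offer?"""
    c, s = parse_tls_record(client_rec), parse_tls_record(server_rec)
    if s["type"] == "alert":
        return "handshake_failure" if s["description"] == 40 else "alert %d" % s["description"]
    if s["cipher_suites"][0] not in c["cipher_suites"]:
        return "mismatch"  # server picked a suite the client never offered
    return "ok"
```

In a real capture these records are what Wireshark shows under the Client Hello and Server Hello trees listed above; when the server answers with a fatal alert instead of a Server Hello, there is no selected suite to compare and the stream ends right there.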

Extracting certificates

  1. In the Server Hello, follow the tree (Wireshark Section (B.)) down to Certificate (the common name is shown here)
  2. Right-click Certificate
  3. Click "Export Selected Packet Bytes"
  4. Save the file as "Certificate.der", or any filename ending in .der
  5. The file will contain the certificate and its chain
  6. Open the certificate and go to Details; all certificate details are available there

Follow TCP Stream

  1. Once you find a Client Hello, right-click the TCP packet
  2. Select the option "Follow TCP Stream"
  3. The display filter changes to match the stream identifier

Exporting the pcap capture file

  1. After running the capture, open the File menu
  2. Select Save As
  3. Once saved, the file can be opened and viewed in the Wireshark interface

