About
This article covers obtaining and extracting a network capture and which fields to look at for at-a-glance troubleshooting. More in-depth testing is covered in another article, found here:
- Reference url to the furthering handshake troubleshooting
Venafi Filters
- ip.addr==IP address - Matches packets with this IP in either the Source or the Destination column
- ip.src==Source IP - Shows requests coming from this IP address
- ip.dst==Destination IP - Shows requests going to this IP address
- tcp.port==443 - Filters traffic to one port
Operators to use with Venafi
- && - AND: both conditions must match (e.g. port 443 && IP address 192.168.1.1)
- || - OR: either condition may match (e.g. port 443 && (IP address 192.168.1.1 || IP address 192.168.1.2))
- == - Equals (e.g. tcp.port==443)
There are many more operators; these are the ones usually used when troubleshooting Venafi.
Examples (these use sample IPs to show the syntax; substitute your own):
- tcp.port==443 && ip.addr==192.168.0.1
- ip.src==192.168.132.151 && ip.dst==192.168.132.1
With the filters above you can narrow the output to a conversation between two servers, or show all of the traffic on a port for a specific IP address. The filters can be continued beyond this point for further
Areas to look for useful data
Client Hello:
- Secure Socket Layer
- Record Layer
- Version
  - Handshake Protocol
  - Cipher Suites
  - Extensions: Server Name
  - Server Name Indication Extensions
    - Server Name
Server Hello:
- Secure Socket Layer
- Record Layer
- Version
  - Handshake Protocol: Server Hello
  - Cipher Suites
  - Handshake Protocol: Certificate
    - Certificate (Common name here)
A protocol-related handshake failure can be troubleshot by comparing the cipher lists in the Cipher Suites fields:
- Look at the Client Hello cipher suites
- Look at the Server Hello cipher suite
- If there is no cipher common to both lists, a handshake error will occur
- When the handshake fails, the connection is closed shortly afterwards
Because of this there is a shorter range of packets to look through. See the "Follow TCP Stream" instructions below.
Extracting certificates
- Follow the Server Hello (Wireshark section (B.)) down to Certificate (Common name here)
- Right-click Certificate
- Click "Export Selected Packet Bytes"
- Save the file as "Certificate.der" (or any filename ending in .der)
- The file will contain the certificate and the chain
- Open the certificate and go to Details; all certificate details are available there
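The two checks described above (comparing the Client Hello cipher list against the Server Hello choice, and pulling the DER certificate chain out of the Certificate message) can also be done directly on the raw TLS bytes. The script below is an added example, not Venafi's or Wireshark's code: it parses TLS 1.2-style records and handshake messages from a byte stream such as the one you get from "Export Selected Packet Bytes" on the reassembled TCP payload, lists the offered and chosen cipher suites, and splits out each certificate in the chain. The sample streams, the cipher choices and the "certificate" blobs are constructed for the demonstration (the blobs are placeholders, not real DER), and the failure case shows what the analysis reports when the server answers a Client Hello with a handshake_failure alert instead of a Server Hello.

```python
import struct

HANDSHAKE, ALERT = 0x16, 0x15                  # TLS record content types
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11   # handshake message types

# Names for the IANA cipher suite ids used in the samples (for display only)
SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# ---- builders used only to construct the sample streams ------------------
def record(content_type, body, version=b"\x03\x03"):
    """TLS record: type (1), version (2), length (2), body."""
    return bytes([content_type]) + version + struct.pack(">H", len(body)) + body

def handshake(hs_type, body):
    """Handshake message: type (1), length (3), body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body

def client_hello(ciphers):
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                # one compression method: null
    return handshake(CLIENT_HELLO, body)

def server_hello(cipher):
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", cipher) + b"\x00"
    return handshake(SERVER_HELLO, body)

def certificate(chain):
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    return handshake(CERTIFICATE, len(entries).to_bytes(3, "big") + entries)

# ---- parsers ------------------------------------------------------------
def parse_records(data):
    """Split a byte stream into (content_type, payload) TLS records."""
    out, i = [], 0
    while i + 5 <= len(data):
        ctype, length = data[i], struct.unpack(">H", data[i + 3:i + 5])[0]
        out.append((ctype, data[i + 5:i + 5 + length]))
        i += 5 + length
    return out

def parse_handshakes(payload):
    """Split a Handshake record payload into (hs_type, body) messages."""
    out, i = [], 0
    while i + 4 <= len(payload):
        hs_type, length = payload[i], int.from_bytes(payload[i + 1:i + 4], "big")
        out.append((hs_type, payload[i + 4:i + 4 + length]))
        i += 4 + length
    return out

def client_hello_ciphers(body):
    i = 2 + 32 + 1 + body[34]                          # skip version, random, session id
    n = struct.unpack(">H", body[i:i + 2])[0]
    return [struct.unpack(">H", body[j:j + 2])[0] for j in range(i + 2, i + 2 + n, 2)]

def server_hello_cipher(body):
    i = 2 + 32 + 1 + body[34]
    return struct.unpack(">H", body[i:i + 2])[0]

def certificate_chain(body):
    """Return each DER blob from a Certificate message, leaf first."""
    total, chain, i = int.from_bytes(body[:3], "big"), [], 3
    while i < 3 + total:
        n = int.from_bytes(body[i:i + 3], "big")
        chain.append(body[i + 3:i + 3 + n])
        i += 3 + n
    return chain

def analyse(stream):
    """Summarise one TCP stream: offered ciphers, chosen cipher, chain, alert, verdict."""
    r = {"client_ciphers": [], "server_cipher": None, "chain": [], "alert": False}
    for ctype, payload in parse_records(stream):
        if ctype == ALERT:
            r["alert"] = True
        elif ctype == HANDSHAKE:
            for hs_type, body in parse_handshakes(payload):
                if hs_type == CLIENT_HELLO:
                    r["client_ciphers"] = client_hello_ciphers(body)
                elif hs_type == SERVER_HELLO:
                    r["server_cipher"] = server_hello_cipher(body)
                elif hs_type == CERTIFICATE:
                    r["chain"] = certificate_chain(body)
    # The handshake can only succeed if the server's choice was in the client's list
    r["cipher_ok"] = r["server_cipher"] is not None and r["server_cipher"] in r["client_ciphers"]
    return r

# ---- constructed sample streams (not real captures) ----------------------
FAKE_LEAF, FAKE_CA = b"CONSTRUCTED-LEAF-DER", b"CONSTRUCTED-CA-DER"   # placeholders
GOOD_STREAM = (record(HANDSHAKE, client_hello([0xC02F, 0xC030, 0x009C]))
               + record(HANDSHAKE, server_hello(0xC02F) + certificate([FAKE_LEAF, FAKE_CA])))
# Failure case: no common cipher, server sends fatal (2) handshake_failure (40) alert
BAD_STREAM = record(HANDSHAKE, client_hello([0x000A])) + record(ALERT, b"\x02\x28")

if __name__ == "__main__":
    for name, stream in (("good", GOOD_STREAM), ("bad", BAD_STREAM)):
        r = analyse(stream)
        print(name, "offered:", [SUITE_NAMES.get(c, hex(c)) for c in r["client_ciphers"]],
              "chosen:", SUITE_NAMES.get(r["server_cipher"], r["server_cipher"]),
              "alert:", r["alert"], "cipher_ok:", r["cipher_ok"], "certs:", len(r["chain"]))
```

Each entry in the returned chain is one DER certificate, so writing them to separate .der files gives the same result as exporting the packet bytes for each Certificate entry in Wireshark; in the "bad" stream the absence of a Server Hello together with the alert is the same pattern the Follow TCP Stream view shows for a cipher mismatch.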
Follow TCP Stream
- Once you find a Client Hello, right-click the TCP packet
- Select the "Follow TCP Stream" option
- The display filter will change to match the stream identifier
Exporting the pcap capture file
- After running the capture, click the File menu
- Select Save As
- Once the file is saved, it can be opened and viewed in the Wireshark interface