What do you look for with Wireshark for TLS issues?
Article ID: 284987
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
What do you look for with Wireshark for TLS issues?
Environment
• Carbon Black Cloud Sensor: All Versions
• Wireshark
Resolution
Open your PCAP.
Locate the communication between the client and CBC. Use the Configuration Guide link from the firewall port KB below to help determine the CBC sites. Display filters such as the following isolate the TLS handshakes for those sites:
tls.handshake && tls.handshake.extensions_server_name == "dev-prod05.conferdeploy.net"
tls.handshake && tls.handshake.extensions_server_name == "updates2.cdc.carbonblack.io"
tls.handshake && tls.handshake.extensions_server_name == "content.carbonblack.io"
tls.handshake.type && (tls.handshake.extensions_server_name contains "conferdeploy.net" || tls.handshake.extensions_server_name contains "carbonblack.io")
Use 'Follow Stream' in the Conversations dialog to display that conversation (menu path: Analyze > Follow > TCP Stream). Dismiss the 'raw data' display that pops up; it is not needed for this check.
Highlight the 'Client Hello' packet in the top pane of the display. The list of cipher suites offered by the client can be expanded in the packet details.
Compare the results to the KB "SSL cipher suites that are supported/accepted for communications".
If no cipher suite matches, the communication cannot happen. Add a cipher suite and test.
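The comparison in the last three steps can also be scripted. The following is an added example, not part of the original article or of any Carbon Black tooling: it parses the raw bytes of a Client Hello record, extracts the SNI and the offered cipher suite IDs, and reports the overlap with an accepted set. The SUPPORTED set and the sample record are constructed placeholders; fill SUPPORTED from the supported-cipher KB.

```python
import struct

# Constructed placeholder: replace with the suite IDs from the vendor's
# supported-cipher KB (this page does not list them).
SUPPORTED = {0xC02F, 0xC030}  # hypothetical accepted set

def parse_client_hello(record: bytes):
    """Return (sni, [cipher suite ids]) from one raw TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                    # skip session id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    suites = list(struct.unpack_from(f"!{cs_len // 2}H", record, pos))
    pos += cs_len
    pos += 1 + record[pos]                    # skip compression methods
    sni = None
    if pos + 2 <= len(record):                # extensions are optional
        (ext_total,) = struct.unpack_from("!H", record, pos)
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:                 # server_name: list len, type, name len, name
                (name_len,) = struct.unpack_from("!H", record, pos + 3)
                sni = record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    return sni, suites

def common_suites(record: bytes, supported=SUPPORTED):
    """Return (sni, offered suites that are also in the accepted set)."""
    sni, offered = parse_client_hello(record)
    return sni, [s for s in offered if s in supported]

def build_sample(host: str, suites):
    """Construct a minimal ClientHello for the demo (not captured traffic)."""
    name = host.encode()
    sni_ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites)) + struct.pack(f"!{len(suites)}H", *suites)
            + b"\x01\x00" + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for offered in ([0xC02F, 0x009C], [0x000A, 0x002F]):
        sni, shared = common_suites(build_sample("content.carbonblack.io", offered))
        print(sni, [hex(s) for s in shared] or "NO COMMON SUITE: handshake will fail")
```

An empty result for a CBC hostname corresponds to the "no cipher suite matches" case in the final step.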
Additional Information
To force communication with content.carbonblack.io, use the command below.
./repcli manifest cloudrefresh