What do you look for with Wireshark for TLS issues?

Article ID: 284987

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

What do you look for with Wireshark for TLS issues?

Environment

    • Carbon Black Cloud Sensor: All Versions
    • Wireshark

Resolution

  1. Open your PCAP.
  2. Locate the communication between the client and CBC. Use the Configuration Guide link from the firewall port KB below to help determine the CBC sites, then apply a display filter such as:
    • tls.handshake && tls.handshake.extensions_server_name == "dev-prod05.conferdeploy.net"
    • tls.handshake && tls.handshake.extensions_server_name == "updates2.cdc.carbonblack.io"
    • tls.handshake && tls.handshake.extensions_server_name == "content.carbonblack.io"
    • tls.handshake.type && (tls.handshake.extensions_server_name contains "conferdeploy.net" || tls.handshake.extensions_server_name contains "carbonblack.io")
  3. Use 'Follow Stream' in the Conversations dialog to display that conversation (menu path: Analyze > Follow > TCP Stream). Dismiss the 'raw data' display that pops up; we won't need that for what we're doing.
  4. Highlight the 'Client Hello' packet in the top pane of the display and expand it to see the list of cipher suites offered by the client.
  5. Compare the results to the KB on SSL cipher suites that are supported/accepted for communications.
  6. If no cipher suite matches, the communication cannot happen. Add a cipher suite and test again.
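
The comparison in steps 2 and 4 to 6 can also be done programmatically. The following is an added example, not part of the original KB or of any Carbon Black tooling: it parses one raw ClientHello record for its SNI and offered cipher suites and intersects them with an accepted set. `ACCEPTED`, `build_hello` and `check` are hypothetical names, and the `ACCEPTED` values are placeholders to be replaced with the IDs from the supported-cipher KB.

```python
import struct

# Placeholder set (assumption): replace with the IDs listed in the supported-cipher KB.
ACCEPTED = {0xC02F, 0xC030}

def parse_client_hello(record: bytes):
    """Return (sni, [cipher suite ids]) from one raw TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello (split across TCP segments?)")
    pos = 2 + 32                                  # skip client_version + random
    pos += 1 + body[pos]                          # skip session_id
    n = int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites length in bytes
    pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                          # skip compression_methods
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos, sni = pos + 2, None
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        if etype == 0:                            # server_name: list_len, type, name_len, name
            name_len = int.from_bytes(body[pos + 3:pos + 5], "big")
            sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return sni, suites

def build_hello(sni: str, suites):
    """Build a minimal ClientHello record: constructed sample input, not a capture."""
    name = sni.encode()
    ext = struct.pack(">HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", 2 * len(suites))
            + b"".join(struct.pack(">H", s) for s in suites)
            + b"\x01\x00" + struct.pack(">H", len(ext)) + ext)
    return b"\x16\x03\x01" + struct.pack(">H", len(body) + 4) + b"\x01" + len(body).to_bytes(3, "big") + body

def check(record: bytes):
    """Return (sni, offered suites that are also in ACCEPTED); empty list = step 6 case."""
    sni, suites = parse_client_hello(record)
    return sni, [s for s in suites if s in ACCEPTED]

if __name__ == "__main__":
    for offered in ([0xC030, 0xC02F, 0x000A], [0x000A, 0x002F]):
        sni, common = check(build_hello("content.carbonblack.io", offered))
        print(sni, [f"0x{s:04X}" for s in common] or "no common suite")
```

To run it on real traffic, right-click the TLS record layer of the Client Hello in Wireshark, choose Copy > ...as a Hex Stream, and pass `bytes.fromhex(...)` of that string to `check`.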

Additional Information

To force communication with content.carbonblack.io, use the command below.
./repcli manifest cloudrefresh