EDR: How to Get the Cipher Suite List Presented in Wireshark

Article ID: 288021

Updated On:

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

How to view, in Wireshark, the cipher suites an endpoint presents to the EDR server, in order to confirm that the sensor and server have matching ciphers.

Environment

  • EDR Server: All Versions
  • EDR Sensor: All Versions

Resolution

  1. When capturing the pcap, you will need to restart the sensor services to trigger a new connection attempt and handshake.
    • Windows (cmd as admin)
      sc stop carbonblack
      sc start carbonblack
    • Linux (terminal)
      EL6:
      sudo service cbdaemon restart

      EL7+:
      sudo systemctl restart cbdaemon
    • macOS (terminal)
      sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
      sudo launchctl load /Library/LaunchDaemons/com.carbonblack.daemon.plist
  2. Open the pcap in Wireshark.
  3. Look for the "Client Hello" packet sent to the destination IP of the EDR server and expand it:
    • Expand "Transport Layer Security"
    • Expand "TLSv1.2 Record Layer: Handshake Protocol: Client Hello"
    • Expand "Handshake Protocol: Cipher Suites ( 2 )"; the number in parentheses is the count of cipher suites the endpoint presented
    • The expanded list shows the ciphers the endpoint presented to the EDR server; compare these with the ciphers the server accepts to confirm they match.
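As an added illustration (not part of this article or the product), the following Python parses a TLS Client Hello record the same way Wireshark's dissector does to produce the "Cipher Suites" list, and intersects it with a hypothetical server-side allowed set to confirm matching ciphers. The cipher suite codes and names are the IANA-registered values; the Client Hello bytes and the server policy are constructed for the example.

```python
import struct

# Small subset of the IANA cipher suite registry (real codes and names).
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def build_client_hello(suites):
    """Build a minimal TLS 1.2 Client Hello record (constructed test input, no extensions)."""
    body = b"\x03\x03" + bytes(32)                     # client_version, random
    body += b"\x00"                                     # empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # compression methods: null only
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: handshake, legacy version

def parse_client_hello_suites(record):
    """Return the cipher suite codes offered in a TLS Client Hello record, in client order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a Client Hello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated Client Hello")
    pos = 2 + 32                                        # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len             # skip session id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]

def matching_suites(offered, server_allowed):
    """Suites the endpoint offered that the server also accepts, in the client's order."""
    return [s for s in offered if s in server_allowed]

def suite_name(code):
    return CIPHER_NAMES.get(code, "UNKNOWN_0x%04X" % code)

if __name__ == "__main__":
    offered = [0xC02F, 0x002F]                  # constructed: what a sensor might present
    server_allowed = {0xC02F, 0xC030, 0x1301}   # constructed: hypothetical server policy
    codes = parse_client_hello_suites(build_client_hello(offered))
    print("Cipher Suites (%d suites)" % len(codes))
    for code in codes:
        print("   ", suite_name(code))
    print("matching:", [suite_name(c) for c in matching_suites(codes, server_allowed)])
```

An empty "matching" list is the condition this article's Wireshark check is meant to reveal: the sensor's handshake will fail because nothing it offers is accepted by the server.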