How to Get the Cipher Suite List Presented in Wireshark
Article ID: 288021
Products
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
How to view, in Wireshark, the cipher suites an endpoint presents to the EDR server during the TLS handshake, so they can be compared against the suite the server selects and a cipher mismatch can be confirmed or ruled out.
Environment
- EDR Server: All Versions
- EDR Sensor: All Versions
Resolution
- Start the packet capture first, then restart the sensor service. An already-established session does not repeat its handshake, so the restart is what forces a new connection attempt and a fresh Client Hello to appear in the pcap.
- Windows (cmd as admin)
sc stop carbonblack
sc start carbonblack
- Linux (Terminal)
EL6:
sudo service cbdaemon restart
EL7+:
sudo systemctl restart cbdaemon
- macOS (terminal)
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl load /Library/LaunchDaemons/com.carbonblack.daemon.plist
- Open the pcap in Wireshark.
- Find the "Client Hello" packet sent from the endpoint to the IP address of the EDR server and select it.
- In the packet details, expand "Transport Layer Security" (labelled "Secure Sockets Layer" in Wireshark releases before 3.0).
- Expand "TLSv1.2 Record Layer: Handshake Protocol: Client Hello" (the version shown in the label depends on the capture).
- Expand "Handshake Protocol: Client Hello", then "Cipher Suites (N suites)". The number in parentheses is the count of cipher suites the endpoint presented.
- The expanded list shows every cipher suite the endpoint offered to the EDR server, in the endpoint's order of preference.
- To confirm that a cipher matched, select the "Server Hello" packet sent back from the EDR server: its single "Cipher Suite" field is the suite the server chose from that list. If the server instead answers with an Alert record (Level: Fatal, Description: Handshake Failure), the two sides have no cipher suite in common.
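As an added example (not part of this article or of Carbon Black's own code), the following Python script parses the raw TLS record bytes of a Client Hello and Server Hello the way Wireshark's dissector does: it lists the suites the endpoint offered, the one the EDR server selected, and recognises the fatal handshake_failure alert (description 40) that a server sends when there is no common suite. All traffic in it is constructed inline rather than captured from a real sensor, and the cipher-suite name table is a small subset of the IANA registry.

```python
import struct

# Subset of IANA cipher-suite names, enough to label the constructed sample.
CIPHER_SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 1, 2      # handshake message types


def suite_name(code):
    return CIPHER_SUITE_NAMES.get(code, "UNKNOWN_0x%04X" % code)


def iter_records(stream):
    """Yield (content_type, payload) for each TLS record in a byte string."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        yield ctype, stream[off + 5:off + 5 + length]
        off += 5 + length


def iter_handshakes(payload):
    """Yield (handshake_type, body) for each message inside a Handshake record."""
    off = 0
    while off + 4 <= len(payload):
        hs_type = payload[off]
        hs_len = int.from_bytes(payload[off + 1:off + 4], "big")
        yield hs_type, payload[off + 4:off + 4 + hs_len]
        off += 4 + hs_len


def client_hello_suites(body):
    """Cipher suites offered in a ClientHello, in the client's preference order."""
    # client_version(2) random(32) session_id<0..32> cipher_suites<2..2^16-2> ...
    off = 2 + 32
    off += 1 + body[off]                        # skip session_id
    (cs_len,) = struct.unpack("!H", body[off:off + 2])
    off += 2
    return [struct.unpack("!H", body[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]


def server_hello_suite(body):
    """The single cipher suite selected in a ServerHello (same layout in TLS 1.2 and 1.3)."""
    off = 2 + 32
    off += 1 + body[off]                        # skip session_id / legacy_session_id_echo
    return struct.unpack("!H", body[off:off + 2])[0]


def summarize(stream):
    """Return (offered_suites, chosen_suite_or_None, alert_or_None) for a handshake capture."""
    offered, chosen, alert = [], None, None
    for ctype, payload in iter_records(stream):
        if ctype == ALERT and len(payload) >= 2:
            alert = (payload[0], payload[1])    # (level, description); 2/40 = fatal handshake_failure
        elif ctype == HANDSHAKE:
            for hs_type, body in iter_handshakes(payload):
                if hs_type == CLIENT_HELLO:
                    offered = client_hello_suites(body)
                elif hs_type == SERVER_HELLO:
                    chosen = server_hello_suite(body)
    return offered, chosen, alert


# --- Constructed sample traffic (assumed values, not captured from a real sensor) ---
def build_client_hello(suites):
    body = b"\x03\x03" + bytes(32) + b"\x00"                       # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" + b"\x00\x00"                               # null compression, no extensions
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite):
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


def build_alert(level, description):
    return bytes([ALERT, 0x03, 0x03, 0x00, 0x02, level, description])


ENDPOINT_OFFER = [0xC02F, 0xC030, 0x002F]
SAMPLE_MATCH = build_client_hello(ENDPOINT_OFFER) + build_server_hello(0xC030)
SAMPLE_MISMATCH = build_client_hello([0x000A]) + build_alert(2, 40)

if __name__ == "__main__":
    for label, sample in (("match", SAMPLE_MATCH), ("mismatch", SAMPLE_MISMATCH)):
        offered, chosen, alert = summarize(sample)
        print(label, "offered:", [suite_name(s) for s in offered])
        print(label, "server chose:", suite_name(chosen) if chosen is not None else None, "alert:", alert)
```

To run it against a real capture, feed summarize() the TCP payload bytes of the Client Hello and Server Hello packets (in Wireshark, select the TLS record and use File > Export Packet Bytes). The equivalent check inside the GUI is the display filter tls.handshake.type == 1 for Client Hello messages and tls.handshake.type == 2 for Server Hello messages, with the ssl. prefix instead of tls. on Wireshark releases before 3.0.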