This article will explain how to use Wireshark to capture TCP/IP packets. Specifically, I will show how to capture encrypted (HTTPS) packets and attempt to document the 'dance' a client and server do to build an SSL tunnel.
What is Wireshark?
Wireshark is a network protocol analyzer for Windows, OSX, and Linux. It lets you capture and interactively browse the traffic running on a computer network. Similar software includes tcpdump on Linux.
Install Wireshark
First step, acquire Wireshark for your operating system.
Ubuntu Linux: sudo apt-get install wireshark
Windows or Mac OSX: search for wireshark and download the binary.
How to capture packets
This is Wireshark's main menu:
To start a capture, click the following icon:
A new dialog box should have appeared. Click Start on your preferred interface:
You are now capturing packets. The packet information is displayed in the table below the main menu:
Now browse to an HTTPS website with your browser. I went to https://linkpeek.com and after the page completely loaded, I stopped the Wireshark capture:
Depending on your network, you could have just captured MANY packets. To limit our view to only interesting packets you may apply a filter. Filter the captured packets by ssl and hit Apply:
Now we should be only looking at SSL packets.
Next we will analyze the SSL packets and answer a few questions.
1. For each of the first 8 Ethernet frames, specify the source of the frame (client or server), determine the number of SSL records that are included in the frame, and list the SSL record types that are included in the frame. Draw a timing diagram between client and server, with one arrow for each SSL record.
Frame 1 client | 1 record | Arrival Time: Feb 15, 2012 15:38:55.601588000
Frame 2 server | 1 record | Arrival Time: Feb 15, 2012 15:38:55.688170000
Frame 3 server | 2 records | Arrival Time: Feb 15, 2012 15:38:55.688628000
Frame 4 client | 3 records | Arrival Time: Feb 15, 2012 15:38:55.697705000
Frame 5 server | 2 records | Arrival Time: Feb 15, 2012 15:38:55.713139000
Frame 6 client | 1 record | Arrival Time: Feb 15, 2012 15:38:55.713347000
Frame 7 server | 0 records | Arrival Time: Feb 15, 2012 15:38:55.713753000
Frame 8 server | 1 record | Arrival Time: Feb 15, 2012 15:38:55.715003000
2. Each of the SSL records begins with the same three fields (with possibly different values). One of these fields is "content type" and has length of one byte. List all three fields and their lengths.
Each hexadecimal digit (also called a 'nibble') represents four binary digits (bits), so each pair of hexadecimal digits equals 1 byte.
a. Destination MAC address | 6 bytes | 00 21 9b 31 99 51
c. Type: IP | 2 bytes | 08 00
ClientHello Records
3. Expand the ClientHello record. (If your trace contains multiple ClientHello records, expand the frame that contains the first one.) What is the value of the
hex: 16 (0x16 = 16 + 6 = 22 in decimal) = Handshake
4. Does the ClientHello record advertise the cipher suites it supports? If so, in the first listed suite, what are the public-key algorithm, the symmetric-key algorithm, and the hash algorithm?
ServerHello Records
5. Look at the ServerHello packet. What cipher suite does it choose?
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
6. Does this record include a nonce? If so, how long is it? What is the purpose of the
Yes, 28 bytes. The ClientHello packet also generated a nonce. The nonces are used to make the session communication between the two nodes unique: they 'salt' the communication to prevent replay attacks. A replay attack happens when data captured from an old communication is re-sent in an attempt to 'crack' a current communication.
7. Does this record include a session ID? What is the purpose of the session ID?
Yes. The session ID is there for efficiency: if the client closes the current connection and reconnects in the near future, it can present the session ID to resume the earlier session instead of repeating the full handshake.
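The record header from question 2 and the Hello fields from questions 3, 5, 6 and 7 can be checked directly against the bytes. The Python parser below is an added example, not code from this article: it splits a frame's TCP payload into TLS records, decodes a ClientHello or ServerHello, and feeds itself constructed sample records (a ServerHello choosing 0x002f followed by a ChangeCipherSpec in the same frame); the short cipher-suite name table is an assumption covering only the suites of interest here.

```python
import struct
# Added example (not the article's code): TLS record and Hello parsing per RFC 5246.
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}
SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}  # assumed subset

def split_records(payload: bytes) -> list:
    """Split one frame's TCP payload into TLS records (header: type 1 byte, version 2, length 2)."""
    records, off = [], 0
    while off + 5 <= len(payload):
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        body = payload[off + 5:off + 5 + length]
        if len(body) < length:          # record continues in a later frame (e.g. a large Certificate)
            break
        records.append({"type": CONTENT_TYPES.get(ctype, ctype), "version": hex(version),
                        "length": length, "body": body})
        off += 5 + length
    return records

def parse_hello(body: bytes) -> dict:
    """Parse a ClientHello or ServerHello handshake message carried in a Handshake record body."""
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    info = {"handshake": HANDSHAKE.get(hs_type, hs_type), "version": hex(struct.unpack("!H", msg[:2])[0])}
    # Random = 4-byte gmt_unix_time + 28 random bytes (the 28-byte nonce Wireshark shows as "Random Bytes")
    info["gmt_unix_time"] = struct.unpack("!I", msg[2:6])[0]
    info["nonce"] = msg[6:34]
    sid_len = msg[34]                   # session ID is length-prefixed; empty on a fresh connection
    info["session_id"] = msg[35:35 + sid_len]
    off = 35 + sid_len
    if hs_type == 1:                    # ClientHello advertises a list of suites, first = most preferred
        n = struct.unpack("!H", msg[off:off + 2])[0]
        ids = struct.unpack("!%dH" % (n // 2), msg[off + 2:off + 2 + n])
        info["cipher_suites"] = [SUITES.get(i, hex(i)) for i in ids]
    elif hs_type == 2:                  # ServerHello picks exactly one suite
        info["cipher_suite"] = SUITES.get(struct.unpack("!H", msg[off:off + 2])[0])
    return info

def build_hello(hs_type: int, session_id: bytes, suites: list) -> bytes:
    """Constructed sample: a minimal TLS 1.0 ClientHello (1) or ServerHello (2) record."""
    msg = b"\x03\x01" + b"\x00" * 4 + bytes(range(28)) + bytes([len(session_id)]) + session_id
    ids = struct.pack("!%dH" % len(suites), *suites)
    msg += (struct.pack("!H", len(ids)) + ids + b"\x01\x00") if hs_type == 1 else (ids + b"\x00")
    hs = bytes([hs_type]) + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    frame = build_hello(2, b"\xaa" * 32, [0x002F]) + b"\x14\x03\x01\x00\x01\x01"  # 2 records, 1 frame
    for rec in split_records(frame):
        print(rec["type"], rec["length"], parse_hello(rec["body"]) if rec["type"] == "Handshake" else "")
```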
8. How many frames does the SSL certificate take to send?