Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Hypertext Transfer Protocol Secure (HTTPS) traffic.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture HTTPS Traffic

To capture HTTPS traffic:

  1. Open a new web browser window or tab.
  2. Start a Wireshark capture.
  3. Navigate to https://en.wikiversity.org.
  4. Stop the Wireshark capture.
  5. Close the web browser window or tab.

Activity 2 - Select Destination Traffic

To select destination traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only HTTPS traffic, type ssl (lower case) in the Filter box and press Enter. (In Wireshark 3.0 and later the dissector was renamed, so use tls if ssl matches nothing.)
  2. Select the first TLS packet labeled Client Hello.
  3. Observe the destination IP address.
  4. To view all related traffic for this connection, change the filter to ip.addr == <destination>, where <destination> is the destination address of the Client Hello packet.

Activity 3 - Analyze TCP Connection Traffic

To analyze TCP connection traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three-way handshake. Select the first packet.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is your IP address.
  7. Observe the Destination address. Notice that the destination address is the IP address of the HTTPS server.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is a dynamic port selected for this HTTPS connection.
  10. Observe the Destination port. Notice that it is https (443). Note that all of the packets for this connection will have matching MAC addresses, IP addresses, and port numbers.

Activity 4 - Analyze SSL/TLS Client Hello Traffic

To analyze SSL/TLS Client Hello traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the first TLS packet, labeled Client Hello.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Secure Sockets Layer frame. Also notice that the Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection analyzed in Activity 3.
  4. Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details.
  5. Observe the Cipher Suites and Extensions supported.
  6. Observe the traffic captured in the top Wireshark packet list pane.
  7. Select the next packet, labeled TCP ACK. This is the server TCP acknowledgement of receiving the Client Hello request.

Activity 5 - Analyze SSL/TLS Server Hello Traffic

To analyze SSL/TLS Server Hello traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the second TLS packet, labeled Server Hello.
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details.
  5. Observe the Cipher Suites and Extensions supported.

Activity 6 - Analyze SSL/TLS Certificate Traffic

To analyze SSL/TLS Certificate traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the third TLS packet, labeled Certificate, Server Key Exchange, Server Hello Done.
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Secure Sockets Layer, TLS, Handshake Protocol, and Certificates to view SSL/TLS details.
  5. Observe the certificate information provided.
  6. Expand TLS, Handshake Protocol, and EC Diffie-Hellman Server Params to view the public key and signature. The client verifies the signature over these ephemeral key exchange parameters using the public key from the server's certificate.
  7. Observe the traffic captured in the top Wireshark packet list pane.
  8. Select the next TCP packet, labeled TCP ACK. This is the client TCP acknowledgement of receiving the Server Hello and Certificate responses.

Activity 7 - Analyze SSL/TLS Client Key Exchange Traffic

To analyze SSL/TLS Client Key Exchange traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the fourth TLS packet, labeled Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message.
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Secure Sockets Layer, TLS, Handshake Protocol, and Encrypted Handshake Message to view SSL/TLS details.
  5. Observe the encrypted handshake message. The Client Key Exchange carries the client's share of the key exchange; both sides derive the session keys from it, and this encrypted handshake message is the first message protected with the session keys that will encrypt session traffic.

Activity 8 - Analyze SSL/TLS New Session Ticket Traffic

To analyze SSL/TLS New Session Ticket traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the TLS packet labeled New Session Ticket ....
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Secure Sockets Layer, TLS, Handshake Protocol, TLS Session Ticket, and Encrypted Handshake Message to view SSL/TLS details.
  5. Observe the encrypted handshake message. This is the server's Finished message, confirming the encrypted session.

Activity 9 - Analyze HTTPS Encrypted Data Exchange

To analyze HTTPS encrypted data exchange:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the various TLS packets labeled Application Data.
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Secure Sockets Layer and TLS to view SSL/TLS details.
  5. Observe the encrypted application data. Notice that the application data protocol is http.
  6. Observe the data in the bottom Wireshark packet bytes pane. Notice that the application data is encrypted.
  7. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
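The labels Wireshark shows in Activities 4 through 9 (Client Hello, Change Cipher Spec, Encrypted Handshake Message, Application Data) come straight from the TLS record and handshake headers. As an added example, not part of the original activities, the following Python script walks a constructed record stream, labels each record the way Wireshark's Info column does, and pulls the cipher suites, SNI and ALPN names out of the Client Hello. The sample bytes are constructed for this example, and it assumes a single direction of traffic so that every handshake record after Change Cipher Spec is treated as encrypted.

```python
import struct

# Wireshark-style labels for TLS record content types and plaintext handshake types.
CONTENT = {20: "Change Cipher Spec", 21: "Alert", 22: "Handshake", 23: "Application Data"}
HANDSHAKE = {1: "Client Hello", 2: "Server Hello", 4: "New Session Ticket", 11: "Certificate",
             12: "Server Key Exchange", 14: "Server Hello Done", 16: "Client Key Exchange"}
def u16(b, i):
    return struct.unpack(">H", b[i:i + 2])[0]
def parse_client_hello(body):
    """Return (version, cipher suite ids, SNI, ALPN names) from a ClientHello body."""
    version, pos = u16(body, 0), 2 + 32                # skip the 32-byte client random
    pos += 1 + body[pos]                               # skip session id
    cs_len, pos = u16(body, pos), pos + 2
    suites = [u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len + 1 + body[pos + cs_len]             # skip suites and compression methods
    sni, alpn = None, []
    pos, end = pos + 2, (pos + 2 + u16(body, pos) if pos + 2 <= len(body) else 0)  # extensions optional
    while pos + 4 <= end:
        etype, elen = u16(body, pos), u16(body, pos + 2)
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == 0:                                 # server_name: list len, type, name len, name
            sni = data[5:5 + u16(data, 3)].decode()
        elif etype == 16:                              # ALPN: list len, then (len, name) pairs
            i = 2
            while i < len(data):
                alpn.append(data[i + 1:i + 1 + data[i]].decode())
                i += 1 + data[i]
    return version, suites, sni, alpn

def walk_records(data):
    """Label each record like Wireshark's Info column and parse the plaintext Client Hello."""
    labels, hello, pos, encrypted = [], None, 0, False
    while pos + 5 <= len(data):
        ctype, rlen = data[pos], u16(data, pos + 3)
        payload, pos = data[pos + 5:pos + 5 + rlen], pos + 5 + rlen
        label = CONTENT.get(ctype, "Unknown")
        if ctype == 20:
            encrypted = True                           # handshake records after CCS are encrypted
        elif ctype == 22:
            label = "Encrypted Handshake Message" if encrypted else HANDSHAKE.get(payload[0], label)
            if label == "Client Hello":
                hello = parse_client_hello(payload[4:])  # skip 4-byte handshake header
        labels.append(label)
    return labels, hello

# Constructed sample (not a real capture): TLS 1.2 Client Hello for en.wikiversity.org with
# three cipher suites, SNI and ALPN; then Change Cipher Spec, encrypted Finished, Application Data.
SAMPLE = bytes.fromhex(
    "1603010060 0100005c 0303" + "11" * 32 + "00 0006 c02b c02f 009c 0100 002d"
    " 0000 0017 0015 00 0012 656e2e77696b69766572736974792e6f7267"
    " 0010 000e 000c 02 6832 08 687474702f312e31"
    " 1403030001 01  1603030004 aabbccdd  1703030003 deadbe")
```

Calling walk_records(SAMPLE) returns the four labels in order and the parsed Client Hello, which should match what the Wireshark packet details pane shows for the same fields in a real capture.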
