Wireshark class 4.3 - How to analyze a packet capture Certificates & TLS Encryption Troubleshooting

13 May 2024
2,025 views

This video is a good intro to how to analyze a packet capture file, or pcap, step by step. Learn to export certificates from pcap files.
In this case we are troubleshooting TLS connections with an emphasis on certificates. There are even some tips and tricks for people who already know Wireshark. #wireshark #pcap #TLS
BONUS Wireshark filter cheat sheet.
www.lanwan.ninja/wp-content/u...
TLS troubleshooting filter:
((tls.record.content_type || tls.handshake.type || tls.alert_message.level) && tls.record.content_type !=23)
PowerShell used in the video: see the pinned comment.
There are two scenarios in this video:
1. We have an internal application that is having an issue: when users click on the application they get an error that says "Server not responding", but all is not as it seems. The error log file is not helpful either. After a chat with the apps team, you decide to take a capture.
2. We have an application that is working for five people but not for 2 people: when they click on the app, they get a connection error. You call the application vendor, and they tell you it is your firewall. You do not agree with them, so you decide to take a packet capture.
The apps team has an application server that is making an encrypted TLS connection to a web server. They have called the software vendor, who say that the problem is on our end and their application is working fine. All that the log files will show us are generic "failure" errors. This one happens more than you think.
So let's take a packet capture and get this issue figured out!!
If you have any questions or ideas for future videos, please leave a comment and let me know.
Timestamps:
00:00 Start
0:37 Certificates
1:53 Why trust a certificate
2:02 What is a Certificate Authority
2:24 What is a trusted Root CA
3:03 Exporting a cert from a browser
3:55 View trusted Root CAs in Windows
5:09 Scenario #1 start
5:29 NMAP scan
6:45 Mark a running capture with a ping
8:40 Using TLS troubleshooting filter
10:01 Follow TCP stream
12:43 Exporting a cert from a packet capture
15:20 Security Tip - hacking :) at the end
17:44 Updating Trusted Root CAs with Powershell
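As an added example (not code from the video or its author), here is a small Python walker that applies the same selection as the TLS troubleshooting filter above to one direction of a reassembled TCP stream, and pulls the DER certificates out of a TLS 1.2 Certificate handshake message, which is what the "Exporting a cert from a packet capture" step does by hand in Wireshark. The sample byte stream, the placeholder certificate bytes and all function names are constructed for this example.

```python
import base64
import struct

# Names from RFC 5246 (TLS 1.2); only the values this walker reports.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 12: "server_key_exchange",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
                      46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version", 112: "unrecognized_name"}

def parse_records(data):
    """Split one direction of a reassembled TCP stream into (type, version, body) TLS records."""
    records = []
    pos = 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + length]
        if len(body) < length:  # capture stopped mid-record; stop rather than misparse
            break
        records.append((ctype, version, body))
        pos += 5 + length
    return records

def handshake_messages(body):
    """Split a handshake record body into (handshake_type, message) pairs."""
    messages = []
    pos = 0
    while pos + 4 <= len(body):
        hs_len = int.from_bytes(body[pos + 1:pos + 4], "big")
        messages.append((body[pos], body[pos + 4:pos + 4 + hs_len]))
        pos += 4 + hs_len
    return messages

def certificates_in_message(msg):
    """Return the DER certificates (leaf first) carried by a TLS 1.2 Certificate message."""
    certs = []
    end = min(len(msg), 3 + int.from_bytes(msg[0:3], "big"))
    pos = 3
    while pos + 3 <= end:
        clen = int.from_bytes(msg[pos:pos + 3], "big")
        certs.append(msg[pos + 3:pos + 3 + clen])
        pos += 3 + clen
    return certs

def troubleshooting_view(data):
    """Same selection as the video's display filter: every record except application data (type 23)."""
    lines = []
    for ctype, _version, body in parse_records(data):
        if ctype == 23:
            continue
        if ctype == 22:
            for hs_type, msg in handshake_messages(body):
                name = HANDSHAKE_TYPES.get(hs_type, "type_%d" % hs_type)
                if hs_type == 11:
                    name += " (%d certificates)" % len(certificates_in_message(msg))
                lines.append("handshake: " + name)
        elif ctype == 21 and len(body) >= 2:
            lines.append("alert: %s %s" % (ALERT_LEVELS.get(body[0], "level_%d" % body[0]),
                                           ALERT_DESCRIPTIONS.get(body[1], "desc_%d" % body[1])))
        else:
            lines.append(CONTENT_TYPES.get(ctype, "type_%d" % ctype))
    return lines

def export_certificates(data):
    """Collect every DER certificate sent in Certificate handshake messages in the stream."""
    return [cert for ctype, _v, body in parse_records(data) if ctype == 22
            for hs_type, msg in handshake_messages(body) if hs_type == 11
            for cert in certificates_in_message(msg)]

def to_pem(der):
    """Wrap DER bytes as PEM so the exported file opens in the OS certificate viewer."""
    b64 = base64.b64encode(der).decode("ascii")
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + wrapped + "\n-----END CERTIFICATE-----\n"

def _record(ctype, payload):
    return bytes([ctype, 0x03, 0x03]) + len(payload).to_bytes(2, "big") + payload

def _handshake(hs_type, msg):
    return bytes([hs_type]) + len(msg).to_bytes(3, "big") + msg

# Constructed sample stream, not a real capture. The two "certificates" are placeholder
# DER SEQUENCEs rather than real X.509 data, and the final alert is the one a client sends
# when the server's issuing CA is not in its trusted root store.
CERT_LEAF = b"\x30\x03\x02\x01\x01"
CERT_ISSUER = b"\x30\x03\x02\x01\x02"
_cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in (CERT_LEAF, CERT_ISSUER))
SAMPLE_STREAM = (
    _record(22, _handshake(2, b"\x03\x03" + b"\x00" * 32 + b"\x00\xc0\x2f\x00"))  # abbreviated ServerHello
    + _record(22, _handshake(11, len(_cert_list).to_bytes(3, "big") + _cert_list))
    + _record(23, b"\xde\xad\xbe\xef")  # application data: hidden by the filter
    + _record(21, bytes([2, 48]))  # fatal alert, unknown_ca
)

if __name__ == "__main__":
    print("\n".join(troubleshooting_view(SAMPLE_STREAM)))
    print("".join(to_pem(d) for d in export_certificates(SAMPLE_STREAM)), end="")
```

To run it on a real capture, use Follow TCP Stream, show the server-to-client direction as Raw, save it to a file and pass the file's bytes to troubleshooting_view() and export_certificates(). Two caveats: the filter deliberately hides application data, so a connection that completes the handshake and then fails at the HTTP layer looks clean in this view, and in TLS 1.3 the Certificate message itself is encrypted, so neither this parser nor Wireshark's export can read it without the session keys.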

Comments
  • Powershell commands used:
    md /temp
    cd /temp
    Certutil.exe -generateSSTFromWU roots.sst
    $sstStore = ( Get-ChildItem -Path c:\temp\roots.sst )
    $sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

    @LanWanNinja, 2 months ago
  • Wow! Very informative. I've seen a bunch of videos but not as detailed and easy to understand as yours. I will be referencing these from here on out. Thanks for the videos!

    @robguitar7, 26 days ago
    • Thanks so much! I appreciate it!

      @LanWanNinja, 26 days ago
  • Nice tutorial. That's a handy command to update the root certs. My certs went from 52 to 485!

    @stevekayak, 2 months ago
    • That's great to hear! And thanks.

      @LanWanNinja, 2 months ago
  • Very informative and well structured video! Good explanations on how to use Wireshark. I tinkered around a bit, but never got what I was looking for. I went from 68 certs to 490 :D

    @Finito54ify, 2 months ago
    • Thank you!! And great to hear on the cert numbers!

      @LanWanNinja, 2 months ago
  • Wow, that is some analysis you do there. I will use Wireshark as well; I'm having some weird issues with pfSense, one virtualized and a normal pfSense. They both work great separately, only the virtualized one doesn't let me write things to my server, or it writes something but very slowly. Reading goes blisteringly fast, a very weird issue. I can ping everything fine, and in both cases the same VLANs are used. Anyway, I will find it with Wireshark.

    @rudypieplenbosch6752, a month ago
    • Thanks!! Yeah, I can't tell you how many times I have looked at an issue and thought one thing and then the packets said something else. That sounds like that kind of issue.

      @LanWanNinja, a month ago