Environment
- Carbon Black Cloud Sensor: All Versions
- Wireshark
Objective
How to confirm whether content filtering or SSL inspection is involved in communication
Resolution
- Open your PCAP.
- Locate the communication between the client and CBC. Use the Configuration Guide link from the firewall port KB below to help determine the CBC sites. For example, these display filters match the TLS handshake for a given server name:
  - tls.handshake && tls.handshake.extensions_server_name == "dev-prod05.conferdeploy.net"
  - tls.handshake && tls.handshake.extensions_server_name == "updates2.cdc.carbonblack.io"
  - tls.handshake && tls.handshake.extensions_server_name == "content.carbonblack.io"
- Use 'Follow Stream' > 'TCP' in the Conversations dialog (or Analyze\Follow\TCP Stream) to display that conversation. Dismiss the 'raw data' display that pops up; it is not needed for this procedure.
- In the top pane, select the packet whose Info column shows 'Certificate'.
- Review the Transport Layer Security section and look for highlighted data. Highlighting indicates an error that you can drill into.
- To see the signer of the certificate, drill down into Transport Layer Security\Handshake Protocol\Certificates\Certificate:...\signedCertificate\Issuer
- Review the content of the RDNSequence to see if it matches expectations.
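The Issuer field inspected in the last two steps is the issuer RDNSequence inside the certificate's DER encoding. The Python below is an added example, not part of the original article or any Carbon Black tooling: it reads that RDNSequence from a DER certificate (such as one exported from the Certificate packet) and compares the organization with an expected value. The sample certificate is constructed and stops after the issuer field; expected_org and all function names are assumptions.

```python
# Added example: walk Certificate -> tbsCertificate (Wireshark: signedCertificate) -> issuer.
OIDS = {"550403": "CN", "550406": "C", "55040a": "O", "55040b": "OU"}  # DER bodies of 2.5.4.x

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value bytes, offset of next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def issuer_rdns(cert_der):
    """Return the issuer as (attribute, value) pairs in certificate order."""
    tbs = children(children(tlv(cert_der)[1])[0][1])   # fields of tbsCertificate
    if tbs[0][0] == 0xA0:                               # optional [0] version
        tbs = tbs[1:]
    pairs = []
    for _, rdn in children(tbs[2][1]):                  # serial, sig alg, then issuer
        for _, item in children(rdn):                   # SET of AttributeTypeAndValue
            (_, oid), (_, val) = children(item)[:2]
            pairs.append((OIDS.get(oid.hex(), oid.hex()), val.decode("utf-8", "replace")))
    return pairs

def issuer_org_matches(cert_der, expected_org):
    """True when an issuer O attribute equals expected_org (caller-supplied assumption)."""
    return any(k == "O" and v == expected_org for k, v in issuer_rdns(cert_der))

def der(tag, *parts):                                   # short-form encoder for the sample only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def atv(oid_hex, text):                                 # one RDN holding one UTF8String attribute
    return der(0x31, der(0x30, der(0x06, bytes.fromhex(oid_hex)), der(0x0C, text.encode())))

# Constructed sample: a certificate prefix whose issuer is a made-up inspection proxy CA.
SAMPLE_ISSUER = der(0x30, atv("55040a", "Example Inspection Proxy"), atv("550403", "Example Proxy CA"))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
                  der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05)), SAMPLE_ISSUER))
if __name__ == "__main__":
    print(issuer_rdns(SAMPLE_CERT))
```

A False result from issuer_org_matches for a CBC hostname means the certificate seen on the wire was signed by something other than the expected issuer, which is what an inspecting firewall or proxy produces.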
Additional Notes
Firewalls and proxies can both perform SSL inspection. When a device intercepts our packet and provides its own, it may interfere with the validation of our product, manifest or signature files.
Related Content