• Carbon Black Cloud Sensor: All Versions
What do you look for with WireShark for TLS issues?
- Open your PCAP.
- Locate communication between client and CBC, use the Configuration Guide link from the firewall port KB below to help determine the CBC sites.
- Use 'Follow Stream' in the Conversations dialog to display that conversation. Dismiss the 'raw data' display that pops up; we won't need that for what we're doing. "Analyze\Follow\TCP Stream"
- Highlight the 'Client Hello' packet in the top pane of the display - the list of cipher suites offered by the client can be expanded
- Compare results to this KB Carbon Black Cloud: What SSL cipher suites are supported/accepted for communications?
- If no Cipher Suite matches then the communication can not happen, please add a Cipher Suite and test.