Environment
• Carbon Black Cloud Sensor: All Versions
• WireShark
Objective
What do you look for with WireShark for TLS issues?
Resolution
- Open your PCAP.
- Locate communication between client and CBC, use the Configuration Guide link from the firewall port KB below to help determine the CBC sites.
- tls.handshake && tls.handshake.extensions_server_name == "dev-prod05.conferdeploy.net"
- tls.handshake && tls.handshake.extensions_server_name == "updates2.cdc.carbonblack.io"
- tls.handshake && tls.handshake.extensions_server_name == "content.carbonblack.io"
- Use 'Follow Stream' in the Conversations dialog to display that conversation. Dismiss the 'raw data' display that pops up; we won't need that for what we're doing. "Analyze\Follow\TCP Stream"
- Highlight the 'Client Hello' packet in the top pane of the display - the list of cipher suites offered by the client can be expanded
- Compare results to this KB Carbon Black Cloud: What SSL cipher suites are supported/accepted for communications?
- If no Cipher Suite matches then the communication can not happen, please add a Cipher Suite and test.
Additional Notes
To force communication with content.carbonblack.io use the below command.
./repcli manifest cloudrefresh
Related Content
