IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

EDR: How to Get the Cipher Suite List Presented in Wireshark

EDR: How to Get the Cipher Suite List Presented in Wireshark

Environment

  • EDR Server: All Versions
  • EDR Sensor: All Versions

Objective

How to view the Cipher Suites being presented in Wireshark to confirm matching Ciphers

Resolution

  1. When capturing the pcap, you will need to restart the sensor services to trigger a new connection attempt and handshake. 
    • Windows (cmd as admin)
      sc stop carbonblack
      sc start carbonblack
    • Linux (Terminal)
      EL6: 
      sudo service cbdaemon restart
      
      EL7+: 
      sudo systemctl restart cbdaemon
    • macOS (terminal)
      sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
      sudo launchctl load /Library/LaunchDaemons/com.carbonblack.daemon.plist
  2. Open the pcap in Wireshark.
  3. Look for the "Client Hello" packet to the destination IP of the EDR Server and expand
    • Expand Under "Transport Layer Security" -->
    • Expand"TLSv1.2 Record Layer: Handshake Protocol: Client Hello"
    • Expand "Handshake Protocol: Cipher Suites ( 2 )" -- within brackets are number of cipher suites the endpoint presented
    • After expand to see the Ciphers being presented by the Endpoint to the EDR server

Related Content


Labels (2)
Tags (3)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎01-04-2023
Views:
3125
Contributors