Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: How to Get the Cipher Suite List Presented in Wireshark

EDR: How to Get the Cipher Suite List Presented in Wireshark


  • EDR Server: All Versions
  • EDR Sensor: All Versions


How to view the Cipher Suites being presented in Wireshark to confirm matching Ciphers


  1. When capturing the pcap, you will need to restart the sensor services to trigger a new connection attempt and handshake. 
    • Windows (cmd as admin)
      sc stop carbonblack
      sc start carbonblack
    • Linux (Terminal)
      sudo service cbdaemon restart
      sudo systemctl restart cbdaemon
    • macOS (terminal)
      sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
      sudo launchctl load /Library/LaunchDaemons/com.carbonblack.daemon.plist
  2. Open the pcap in Wireshark.
  3. Look for the "Client Hello" packet to the destination IP of the EDR Server and expand
    • Expand Under "Transport Layer Security" -->
    • Expand"TLSv1.2 Record Layer: Handshake Protocol: Client Hello"
    • Expand "Handshake Protocol: Cipher Suites ( 2 )" -- within brackets are number of cipher suites the endpoint presented
    • After expand to see the Ciphers being presented by the Endpoint to the EDR server

Related Content

Labels (2)
Tags (3)
Was this article helpful? Yes No
No ratings
Article Information
Creation Date: