
Network fault finding and Wireshark

-Analysing SSL/TLS-

Student: Alexandru Hera
Supervisor: Kurt Stæcker Jensen
Table of Contents

The Network
Wireshark
SSL/TLS
Load trace
Inspect the trace
The SSL Handshake
Hello Messages
Certificate messages
Client Key Exchange and Change Cipher Messages
Alert Message
Conclusion
The Network
Given the nature of today's networks, many businesses rely on networked services and
resources, ranging from the ordinary user internet connection and the network printer to
much more sophisticated applications such as clustered network computing, cloud storage
and so on. Obviously, as the number of applications and services we use in the network
grows, so does the number of errors and failures that are likely to occur.

In many cases, having over 99% service uptime is a top priority for enterprises, and we can
see that in the last couple of years being the "network guy" in a company is simply not
enough. A clear example is the Cisco Certification for Network Professionals (CCNP), which
is now at version 2.0 and is divided into three sections: Routing, Switching and, of course,
Troubleshooting.

Analysing the traffic has also become an important aspect of enterprise networking. A
protocol analyser can capture packets and, if needed, decode each packet's raw data,
showing the values of the various fields in the packet and interpreting its contents
according to the appropriate RFC or other specification.

Wireshark
Originally known as Ethereal, the project got renamed Wireshark in May 2006 due to
trademark issues. Wireshark is a free and open-source packet analyzer, used for network
troubleshooting, analysis, software and communications protocol development, and
education.

Wireshark typically displays information in three panes. The top pane lists frames
individually, with key data on a single line. Any single frame selected in the top pane is
further explained in the tool's middle pane. In this section of the display, Wireshark shows
the packet details, illustrating how the various parts of the frame belong to the data link
layer, network layer, transport layer and application layer. Finally, Wireshark's bottom
pane displays the raw frame, with a hexadecimal rendition on the left and the
corresponding ASCII values on the right.
Because Wireshark can also be used for eavesdropping, an organization using the tool
should make sure it has a clearly defined privacy policy that spells out the rights of
individuals using its network, grants permission to sniff traffic for security and
troubleshooting issues and states the organization's policies for obtaining, analyzing and
retaining network traffic samples.

SSL/TLS
The main objective of this report is to observe SSL/TLS (Secure Sockets Layer / Transport
Layer Security) in action. SSL/TLS is used to secure TCP connections, and it is widely used
as part of the secure web: HTTPS is HTTP carried over SSL/TLS.

Load trace
Usually the first step in every Wireshark analysis would be to either start a live capture on a
specific interface, or to supply a Wireshark trace file.
For the purpose of analysing the SSL protocol, I have supplied a saved trace file.

Inspect the trace


Now that the trace is loaded in Wireshark we are ready to look at the details of some "SSL"
messages. To begin, we can take advantage of the software's capabilities and apply a
display filter of "ssl".
This filter simplifies the display by showing only SSL and TLS messages. It excludes the
other TCP segments that are part of the trace, such as ACKs and connection open/close.

Moving forward we can select a TLS message somewhere in the middle of the trace for
which the Info reads “Application Data”, and expand its Secure Sockets Layer block (by
using the “+” expander or icon). Application Data is a generic TLS message carrying
contents for the application, such as the web page. It is a good place for us to start looking
at TLS messages.
Looking at the protocol blocks and fields in the message we immediately notice the
following:

❖ The lower layer protocol blocks are TCP and IP because SSL runs on top of TCP/IP.
❖ The SSL layer contains a “TLS Record Layer”. This is the foundational sublayer for
TLS. All messages contain records.
❖ Each record starts with a Content Type field. This tells us what is in the contents of
the record.
❖ Then comes a Version identifier. It will be a constant value for the SSL connection.
❖ It is followed by a Length field giving the length of the record.
❖ Last comes the contents of the record. Application Data records are sent after SSL
has secured the connection, so the contents will show up as encrypted data.

To show my understanding of the SSL records I will pose a series of analysis questions,
whose answers will be given in the exam presentation.

1. What is the Content-Type for a record containing “Application Data”?

2. What version constant is used in the trace, and which version of TLS does it represent?

3. Does the Length cover the Record Layer header as well as payload, or only the payload?
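As an added illustration (not code from the report), the following parser walks a TLS byte stream record by record and decodes the same Content Type, Version and Length fields that Wireshark shows in the "TLS Record Layer" block; the byte stream it parses is constructed by hand, standing in for the Change Cipher Spec, Application Data and Alert records one would click on in the trace.

```python
# Minimal TLS Record Layer parser. The sample stream at the bottom is constructed,
# not taken from the report's trace file.
import struct

CONTENT_TYPES = {20: "Change Cipher Spec", 21: "Alert",
                 22: "Handshake", 23: "Application Data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HEADER_LEN = 5  # content type (1 byte) + version (2) + length (2)


def parse_records(stream: bytes):
    """Return one dict per TLS record found in `stream`, in order."""
    records = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < HEADER_LEN:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        payload = stream[offset + HEADER_LEN:offset + HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated record payload at offset %d" % offset)
        records.append({
            "content_type": ctype,
            "content_type_name": CONTENT_TYPES.get(ctype, "unknown"),
            "version": version,
            "version_name": VERSIONS.get(version, "unknown"),
            "length": length,  # counts the payload only, never the 5-byte header
            "payload": payload,
        })
        offset += HEADER_LEN + length
    return records


# Constructed sample: a Change Cipher Spec record (its whole payload is the byte 0x01),
# then an Application Data record and an Alert record sent after the cipher switch, so
# their payloads are opaque ciphertext (16 arbitrary bytes stand in for each here).
SAMPLE = (
    bytes.fromhex("140303000101")
    + bytes.fromhex("1703030010") + bytes(range(16))
    + bytes.fromhex("1503030010") + bytes(range(16, 32))
)

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print("%-18s %-8s length=%d (+%d header bytes)" % (
            r["content_type_name"], r["version_name"], r["length"], HEADER_LEN))
```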

The SSL Handshake


An important part of SSL is the initial handshake that establishes a secure connection. The
handshake proceeds in several phases. There are slight differences for different versions of
TLS and depending on the encryption scheme that is in use. The usual outline for a brand
new connection is:

❖ Client (the browser) and Server (the web server) both send their Hellos
❖ Server sends its certificate to Client to authenticate (and optionally asks for Client
Certificate)
❖ Client sends keying information and signals a switch to encrypted data.
❖ Server signals a switch to encrypted data.
❖ Both Client and Server send encrypted data.
❖ An Alert is used to tell the other party that the connection is closing.
Hello Messages
We inspect the details of the Client Hello and Server Hello messages, including expanding
the Handshake protocol block within the TLS Record. For these initial messages, an
encryption scheme is not yet established so the contents of the record are visible to us.
They contain details of the secure connection setup in a Handshake protocol format.

4. How long in bytes is the random data in the Hellos? Both the Client and Server include this
random data (a nonce) to allow the establishment of session keys.

5. How long in bytes is the session identifier sent by the server? This identifier allows later
resumption of the session with an abbreviated handshake when both the client and server
indicate the same value.

6. What Cipher method is chosen by the Server? The Client will list the different cipher methods it
supports, and the Server will pick one of these methods to use.
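As an added illustration (not code from the report), this snippet decodes the Client Hello and Server Hello bodies that sit inside a Handshake record, pulling out exactly the fields the questions above ask about: the 32-byte random, the session identifier and the cipher suite(s); the two Hello messages it parses are constructed by a helper rather than read from the trace, and the three cipher suite names are standard IANA suites chosen only to label the sample.

```python
# Parser for the fixed-layout prefix of TLS Client Hello / Server Hello messages.
# The sample messages are constructed below, not taken from the report's trace.
import struct

HANDSHAKE_TYPES = {1: "Client Hello", 2: "Server Hello"}
CIPHER_SUITES = {  # a few IANA codes, used only to name the constructed sample
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}


def parse_hello(body: bytes):
    """Decode the Handshake header and the Hello fields that follow it."""
    htype = body[0]
    hlen = int.from_bytes(body[1:4], "big")      # 3-byte handshake length
    if htype not in HANDSHAKE_TYPES or len(body) - 4 < hlen:
        raise ValueError("not a complete Hello message")
    off = 4
    version = struct.unpack_from("!H", body, off)[0]
    off += 2
    random = body[off:off + 32]                  # always 32 bytes (4-byte time + 28 random)
    off += 32
    sid_len = body[off]                          # 0..32; 0 means no resumable session
    off += 1
    session_id = body[off:off + sid_len]
    off += sid_len
    if htype == 1:                               # Client Hello: 2-byte list length, then suites
        n = struct.unpack_from("!H", body, off)[0]
        off += 2
        suites = [struct.unpack_from("!H", body, off + i)[0] for i in range(0, n, 2)]
    else:                                        # Server Hello: the single chosen suite
        suites = [struct.unpack_from("!H", body, off)[0]]
    return {"type": HANDSHAKE_TYPES[htype], "version": version,
            "random_len": len(random), "session_id": session_id,
            "cipher_suites": [CIPHER_SUITES.get(s, "0x%04X" % s) for s in suites]}


def build_hello(htype: int, session_id: bytes, suites: list) -> bytes:
    """Construct a sample Hello body (TLS 1.2, zeroed random) for the demo."""
    fields = struct.pack("!H", 0x0303) + bytes(32) + bytes([len(session_id)]) + session_id
    if htype == 1:
        fields += struct.pack("!H", 2 * len(suites))
        fields += b"".join(struct.pack("!H", s) for s in suites)
        fields += b"\x01\x00"                    # one compression method: null
    else:
        fields += struct.pack("!H", suites[0]) + b"\x00"
    return bytes([htype]) + len(fields).to_bytes(3, "big") + fields


# Constructed sample: a client offering three suites with no session id, and a
# server answering with a 32-byte session id and the first offered suite.
CLIENT_HELLO = build_hello(1, b"", [0xC02F, 0x002F, 0x0035])
SERVER_HELLO = build_hello(2, bytes(range(32)), [0xC02F])
```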

Certificate messages
Next we inspect the details of the Certificate message, including expanding the Handshake
protocol block within the TLS Record. As with the Hellos, the contents of the Certificate
message are visible because an encryption scheme is not yet established.

7. Who sends the Certificate, the client, the server, or both? A certificate is sent by one party to let
the other party authenticate that it is who it claims to be.

Client Key Exchange and Change Cipher Messages


The key exchange message is sent to pass keying information so that both sides will have
the same secret session key. The change cipher message signals to the other party a switch
to a new encryption scheme. This means that it is the last unencrypted message sent by
that party.

8. At the Record Layer, what Content-Type values are used to indicate each of these messages?

9. Who sends the Change Cipher Spec message, the client, the server, or both?

10. What are the contents carried inside the Change Cipher Spec message?
Alert Message
Finally, we find and inspect the details of an Alert message at the end of the trace. The Alert
message is sent to signal a condition, such as notification that one party is closing the
connection.

11. At the Record Layer, what Content-Type value is used to signal an alert?

12. Are the contents of the alert encrypted or sent in the clear?

Conclusion
Apart from its lack of technical support, Wireshark incorporates many functions and
capabilities, such as its powerful filter and macro systems, the ability to read and write a
large number of capture formats, the highly useful Expert Info function, and the list goes
on. All of these traits, along with one of the friendliest GUIs available among advanced
networking utilities, are reflected in its large, enthusiastic community and establish
Wireshark as one of the current industry standards.
