
Question


TLS/SSL Lab Discussion: Using Wireshark, capture a visit from your browser to a website supporting HTTPS. Analyze the packets captured following the eight steps below.

In the discussion forum for Module 4, start a thread for your post and report on the following:

In step 4 for Server Hello, what did you observe for Cipher Suites and Extensions?

In step 5 for Certificate Traffic, what did you observe for the certificate information, as well as the public key and signature?

Add one other observation from the packets you captured that you found interesting or weren't sure how to interpret.

If someone else has posted a question with their report thread that you can answer, please add a response to their report.

1. Select Destination Traffic

Observe the traffic captured in the top Wireshark packet list pane. To view only HTTPS traffic, type ssl (lower case) in the Filter box and press Enter. Select the first TLS packet labeled Client Hello. Observe the destination IP address. To view all related traffic for this connection, change the filter to ip.addr == destination, where destination is the destination address of the HTTP packet.

2. Analyze TCP Connection Traffic

Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three-way handshake. Select the first packet. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame. Expand Ethernet II to view Ethernet details. Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm. Expand Internet Protocol Version 4 to view IP details. Observe the Source address. Notice that the source address is your IP address. Observe the Destination address. Notice that the destination address is the IP address of the HTTPS server. Expand Transmission Control Protocol to view TCP details. Observe the Source port. Notice that it is a dynamic port selected for this HTTPS connection. Observe the Destination port. Notice that it is https (443). Note that all of the packets for this connection will have matching MAC addresses, IP addresses, and port numbers.

3. Analyze SSL/TLS Client Hello Traffic

Observe the traffic captured in the top Wireshark packet list pane. Select the first TLS packet, labeled Client Hello. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Secure Sockets Layer frame. Also notice that the Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection analyzed above. Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details. Observe the Cipher Suites and Extensions supported. Observe the traffic captured in the top Wireshark packet list pane. Select the next packet, labeled TCP ACK. This is the server TCP acknowledgement of receiving the Client Hello request.

4. Analyze SSL/TLS Server Hello Traffic

Observe the traffic captured in the top Wireshark packet list pane. Select the second TLS packet, labeled Server Hello. Observe the packet details in the middle Wireshark packet details pane. Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details. Observe the Cipher Suites and Extensions supported.

5. Analyze SSL/TLS Certificate Traffic

Observe the traffic captured in the top Wireshark packet list pane. Select the third TLS packet, labeled Certificate, Server Key Exchange, Server Hello Done. Observe the packet details in the middle Wireshark packet details pane. Expand Secure Sockets Layer, TLS, Handshake Protocol, and Certificates to view SSL/TLS details. Observe the certificate information provided. Expand TLS, Handshake Protocol, and EC Diffie-Hellman Server Params to view the public key and signature. The client uses the certificate to validate the public key and signature. Observe the traffic captured in the top Wireshark packet list pane. Select the next TCP packet, labeled TCP ACK. This is the client TCP acknowledgement of receiving the Server Hello and Certificate responses.

6. Analyze SSL/TLS Client Key Exchange Traffic

Observe the traffic captured in the top Wireshark packet list pane. Select the fourth TLS packet, labeled Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message. Observe the packet details in the middle Wireshark packet details pane. Expand Secure Sockets Layer, TLS, Handshake Protocol, and Encrypted Handshake Message to view SSL/TLS details. Observe the encrypted handshake message. This encrypted handshake contains the session key that will be used to encrypt session traffic.

7. Analyze SSL/TLS New Session Ticket Traffic

Observe the traffic captured in the top Wireshark packet list pane. Select the TLS packet labeled New Session Ticket. Observe the packet details in the middle Wireshark packet details pane. Expand Secure Sockets Layer, TLS, Handshake Protocol, TLS Session Ticket, and Encrypted Handshake Message to view SSL/TLS details. Observe the encrypted handshake message. This is the server confirming the encrypted session.

8. Analyze HTTPS Encrypted Data Exchange

Observe the traffic captured in the top Wireshark packet list pane. Select the various TLS packets labeled Application Data. Observe the packet details in the middle Wireshark packet details pane. Expand Secure Sockets Layer and TLS to view SSL/TLS details. Observe the encrypted application data. Notice that the application data protocol is http. Observe the data in the bottom Wireshark packet bytes pane. Notice that the application data is encrypted.
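To make the Cipher Suites and Extensions fields from steps 3 and 4 concrete, the following added example (not part of the original lab) parses the handshake bytes Wireshark decodes in those steps and shows the difference between the list the client offers and the single suite the server selects. It assumes the TLS 1.2-style hello layout with one handshake message per record; the names parse_hello and build, the partial name tables, and the sample bytes are constructed for illustration.

```python
import struct

# Small name tables for display; values are IANA TLS registry code points.
SUITES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
          0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256"}
EXTS = {0: "server_name", 11: "ec_point_formats", 23: "extended_master_secret",
        35: "session_ticket", 65281: "renegotiation_info"}

def parse_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello (1) or ServerHello (2)."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or rec_len != len(record) - 5:
        raise ValueError("not a complete handshake record")
    body = record[5:]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type not in (1, 2) or hs_len != len(body) - 4:
        raise ValueError("not a single ClientHello/ServerHello")
    pos = 4 + 2 + 32                      # handshake header, version, random
    pos += 1 + body[pos]                  # session_id (1-byte length prefix)
    if hs_type == 1:                      # client offers a list of suites
        n = int.from_bytes(body[pos:pos + 2], "big")
        suites = [int.from_bytes(body[i:i + 2], "big")
                  for i in range(pos + 2, pos + 2 + n, 2)]
        pos += 2 + n
        pos += 1 + body[pos]              # compression_methods list
    else:                                 # server selects exactly one suite
        suites = [int.from_bytes(body[pos:pos + 2], "big")]
        pos += 2 + 1                      # suite + one compression method
    exts = []
    if pos < len(body):                   # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts.append(EXTS.get(etype, f"unknown({etype})"))
            pos += 4 + elen
    return {"type": "ClientHello" if hs_type == 1 else "ServerHello",
            "suites": [SUITES.get(s, hex(s)) for s in suites], "extensions": exts}

def build(hs_type: int, suites: bytes, exts: bytes) -> bytes:
    """Constructed sample record (zeroed random, empty session id)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + suites + struct.pack("!H", len(exts)) + exts
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed sample bytes, not taken from a real capture.
EXT_BYTES = b"\xff\x01\x00\x01\x00" + b"\x00\x23\x00\x00"   # renegotiation_info, session_ticket
CLIENT = build(1, b"\x00\x06\xc0\x2f\xc0\x30\x00\x9c" + b"\x01\x00", EXT_BYTES)
SERVER = build(2, b"\xc0\x2f" + b"\x00", EXT_BYTES)
```

Calling parse_hello(CLIENT) returns three offered suites, while parse_hello(SERVER) returns only the one the server chose, which is the value to report for step 4.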
