Wireshark SSL Lab

CS 4445

David Avery, JR

In this lab, we’ll investigate the Secure Sockets Layer (SSL) protocol, focusing on the SSL records sent over a TCP connection. We’ll do so by analyzing a trace of the SSL records sent between your host and an e-commerce server. We’ll investigate the various SSL record types as well as the fields in the SSL messages.

Please submit your answers in the same Microsoft Word document as your week 3 chapter solutions if possible.

1. Capturing packets in an SSL session

The first step is to capture the packets in an SSL session. To do this, you should go to your favorite e-commerce site and begin the process of purchasing an item (but terminating before making the actual purpose!). After capturing the packets with Wireshark, you should set the filter so that it displays only the Ethernet frames that contain SSL records sent from and received by your host. (An SSL record is the same thing as an SSL message.)

The correct filter for SSL/TLS please use ssl.record.content_type == 22.

2. A look at the captured trace

Your Wireshark GUI should be displaying only the Ethernet frames that have SSL records. It is important to keep in mind that an Ethernet frame may contain one or more SSL records. (This is very different from HTTP, for which each frame contains either one complete HTTP message or a portion of a HTTP message.) Also, an SSL record may not completely fit into an Ethernet frame, in which case multiple frames will be needed to carry the record.

Wireshark Lab: Please answer questions 1-2

1. What is the first step in the HTTPS communication handshake?

2. How can you configure Wireshark to always recognize port 444 as an SSL/TLS port?

pur-new-sol

Related Questions