Troubleshooting with WireShark

From time to time it is necessary to debug a network traffic flow: in troubleshooting scenarios, but also when you simply need to understand how a given flow behaves.

This post shows some tips that can be used in Wireshark.

When analyzing SSL encrypted traffic, you need to load the server's private key into Wireshark. Keep in mind that the traffic must use an RSA key exchange for Wireshark to be able to decrypt it with that key; if the session was negotiated with ECDHE (Elliptic Curve Diffie-Hellman Ephemeral), the private key alone does not let Wireshark decrypt it.

Note: the SSL handshake must be present in the capture, so start the network trace before the connection is established. If SSL session reuse is in use, it might need to be disabled temporarily on the server side so that a full handshake is captured.

https://www.wireshark.org/download.html

How to decrypt SSL traffic in Wireshark

Go to Preferences>Protocols and select “SSL”


Select Edit for RSA keys list and enter the following:
(load the PFX or key file and enter its password)


Filters in Wireshark

To isolate specific traffic in a trace, the following filters can be used.

Add extra column based on Delta Time

This comes in handy if you need to see the time between consecutive frames, for example the response time between requests in the trace.


Analyze SSL/TLS Conversations

ssl.handshake.type == 1 matches the SSL Client Hello message.
ssl.handshake.type == 2 matches the SSL Server Hello message (usually carried in the same frame as the Certificate and key exchange messages).

Put in both with an OR operator and go to Statistics>Conversations:

Filter:

ssl.handshake.type == 1 || ssl.handshake.type == 2
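To show what the filter above actually matches, and why the RSA-versus-ECDHE distinction from the decryption section matters, here is an added Python example (not code from the original post). It parses a TLS handshake record the way the ssl.handshake.type filter classifies it, lists the cipher suites in a Client Hello, and for a Server Hello reports whether the negotiated suite uses an RSA key exchange (decryptable with the server's private key) or an ephemeral one (not). It also compares session IDs to spot a resumed session, which is the case the session-reuse note warns about. The record bytes, the 32-byte random and the small cipher-suite table are constructed here for the example.

```python
"""Classify TLS handshake records like `ssl.handshake.type == 1 || == 2`
and check whether the negotiated cipher suite is decryptable with the
server's RSA private key. Added example; all bytes below are constructed."""

import struct

HANDSHAKE_NAMES = {1: "Client Hello", 2: "Server Hello"}

# Small subset of IANA cipher suite codes (assumption: only these are known here).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}


def uses_rsa_key_exchange(suite_name):
    """True only for static RSA key exchange; unknown suites are treated as not decryptable."""
    return suite_name.startswith("TLS_RSA_WITH_")


def build_record(handshake_type, body):
    """Wrap a handshake body in a handshake header and a TLS 1.2 record header."""
    hs = struct.pack("!B", handshake_type) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs


def parse_handshake(record):
    """Return the handshake type plus the fields the filters in this post care about."""
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + length]
    hs_type = hs[0]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if hs_type not in HANDSHAKE_NAMES:
        return {"handshake_type": hs_type, "name": "other"}
    pos = 2 + 32                      # skip protocol version and the 32-byte random
    sid_len = body[pos]
    session_id = body[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    info = {"handshake_type": hs_type, "name": HANDSHAKE_NAMES[hs_type],
            "session_id": session_id}
    if hs_type == 1:                  # Client Hello: vector of offered suites
        count = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        codes = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + count, 2)]
        info["cipher_suites"] = [CIPHER_SUITES.get(c, f"0x{c:04X}") for c in codes]
    else:                             # Server Hello: the single chosen suite
        code = struct.unpack("!H", body[pos:pos + 2])[0]
        name = CIPHER_SUITES.get(code, f"0x{code:04X}")
        info["cipher_suite"] = name
        info["decryptable_with_server_key"] = uses_rsa_key_exchange(name)
    return info


def matches_handshake_filter(record):
    """Equivalent of `ssl.handshake.type == 1 || ssl.handshake.type == 2`."""
    return parse_handshake(record)["handshake_type"] in (1, 2)


def looks_like_resumption(client_info, server_info):
    """A Server Hello echoing a non-empty client session ID means the session was reused,
    so no key exchange is captured and the private key cannot help."""
    sid = client_info["session_id"]
    return len(sid) > 0 and sid == server_info["session_id"]


RANDOM = b"\x11" * 32  # constructed, not a real nonce

CLIENT_HELLO = build_record(1,
    b"\x03\x03" + RANDOM + b"\x00"               # version, random, empty session ID
    + b"\x00\x04" + b"\xc0\x2f" + b"\x00\x2f"    # two offered cipher suites
    + b"\x01\x00")                                # compression methods: null only
SERVER_HELLO_ECDHE = build_record(2, b"\x03\x03" + RANDOM + b"\x00" + b"\xc0\x2f" + b"\x00")
SERVER_HELLO_RSA = build_record(2, b"\x03\x03" + RANDOM + b"\x00" + b"\x00\x2f" + b"\x00")

if __name__ == "__main__":
    for rec in (CLIENT_HELLO, SERVER_HELLO_ECDHE, SERVER_HELLO_RSA):
        print(parse_handshake(rec))
```

Running it on a real capture means feeding the TLS record bytes of each frame into parse_handshake; a Server Hello whose suite name contains ECDHE is the case where loading the private key in Preferences will not decrypt the session.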


Analyze HTTP Request Response time

Response times of HTTP requests can be analyzed with the IO Graph.

Configure the following filters:


Analyze DNS Response time

For DNS traffic, Wireshark pairs each response with its query and shows the time between them in seconds inside the DNS response (dns.time).

Filter on DNS traffic.

Right-click Time in the DNS response and select Apply as Column. The dns.time field is then shown as a column:


Go to Statistics>IO Graphs and configure as follows:
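The two timing views used in this post, the delta-time column and dns.time, are easy to reproduce outside the GUI. The following Python is an added example, not the post's own code or anything shipped with Wireshark: it computes a frame-to-frame delta like the delta-time column and a query-to-response time like dns.time, pairing query and response on DNS transaction ID and client address (an assumption that approximates how Wireshark matches them). The five frames are constructed for the example, including one response with no matching query so the unmatched case is handled.

```python
"""Delta time between frames and DNS query-to-response time (dns.time-style).
Added example; the frames below are constructed, not captured."""

from dataclasses import dataclass


@dataclass
class Frame:
    number: int
    time: float        # capture timestamp, seconds
    src: str
    dst: str
    dns_id: int        # DNS transaction ID
    is_response: bool  # DNS QR flag


# Constructed sample: two queries, their responses, and one orphan response.
FRAMES = [
    Frame(1, 0.000, "10.0.0.5", "10.0.0.53", 0x1A2B, False),
    Frame(2, 0.003, "10.0.0.5", "10.0.0.53", 0x3C4D, False),
    Frame(3, 0.021, "10.0.0.53", "10.0.0.5", 0x1A2B, True),
    Frame(4, 0.150, "10.0.0.53", "10.0.0.5", 0x3C4D, True),
    Frame(5, 0.160, "10.0.0.53", "10.0.0.5", 0x9999, True),  # no query seen for this ID
]


def delta_times(frames):
    """Seconds since the previous frame, as the delta-time column shows it."""
    out, prev = {}, None
    for f in frames:
        out[f.number] = 0.0 if prev is None else round(f.time - prev.time, 6)
        prev = f
    return out


def dns_response_times(frames):
    """Map response frame number -> seconds since its query.
    Queries are keyed on (transaction ID, client address); a response whose
    query is not in the capture is skipped, just as dns.time is absent for it."""
    pending, out = {}, {}
    for f in frames:
        if not f.is_response:
            pending[(f.dns_id, f.src)] = f
            continue
        query = pending.pop((f.dns_id, f.dst), None)
        if query is not None:
            out[f.number] = round(f.time - query.time, 6)
    return out


def slow_responses(frames, threshold_seconds):
    """Frame numbers of responses slower than the threshold (cf. filter `dns.time > 0.1`)."""
    return [n for n, t in dns_response_times(frames).items() if t > threshold_seconds]


if __name__ == "__main__":
    print("delta:", delta_times(FRAMES))
    print("dns.time:", dns_response_times(FRAMES))
    print("slow (>0.1s):", slow_responses(FRAMES, 0.1))
```

The same pairing logic is what the IO Graph plots when you graph dns.time: only responses with a matched query contribute a point, which is why a capture started after the queries went out shows gaps.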
