Course info
Oct 9, 2017
1h 25m

Network engineers, SysAdmins, and Website Administrators can all benefit from a better understanding of the operation of TLS (more commonly called SSL). TLS uses multiple encryption protocols to operate, and negotiates between many different suites of encryption protocols, called cipher suites. In this course, Troubleshooting with Wireshark: Analyzing and Decrypting TLS Traffic in Wireshark (Using HTTPs), you will learn the most secure versions of TLS implementations and cipher suites, as well as how to identify less-than-optimal TLS versions and ciphers in Wireshark. Additionally, you will learn how to capture the session keys in Windows and use the session key to decrypt traffic and extract websites from an encrypted session. By the end of this course, you will have gained a better understanding of TLS and new methods for troubleshooting with Wireshark.

About the author

For nearly 20 years, Ross has taught and managed data networks.

Section Introduction Transcripts

Course Overview
Hi everyone, my name is Ross Bagurdes, and welcome to my course Troubleshooting with Wireshark: Analyzing and Decrypting TLS Traffic. I'm a network engineer with 20 years' experience in IT, supporting enterprise networks and teaching people about them. If you're a techy like me, you're probably curious about how TLS encryption, or SSL as it's commonly referred to, actually works. Searching Google will typically result in sparse information about TLS encryption, often leading you to false or incomplete information about its operation. In this course, I aim to enhance your understanding of TLS operation by describing the encryption protocols or cipher suites used by TLS. We'll use Wireshark to capture and describe the TLS handshake process, identifying where our encrypted communication begins in TLS. We'll learn how to identify insecure implementations of SSL or TLS, including the use of weak cipher suites. By the end of this course, you'll be able to identify strong and weak implementations of TLS and capture the session keys on your local workstation to decrypt TLS sessions in Wireshark. Before beginning this course, you should be familiar with capturing traffic in Wireshark, the TCP three-way handshake process, and a basic understanding of HTTP communication. I hope you'll join me on this journey to learn about troubleshooting TLS traffic with Wireshark in the Troubleshooting with Wireshark: Analyzing and Decrypting TLS Traffic course at Pluralsight.

Introducing Transport Layer Security (TLS) Encryption
Welcome to Pluralsight. I'm Ross Bagurdes. In this course, we're going to do troubleshooting with Wireshark. We're going to analyze and decrypt TLS traffic, and we're specifically going to look at how TLS is used in HTTPS communication. In this first module, we're going to introduce Transport Layer Security encryption, or TLS encryption. Our goals for this first module are to look at the SSL and TLS history. Those two terms, SSL and TLS, are typically used interchangeably, even though the official specification for the protocol we use here is TLS. We'll look at what TLS encryption entails, and there's actually three different types of encryption that are occurring when we're using TLS. We'll look at the key exchange process. This is one of the encryption types of TLS. And that key exchange process is a pretty nifty process, and I want to use the explanation of that key exchange process to dispel a bunch of myths about how people think public/private key encryption works. We'll take a look at certificates as well in this introductory course and find out what the purpose of these certificates is and how they're used in TLS encryption.

TLS Handshake
Welcome to Pluralsight. I'm Ross Bagurdes. This next module we're going to look at the TLS handshake process. Our goals this module are two things. One, we're going to look at the TLS handshake and examine what steps are involved in that, and then second, we're going to take a look at Wireshark, and we're going to capture an HTTPS session by browsing to Pluralsight.com and then examining the TLS handshake.

Decrypting TLS Traffic
Welcome to Pluralsight. I'm Ross Bagurdes. In this next module, we're going to do some decrypting of TLS traffic. This is certainly one of the more interesting things we're going to do here, so let's take a look at our goals. Our goals here are going to be to configure our workstation to capture our session keys. Those session keys are what we use to both encrypt and decrypt our traffic. That's what we're using that combination of the public key that we get from the server, as well as that encrypted session key that we get from the server and our private key that's stored locally on our workstation. Once we have all three of those keys, then we can import them into Wireshark and do our decryption. After we configure our workstation to capture those keys, we're going to use Wireshark to then capture an HTTPS session. We'll then decrypt that session by adding in the session keys that we captured on our workstation into Wireshark. And then last, we're going to find the HTTP content within that TLS session. We're going to export that information as a file, and then we're going to open it up inside of a web browser as a local file and see what it is that was contained in our HTTPS session.

Examining Weak TLS Encryption
Welcome to Pluralsight. I'm Ross Bagurdes. In this last module of our TLS encryption course, we're going to look at examining some weak TLS encryption in Wireshark. Our goals this module are going to be to take a look at seven examples of TLS encryption in Wireshark and then identify the good and bad encryption protocols. Sometimes they get mixed together, so we'll take a look at each one, and you can see how we can identify in Wireshark when a server has properly set up its encryption and when it's less than desirable encryption that's set up.