Decryption In Action: Decrypted Visibility with Wireshark for TLS 1.3

    by Nubeva 24 October 2019

    Get Real-Time Decrypted Network Traffic to Inspect and Troubleshoot with Wireshark

    In a recent demonstration video, Nubeva’s Director of Customer Engineering, Erik Freeland, shows security professionals how to use Wireshark in the cloud to get real-time decrypted traffic.

    In the demonstration scenario, a trouble ticket is received by the security or application help desk. An issue has been flagged on a single host and the security professional is tasked to investigate the issue more deeply. Using Wireshark, a tool for deep packet inspection and network protocol analysis, the security pro begins to troubleshoot the issue.

    Wireshark lets users see what’s happening on the network at a microscopic level. It’s important for SecOps to see decrypted data in order to understand what’s happening on this host. The demo video provides a step-by-step walkthrough describing how to inspect the flagged issue.

    [Screenshot: Amazon VPC traffic mirroring]

    1. Copy of packets for inspection: For everything to work as intended, you need to set up packet mirroring or tapping and send complete packets to Wireshark for inspection. In our demo video, we use Amazon VPC traffic mirroring (pictured above).
    2. Set filter to destination: Within the Amazon VPC traffic mirroring console, create a target destination where traffic should be sent. In the demo, we select our Wireshark instance, and the video shows exactly what this looks like. We then RDP into the Wireshark box. You will need to SSH into the machine first to set your RDP password before you can connect using RDP.
    3. Prepare your Wireshark instance: Start Wireshark as root to make sure it can access the interfaces. We want to monitor the Nubeva Decryptor interface, which is used to push all of the received traffic, including decrypted traffic. You’ll see the interface in the video showing all of the data gathered. From this host, the security professional can troubleshoot anything.
    4. Inspect traffic: This architecture enables users to see traffic coming in and inspect the data as needed. Users can see the details of the decrypted traffic (in green, below), as well as the fully encrypted traffic stream.

    [Screenshot: Wireshark showing the encrypted packets and the decrypted traffic]


    The image above shows the encrypted packets sent to Wireshark as well as the decrypted version of the entire flow of information. In the video (and the screen capture above) we receive and decrypt the entire EICAR antivirus test file. Regardless of the type of traffic you need to troubleshoot, Wireshark, running in real time with Nubeva TLS Decrypt, gives you a decrypted packet stream for inspection.
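
    The mirroring setup from steps 1 and 2 can also be scripted with the AWS CLI instead of the console. The script below is an added example, not taken from the demo video or from Nubeva; the function names and ENI IDs are constructed placeholders, and it defaults to a dry run that only prints the commands.

```shell
#!/usr/bin/env bash
# Added example: AWS CLI equivalent of the console steps (not from the demo video).
# DRY_RUN=1 (default) only prints the aws commands, so it runs without credentials.
DRY_RUN="${DRY_RUN:-1}"

# ec2_create <JMESPath of the new ID> <aws ec2 args...>: prints the created resource ID.
ec2_create() {
  query=$1; shift
  if [ "$DRY_RUN" = 1 ]; then
    echo "aws ec2 $*" >&2          # show the command that would be executed
    echo "dryrun-${query##*.}"     # constructed stand-in for the returned ID
  else
    aws ec2 "$@" --query "$query" --output text
  fi
}

# mirror_host <flagged host ENI> <Wireshark ENI>: prints the mirror session ID.
mirror_host() {
  src_eni=$1; dst_eni=$2
  target=$(ec2_create TrafficMirrorTarget.TrafficMirrorTargetId \
    create-traffic-mirror-target --network-interface-id "$dst_eni") || return 1
  filter=$(ec2_create TrafficMirrorFilter.TrafficMirrorFilterId \
    create-traffic-mirror-filter --description wireshark-troubleshooting) || return 1
  # Accept traffic in both directions; narrow the CIDRs to limit what is copied.
  for dir in ingress egress; do
    ec2_create TrafficMirrorFilterRule.TrafficMirrorFilterRuleId \
      create-traffic-mirror-filter-rule --traffic-mirror-filter-id "$filter" \
      --traffic-direction "$dir" --rule-number 100 --rule-action accept \
      --source-cidr-block 0.0.0.0/0 --destination-cidr-block 0.0.0.0/0 \
      >/dev/null || return 1
  done
  # No --packet-length: omitting it mirrors complete packets, as step 1 requires.
  ec2_create TrafficMirrorSession.TrafficMirrorSessionId \
    create-traffic-mirror-session --network-interface-id "$src_eni" \
    --traffic-mirror-target-id "$target" --traffic-mirror-filter-id "$filter" \
    --session-number 1
}

# Constructed placeholder ENI IDs; replace with the flagged host and Wireshark ENIs.
mirror_host eni-0aaaaaaaaaaaaaaaa eni-0bbbbbbbbbbbbbbbb
```

    Mirrored packets arrive VXLAN-encapsulated on UDP port 4789, so the Wireshark instance's security group must allow that port from the mirrored host.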

    If you don’t have Wireshark running, Nubeva makes it easy! 

    There are many ways to load Wireshark in the cloud. Our demo video shows a simple way to launch it. Within your cloud subscription, select the region you would like. Then select either a “new” or “existing” VPC. Lastly, select the tool you want to install, in this case Wireshark, and launch it. It will install on Linux, and we use RDP to connect to it.

    For more information about using Wireshark for inspection and troubleshooting, watch the demo video.
