What version of TLS and ciphers is your service using? WhaTLS reports on all SSL sessions that were captured and exports the data to CSV.
From the data, making a pivot table and chart is basic Excel magic.
- capture_file - The name of the capture file where the data was pulled.
- tcp_stream_id - The TCP stream ID in the capture. Useful for finding the packets in the capture for additional research.
- client_hello - The full packet details of the Client Hello packet in the TLS handshake for a given session.
- server_hello - The full packet details of the Server Hello packet in the TLS handshake for a given session.
- negotiated_tls_version - What version of SSL/TLS was chosen for a given session.
- negotiated_cipher_suite - What cipher suite was chosen for a given session.
- Python 3.6 at a minimum.
- Install tshark by running `sudo apt update && sudo apt install tshark`.
- Clone the repository and install the Python dependencies:

```sh
git clone https://github.com/clay584/whatls && cd whatls
pip install -r requirements.txt
```
- Take a packet capture from a device and save it to a file.
- Pre-filter your capture with `tcpdump -nt -r MyCaptureFile.pcap "$(cat ssl_filter.bpf)" -w MyCaptureFile_filtered.pcap`. This does two things. First, it makes the analysis faster by orders of magnitude, as `tcpdump` with a BPF filter is far faster than using a display filter and iterating through packets with pyshark. Second, I've noticed that when a capture is analyzed without first running it through `tcpdump`, pyshark chokes on it for some reason and gives incomplete data. In test captures, 41 SSL sessions were found, whereas after using `tcpdump` to filter, pyshark was able to analyze all of it, resulting in 151 SSL sessions.
- Run `./whatls.py MyCaptureFile_filtered.pcap`.
- The CSV report will be saved to `MyCaptureFile_filtered.csv`.
- Thanks to Brian @infosecsamurai for optimizations and testing.