

View TLS Handshake - RDP Session

Question

Thursday, January 5, 2017 12:18 AM

Hello,

Is there a way for me to "decode" (using Wireshark parlance) a Remote Desktop Protocol (RDP) session using Microsoft Message Analyzer so I can view the TLS handshake? I believe this could be referred to as protocol dissection as well.

When I use Wireshark, I can use the "Decode As..." function to map TPKT to SSL based on a tcp port (3389).

I'd like to watch RDP traffic on a remote Windows Server 2012R2 machine via WinRM instead of installing software on the box (hence the need for Message Analyzer which supports this use case).

Thanks for any assistance - I tried searching but perhaps I'm not using the correct terminology as I'm more familiar with Wireshark.

Regards,

All replies (3)

Thursday, January 5, 2017 7:04 PM

If RDP is being encrypted by TLS, then I believe all you will see is the TLS traffic. Based on an example I have, if I filter on "tcp.port==3389", I see TLS traffic. For my example, I have a private cert and password, so I'm able to use Message Analyzer's decryption facility for my case.

Do you see TLS traffic if you filter on 3389?

Paul


Thursday, January 5, 2017 9:25 PM

Hi Paul,

Yep... I can see the 3389 traffic when I filter by that port (or other means). The messages show up as TCP in the Module column; however, I don't see the TLS handshake at all. I know I must be missing something extremely fundamental here. I've watched the videos but I'm having trouble breaking away from my Wireshark line of thinking.

When I run Wireshark on the host I'm using the RDP client on, I can see the standard TCP 3-way handshake - everything is in order and looks "normal" to me. When I take a capture on the remote server using Microsoft Message Analyzer, the traffic looks completely different. In other words, I see 4 messages from client to server and then right after, I see another 4 messages from server to client. I would expect to see a SYN > SYN/ACK > SYN but I think because of the "tree" layout in MMA, it doesn't appear like how I'm used to seeing in Wireshark.

Regardless of how the messages appear in the UI, I don't see any of the TLS handshake data. In my case, I'm not trying to decrypt the data - I just want to see the messages as they come through, verify TLS version, certificate, cipher suite, etc. It feels like maybe a "Viewpoint" thing but it honestly makes no sense to me when I compare a pcap next to a capture from MMA. 

My apologies, I feel like I'm missing something fundamental about the UI here.

EDIT/UPDATE:

I believe I'm getting the same data between Wireshark and MMA; I just needed to learn how to read the interface - the 3 way TCP handshake was staring me right in the face so I'm no longer confused with what I'm reading. My only issue continues to be that I can't see any of the TLS handshake messages. Again, not interested in decrypting the traffic, just want to see the SSL messages when the client connects to the server.

I think my question is this:

How do I view the TLS handshake messages without decrypting the traffic? This is done using the decode function in Wireshark.
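Why the "Decode As" mapping from the original question is needed on 3389, and what "seeing the handshake without decrypting" amounts to, as an added Python illustration that is not part of this thread: an RDP connection opens with TPKT-framed X.224 PDUs and, once PROTOCOL_SSL is negotiated, continues with raw TLS records on the same TCP stream, so a TPKT-only dissector stops right where the handshake begins. The parser below labels each framing unit and pulls the version and cipher suites out of the ClientHello; the byte stream is constructed, not taken from a capture, and the offsets assume a Connection Request without a cookie and a ClientHello without extensions.

```python
import struct
PROTOCOL_SSL = 0x00000001  # requestedProtocols bit for TLS in RDP_NEG_REQ (MS-RDPBCGR)
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def describe_x224(tpdu):
    """X.224 Connection Request; assumes no routingToken/cookie before rdpNegReq."""
    if tpdu[1] != 0xE0 or len(tpdu) < 15 or tpdu[7] != 0x01:
        return {"pdu": "x224 type 0x%02x" % tpdu[1]}
    requested = struct.unpack("<I", tpdu[11:15])[0]  # rdpNegReq.requestedProtocols (LE)
    return {"pdu": "ConnectionRequest", "requests_tls": bool(requested & PROTOCOL_SSL)}

def describe_tls_record(rec):
    """Version and cipher suites from a ClientHello record; no decryption involved."""
    info = {"record_version": TLS_VERSIONS.get(struct.unpack("!H", rec[1:3])[0])}
    if rec[0] == 0x16 and rec[5] == 0x01:  # handshake record carrying a ClientHello
        body = rec[9:]  # skip 5-byte record header + 4-byte handshake header
        info["handshake"] = "ClientHello"
        info["client_version"] = TLS_VERSIONS.get(struct.unpack("!H", body[0:2])[0])
        sid_len = body[34]  # 2 version bytes + 32 random bytes precede session_id length
        cs_off = 35 + sid_len
        cs_len = struct.unpack("!H", body[cs_off:cs_off + 2])[0]
        cs = body[cs_off + 2:cs_off + 2 + cs_len]
        info["cipher_suites"] = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]
    return info

def split_stream(payload):
    """Label each framing unit of a port-3389 TCP payload as TPKT or TLS.
    RDP begins with TPKT frames (0x03 0x00 + length) carrying X.224; once
    PROTOCOL_SSL is agreed the same stream continues with bare TLS records
    (content type 0x14..0x17, major version 0x03), which a TPKT-only dissector
    cannot follow; that is the gap "Decode As ... SSL" closes."""
    units, off = [], 0
    while off + 5 <= len(payload):
        b0, b1 = payload[off], payload[off + 1]
        if b0 == 0x03 and b1 == 0x00:
            length = struct.unpack("!H", payload[off + 2:off + 4])[0]
            units.append(("TPKT", describe_x224(payload[off + 4:off + length])))
        elif 0x14 <= b0 <= 0x17 and b1 == 0x03:
            length = 5 + struct.unpack("!H", payload[off + 3:off + 5])[0]
            units.append(("TLS", describe_tls_record(payload[off:off + length])))
        else:
            raise ValueError("unrecognised framing at offset %d" % off)
        off += length
    return units

# Constructed sample: X.224 Connection Request asking for PROTOCOL_SSL, then a minimal TLS 1.2 ClientHello.
SAMPLE = (bytes.fromhex("03000013" "0ee00000000000" "0100080001000000")
          + bytes.fromhex("160301002f" "0100002b" "0303") + bytes(32)
          + bytes.fromhex("00" "0004" "c02f002f" "0100"))
```

Running `split_stream(SAMPLE)` yields one TPKT unit flagged as requesting TLS and one TLS unit reporting a TLS 1.2 ClientHello with suites 0xC02F and 0x002F.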


Thursday, January 12, 2017 4:26 AM

Here is my scenario:

WS01=my workstation w/ MMA Windows 10 Pro 1607

WS02=test workstation w/ MMA Windows 7 Pro

SRV01=remote server 2012R2 Datacenter

I have WS01 running MMA connecting to SRV01 (different VLANs so there is some routing). SRV01 is a virtual machine (2012R2) running in VMware ESXi using a standard 10Gb VMXNET3 adaptor.

When I start a remote packet capture with MMA on WS01 and initiate an RDP session from WS02 to SRV01, I can see the traffic but none of the TLS information.

If I use MMA on WS02 to capture traffic on its local interface, I can see everything just fine. I see TLS in the module column, I see the TLS handshake between WS02 and SRV01 and everything works as I would expect.

The issue is when I'm running a remote packet capture from WS01, I'm not seeing any of this information. Is this a limitation of remote packet capture?

I can just as easily install Wireshark, MMA or even NetMon on my server and see the TLS handshake. The issue seems to be with doing the packet capture remotely.

EDIT: here is the doc I'm referencing - seems pretty straightforward:

https://technet.microsoft.com/en-us/library/dn386835.aspx