Where can you extract the TLS cipher suite used in a handshake?

Prepare for the Wireshark Traffic Analysis Exam. Study with flashcards and multiple choice questions; each question includes hints and explanations. Ace your exam!

Multiple Choice

Where can you extract the TLS cipher suite used in a handshake?

Explanation:
During a TLS handshake, the server’s chosen cipher suite is announced in the ServerHello message. The client begins with ClientHello, proposing a list of supported cipher suites, and the server selects one from that list and responds with ServerHello, including the selected cipher_suite field. That field tells you exactly which encryption, MAC, and PRF will be used for the session. In practice, you can verify this in a capture by inspecting the ServerHello within the TLS handshake; the cipher suite value shown there is the negotiated one for the session. The other options don’t carry the cipher suite: DNS A records map domain names to IPs, TLS Alerts indicate errors in the protocol, and the HTTP Content-Type header is part of application data after the TLS layer has been established.

