Lab 10-1: TLS Handshake

Course: NET-101, Week 10
Time: ~45 minutes (paired with lab-10-2 for one 90-minute session)
Tools: Academy pcap-tools workbench at /pcap-tools/; terminal with curl
Captures: tls-handshake.pcapng (in the catalog under the NET-201 track)

Part 1: Read the TLS ClientHello (~25 minutes)

Load tls-handshake.pcapng from the pcap-tools catalog. This is a TLS 1.3 handshake capture.

Apply tls.handshake.type == 1 to isolate the ClientHello.

Click the ClientHello packet. Expand "Transport Layer Security" > "TLSv1.3 Record Layer" > "Handshake Protocol: Client Hello."

Exercise 1.1 -- ClientHello fields:

  1. What is the Handshake Type value? What does it mean?
  2. What TLS version appears in the "Legacy Version" field? (Hint: for TLS 1.3, this is set to 0x0303 for compatibility reasons.)
  3. How many cipher suites does the client advertise? List the first 3 by name.
  4. How long is the Random field, in bytes?
  5. Does a Session ID field appear? Is it empty?

Exercise 1.2 -- Extensions:

Expand the "Extension" entries inside the ClientHello.

  1. Is a Server Name Indication (SNI) extension present? What is the hostname in the SNI?
  2. Is a "supported_versions" extension present? What TLS versions does it list?
  3. Is a "key_share" extension present? What elliptic curve group does it list?
  4. List at least 4 other extension names that appear.
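
As an added example (not part of the lab or of the pcap-tools workbench), the Python below builds a constructed TLS 1.3 ClientHello record and parses from it the same fields Exercises 1.1 and 1.2 ask you to read in the packet viewer: legacy version, Random length, session ID, cipher suites, extension names, SNI, supported_versions and the key_share group. The hostname, suite list and key bytes are assumed sample values, not those in tls-handshake.pcapng.

```python
# Added example: build a constructed TLS 1.3 ClientHello record and parse the
# fields Exercises 1.1 and 1.2 ask for. Sample values are assumptions, not the capture's.
import struct

CIPHER_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
                0x1303: "TLS_CHACHA20_POLY1305_SHA256"}
EXT_NAMES = {0: "server_name", 10: "supported_groups", 13: "signature_algorithms",
             43: "supported_versions", 51: "key_share"}
GROUP_NAMES = {0x001d: "x25519", 0x0017: "secp256r1"}

def _ext(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data   # extension = type(2) + length(2) + data

def build_client_hello(hostname=b"virtuscyberacademy.org"):
    """Constructed ClientHello inside a TLS record (compat-mode session ID, three suites)."""
    sni = _ext(0, struct.pack("!HBH", len(hostname) + 3, 0, len(hostname)) + hostname)
    versions = _ext(43, b"\x04\x03\x04\x03\x03")             # offers TLS 1.3 then TLS 1.2
    groups = _ext(10, b"\x00\x04\x00\x1d\x00\x17")           # x25519, secp256r1
    sigalgs = _ext(13, b"\x00\x04\x04\x03\x08\x04")          # ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256
    key_share = _ext(51, struct.pack("!HHH", 36, 0x001d, 32) + b"\x11" * 32)  # dummy x25519 share
    exts = sni + versions + groups + sigalgs + key_share
    body = (b"\x03\x03" + b"\xaa" * 32 + b"\x20" + b"\xbb" * 32          # legacy 1.2, random, session id
            + struct.pack("!H", 6) + b"\x13\x01\x13\x02\x13\x03" + b"\x01\x00"  # suites, compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = Handshake

def parse_client_hello(rec):
    """Return the fields the lab reads from the ClientHello, from a raw TLS record."""
    assert rec[0] == 22 and rec[5] == 1, "not a Handshake record carrying a ClientHello"
    p = 9                                                    # skip record (5) + handshake (4) headers
    out = {"legacy_version": "0x%04x" % struct.unpack("!H", rec[p:p + 2])[0]}; p += 2
    out["random_len"] = 32; p += 32                          # Random is fixed at 32 bytes by the spec
    sid_len = rec[p]; out["session_id_len"] = sid_len; p += 1 + sid_len
    cs_len = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    out["cipher_suites"] = [CIPHER_NAMES.get(c, hex(c)) for c in
                            struct.unpack("!%dH" % (cs_len // 2), rec[p:p + cs_len])]
    p += cs_len; p += 1 + rec[p]                             # then skip compression methods
    ext_len = struct.unpack("!H", rec[p:p + 2])[0]; p += 2; end = p + ext_len
    out["extensions"] = []
    while p < end:
        t, l = struct.unpack("!HH", rec[p:p + 4]); data = rec[p + 4:p + 4 + l]; p += 4 + l
        out["extensions"].append(EXT_NAMES.get(t, "ext_%d" % t))
        if t == 0:     # server_name: list len(2), name type(1), name len(2), name
            out["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        elif t == 43:  # supported_versions: 1-byte vector length, then 2-byte versions
            out["versions"] = ["0x%04x" % v for v in struct.unpack("!%dH" % (data[0] // 2), data[1:1 + data[0]])]
        elif t == 51:  # key_share: shares len(2), group(2), key len(2), key
            out["key_share_group"] = GROUP_NAMES.get(struct.unpack("!H", data[2:4])[0])
    return out
```

Compare the dictionary this returns with what the packet viewer shows for the same fields; the offsets in the parser are the same ones the "Handshake Protocol: Client Hello" subtree walks.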

Part 2: Read the ServerHello and encrypted records (~20 minutes)

Apply tls.handshake.type == 2 to isolate the ServerHello.

Exercise 2.1 -- ServerHello fields:

  1. What is the server's chosen cipher suite?
  2. Is a "key_share" extension in the ServerHello? What does this mean about the key exchange?

Remove the filter and look at the full packet list.

  1. After the Finished messages, what do the remaining packets show in the Info column? (They should say "Application Data" or similar.)
  2. Can you tell from the packet captures what HTTP request was made after the handshake? (Expected answer: no. Explain why.)

Exercise 2.2 -- Display filter comparison:

Apply tls.record.content_type == 22. How many packets match? These are all TLS Handshake records (content type 22).

Apply tls.record.content_type == 23. How many packets match? These are all TLS Application Data records (content type 23).

  1. The ratio of handshake records to application data records tells you something about the session. If this were a very long HTTP session with many requests, how would that ratio change?

Part 3: Verify with live curl (~10 minutes)

In your terminal:

curl -v --tlsv1.3 https://virtuscyberacademy.org/ 2>&1 | grep -A5 "TLS"

  1. What TLS version does curl report?
  2. What cipher suite was negotiated?
  3. Can you see the SNI in curl's verbose output? (Look for "SNI" or "hostname".)

Artifact

Create lab-10-1.md in your net-101/ Git repo with:

  • Answers to all questions
  • The cipher suite and extension lists

Commit with a meaningful commit message.