CloudShark 3.10 includes an update to the version of Wireshark used under the hood. This collection of sample capture files highlights some of the new and updated protocol support included in this version.
The Community ID open standard from Corelight defines a hash over a flow's endpoints (addresses, ports and IP protocol) that is identical for both directions of the flow. Every tool that implements Community ID produces the same value for the same flow, so the value can be used to pivot between tools and locate a particular flow quickly.
Starting in CloudShark 3.10.0 the Community ID field can be used in a display filter or as a custom column. The Community ID protocol is disabled by default in Wireshark, so it must be enabled in the profile used to view the capture.
Description: Sample TCP capture from the Corelight Community ID Spec with the Community ID protocol enabled and the `communityid` field applied as a column.
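How the value in that column is derived, as an added Python example (this is not CloudShark code or the Corelight reference implementation; the spec repository ships its own test vectors to check an implementation against). Community ID v1 orders the two endpoints so that A->B and B->A hash identically, then SHA-1s the seed, addresses, protocol and ports and base64-encodes the digest. The ICMP type/code mapping from the spec is left out here; the `communityid` display-filter field is the one the description above refers to.

```python
import base64
import hashlib
import ipaddress
import struct

# Protocols whose ports are part of the flow tuple: TCP, UDP, SCTP.
# Anything else is hashed on addresses and protocol alone (ICMP mapping not implemented).
PORT_PROTOCOLS = {6, 17, 132}


def community_id_v1(saddr, daddr, proto, sport=None, dport=None, seed=0):
    """Community ID v1: '1:' + base64(sha1(seed || src || dst || proto || 0x00 || sport || dport))."""
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    if len(src) != len(dst):
        raise ValueError("source and destination must be the same address family")
    if proto in PORT_PROTOCOLS:
        if sport is None or dport is None:
            raise ValueError("TCP/UDP/SCTP flows need both ports")
        sp, dp = struct.pack("!H", sport), struct.pack("!H", dport)
    else:
        sp = dp = b""
    # Direction independence: the lower address (then lower port) always goes first.
    if (src, sp) > (dst, dp):
        src, dst, sp, dp = dst, src, dp, sp
    data = struct.pack("!H", seed) + src + dst + struct.pack("!BB", proto, 0) + sp + dp
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def display_filter(cid):
    """Wireshark/CloudShark display filter that isolates one flow by its Community ID."""
    return f'communityid == "{cid}"'


if __name__ == "__main__":
    # Constructed flow: a client on an ephemeral port talking to a web server.
    forward = community_id_v1("128.232.110.120", "66.35.250.204", 6, 34855, 80)
    reverse = community_id_v1("66.35.250.204", "128.232.110.120", 6, 80, 34855)
    print(forward, forward == reverse)
    print(display_filter(forward))
```

Because the ordering step runs before hashing, a Zeek `conn.log` entry, a Suricata alert and the CloudShark column all agree on one string for the flow, which is what makes the pivot work. The `seed` parameter must match across tools as well; every implementation defaults it to 0.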
DNS over HTTPS (DoH) carries DNS queries and responses inside HTTPS. This gives the lookups performed by a device or application confidentiality and integrity on the wire, which also means a capture of DoH shows only TLS unless the session keys are available.
CloudShark 3.10 supports decrypting DoH traffic when the keys are embedded in a pcapng file.
Description: Encrypted capture of Chrome performing a lookup for example.com when configured with the 'Use secure DNS with Cloudflare (1.1.1.1)' option enabled.
Source: QA Cafe
Description: Capture decrypted with embedded secrets of Chrome performing a lookup for example.com when configured with the 'Use secure DNS with Cloudflare (1.1.1.1)' option enabled.
The JA3 standard, open sourced by Salesforce, defines an MD5 hash over fields of the TLS ClientHello (version, cipher suites, extensions, elliptic curves and point formats) that fingerprints a TLS client. Because the fields reflect the TLS library and its configuration rather than the destination, the hash can be used to identify applications such as a web browser or a specific malware family. JA3S is the corresponding hash over the ServerHello, used to fingerprint TLS servers.
Description: Sample capture of a connection between OpenSSL 1.1.1g s_client and s_server to display the JA3 and JA3S fingerprints. In this profile, the 'JA3' column contains the value `tls.handshake.ja3 || tls.handshake.ja3s` to display the JA3 or JA3S fingerprint.
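What goes into the `tls.handshake.ja3` value, as an added Python example (not CloudShark or Salesforce code). It builds a constructed ClientHello, parses it back out of the TLS record and produces the JA3 string and hash the way the reference implementation does: decimal values joined with `-` inside each field, fields joined with `,`, and GREASE values stripped so that a browser randomising them does not change its fingerprint between connections. JA3S over the ServerHello is not covered.

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 ignores them.
GREASE = {((n << 4) | 0x0A) * 0x101 for n in range(16)}

EXT_SERVER_NAME = 0
EXT_SUPPORTED_GROUPS = 10      # "elliptic curves" in JA3 terminology
EXT_EC_POINT_FORMATS = 11


def build_client_hello(version, ciphers, extensions):
    """Build a single TLS record holding a ClientHello; extensions is a list of (type, data)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"        # version, random, empty session id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                               # compression methods: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record that holds a complete ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("ClientHello is truncated or spans several records")
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                    # skip the 32-byte random
    pos += 1 + body[pos]                            # session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                            # compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(body):                             # extensions are optional
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + n
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == EXT_SUPPORTED_GROUPS:
                m = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + m, 2)]
            elif etype == EXT_EC_POINT_FORMATS:
                formats = list(data[1:1 + data[0]])

    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3_string = ",".join([str(version), field(ciphers), field(ext_types), field(groups), field(formats)])
    return ja3_string, hashlib.md5(ja3_string.encode("ascii")).hexdigest()


def sni(hostname):
    """server_name extension payload for one host_name entry."""
    name = hostname.encode("ascii")
    return struct.pack("!HBH", len(name) + 3, 0, len(name)) + name


# Constructed ClientHello (not the page's OpenSSL capture): TLS 1.2 legacy version, three real
# suites plus a GREASE suite, and a GREASE extension that the fingerprint must ignore.
EXAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1301, 0x1302, 0xC02B, 0x0A0A],
    [
        (EXT_SERVER_NAME, sni("example.com")),
        (0x0A0A, b""),
        (EXT_SUPPORTED_GROUPS, struct.pack("!HHH", 4, 0x001D, 0x0017)),   # x25519, secp256r1
        (EXT_EC_POINT_FORMATS, b"\x01\x00"),                              # uncompressed
    ],
)

if __name__ == "__main__":
    ja3_string, ja3_hash = ja3(EXAMPLE_HELLO)
    print(ja3_string)   # 771,4865-4866-49195,0-10-11,29-23,0
    print(ja3_hash)
```

The practical caveat follows from the field list: anything that changes the advertised suites or extension order (a browser update, a proxy re-originating the TLS connection, a library upgrade in the malware) changes the hash, so JA3 is a pivot and hunting key rather than a stable identity.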
QUIC is an encrypted transport protocol that runs over UDP and is the transport underneath HTTP/3. It has been enabled by default in Chrome and Edge since April 2020 and in Firefox since April 2021. The main goal of QUIC is to improve the user experience, particularly page load times. Because the handshake and payload are encrypted with TLS 1.3 keys, CloudShark 3.10 can decrypt QUIC traffic only when those keys are embedded in a pcapng file.
Description: Encrypted capture of Chrome browsing to https://cloudflare-quic.com/ and refreshing the page to connect using QUIC.
Description: Capture decrypted with embedded secrets of Chrome browsing to https://cloudflare-quic.com/ and refreshing the page to connect using QUIC.
Opus is an audio codec standardized by the IETF. It provides an open format for encoding speech and audio with low enough latency for real-time communication and low enough complexity for low-end embedded processors.
Description: Sample capture from the Wireshark Wiki containing a VoIP call and RTP using the Opus codec.
WireGuard is a VPN protocol that aims for high performance while remaining simple to configure and use. CloudShark 3.10 supports decrypting WireGuard traffic when the keys are embedded in a pcapng file.
Description: Encrypted WireGuard sample capture from the Wireshark Wiki.
Description: Decrypted WireGuard sample capture with embedded secrets from the Wireshark Wiki.
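The DoH, QUIC and WireGuard samples above all rely on the same mechanism: a pcapng Decryption Secrets Block (DSB) that carries the key log inside the capture file, so CloudShark does not need a separate key file. Wireshark's `editcap --inject-secrets tls,keylog.txt in.pcapng out.pcapng` (or `wireguard,...`) produces such a file; the added Python example below, which is not CloudShark or Wireshark code, shows what that block looks like at the byte level by building a minimal little-endian pcapng, inserting a DSB directly after the Section Header Block, and reading the secrets back out. The key log line is constructed dummy data, not a real session key.

```python
import struct

# pcapng block types (little-endian section) and the DSB secrets types Wireshark reads.
BLOCK_SHB = 0x0A0D0D0A            # Section Header Block
BLOCK_IDB = 0x00000001            # Interface Description Block
BLOCK_DSB = 0x0000000A            # Decryption Secrets Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
SECRETS_TLS_KEYLOG = 0x544C4B4C   # "TLKL": NSS key log (CLIENT_RANDOM ...), covers TLS, DoH and QUIC
SECRETS_WIREGUARD = 0x57474B4C    # "WGKL": WireGuard key log (LOCAL_STATIC_PRIVATE_KEY = ..., etc.)


def _block(block_type, body):
    """Frame a body as a pcapng block: type, total length, body padded to 32 bits, total length."""
    pad = (-len(body)) % 4
    total = 12 + len(body) + pad
    return struct.pack("<II", block_type, total) + body + bytes(pad) + struct.pack("<I", total)


def section_header():
    # byte-order magic, version 1.0, section length -1 (unknown), no options
    return _block(BLOCK_SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def interface_description(linktype=1, snaplen=262144):
    # LINKTYPE_ETHERNET = 1, reserved, snap length, no options
    return _block(BLOCK_IDB, struct.pack("<HHI", linktype, 0, snaplen))


def decryption_secrets(secrets_type, secrets):
    """DSB body: secrets type, secrets length, secrets data (padding handled by _block)."""
    return _block(BLOCK_DSB, struct.pack("<II", secrets_type, len(secrets)) + secrets)


def iter_blocks(pcapng):
    """Yield (block_type, body) for every block; raises on a malformed length."""
    pos = 0
    while pos + 12 <= len(pcapng):
        btype, total = struct.unpack("<II", pcapng[pos:pos + 8])
        if total < 12 or total % 4 or pos + total > len(pcapng):
            raise ValueError(f"malformed block at offset {pos}")
        yield btype, pcapng[pos + 8:pos + total - 4]
        pos += total


def inject_secrets(pcapng, secrets_type, secrets):
    """Insert a DSB right after the first Section Header Block so it precedes every packet."""
    if len(pcapng) < 12:
        raise ValueError("too short to be a pcapng file")
    btype, total = struct.unpack("<II", pcapng[:8])
    magic = struct.unpack("<I", pcapng[8:12])[0]
    if btype != BLOCK_SHB or magic != BYTE_ORDER_MAGIC:
        raise ValueError("not a little-endian pcapng file (classic pcap has no place for secrets)")
    return pcapng[:total] + decryption_secrets(secrets_type, secrets) + pcapng[total:]


def block_types(pcapng):
    return [btype for btype, _ in iter_blocks(pcapng)]


def embedded_secrets(pcapng):
    """Return [(secrets_type, secrets_bytes)] for every DSB in the file, in file order."""
    found = []
    for btype, body in iter_blocks(pcapng):
        if btype == BLOCK_DSB:
            stype, slen = struct.unpack("<II", body[:8])
            found.append((stype, body[8:8 + slen]))
    return found


# Constructed key log line with dummy hex; a real one comes from SSLKEYLOGFILE.
SAMPLE_KEYLOG = ("CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48 + "\n").encode("ascii")

if __name__ == "__main__":
    capture = section_header() + interface_description()      # empty capture, no packets
    with_keys = inject_secrets(capture, SECRETS_TLS_KEYLOG, SAMPLE_KEYLOG)
    with open("with_secrets.pcapng", "wb") as f:
        f.write(with_keys)
    print([hex(t) for t in block_types(with_keys)])
```

Two points worth keeping in mind when sharing such a file: the secrets travel with the capture, so anyone who receives it can decrypt every session the key log covers, and classic `.pcap` files have no block structure at all, which is why the decrypted samples above are all pcapng.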
The WLAN Networks tool has been refreshed in CloudShark 3.10.0 to recognize WPA3 and mixed WPA2/WPA3 security.
WPA3 is the next generation of Wi-Fi Protected Access, the security technology used in Wi-Fi connections. WPA3 adds new features to simplify Wi-Fi security, enable more robust authentication, and deliver increased cryptographic strength: WPA3-Personal replaces the WPA2 pre-shared-key exchange with Simultaneous Authentication of Equals (SAE), which resists offline dictionary attacks on a captured handshake, and WPA3-Enterprise adds an optional 192-bit security mode.
Description: WPA2/WPA3-Enterprise capture from PassPort automated test solution and OpenWRT.
Description: WPA3-Personal capture from PassPort automated test solution and OpenWRT.
Description: WPA3-Enterprise capture from PassPort automated test solution and OpenWRT.