Heartbleed bug
The Heartbeat protocol (RFC6520) runs on top of the Record layer protocol (the Record layer protocol is defined in SSL).
The Heartbleed bug (CVE-2014-0160) exists in selected OpenSSL versions (1.0.1 to 1.0.1f) that implement the Heartbeat protocol.
This bug is a serious vulnerability that allows attackers to read larger portions of memory (including private keys and passwords) during Heartbeat response.
The Heartbleed Wireshark filter
The Heartbeat protocol runs on top of the Record layer identified as record type (24) in SSL/TLS. In Wireshark, a display filter ssl.record.content_type == 24
can be used to show the HeartBeat message. Heartbeat messages are Heartbeat Request and HeartBeat Response.
Heartbleed Wireshark analysis
Open the heartbleed.pcap
packet capture file in Wireshark and set the display filter to ssl.record.content_type == 24
.
Wireshark will display only encrypted heartbeat messages. The first one is the Heartbeat Request message. In this message, the length (ssl...