Wireshark Frame Analysis
Frame 3541: Packet, 574 bytes on wire (4592 bits), 574 bytes captured (4592 bits) on interface \Device\NPF_{6867C2D8-186B-452B-9245-EFF2EE94D58D}, id 0
Section number: 1
Interface id: 0 (\Device\NPF_{6867C2D8-186B-452B-9245-EFF2EE94D58D})
Interface name: \Device\NPF_{6867C2D8-186B-452B-9245-EFF2EE94D58D}
Interface description: Wi-Fi
Encapsulation type: Ethernet (1)
Arrival Time: Feb 26, 2026 20:26:04.746976000 Hora estándar romance
UTC Arrival Time: Feb 26, 2026 19:26:04.746976000 UTC
Epoch Arrival Time: 1772133964.746976000
[Time shift for this packet: 0.000000000 seconds]
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 29.816276000 seconds]
Frame Number: 3541
Frame Length: 574 bytes (4592 bits)
Capture Length: 574 bytes (4592 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame […]: eth:ethertype:ip:tcp:tls:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat:x509ce:x509ce:x509ce:x509ce:pkix1explicit:x509ce:x509ce:x509ce:pkix1implicit:x509ce:tls:x509sat:x509sat:x509sat:x509sat:x509]
Character encoding: ASCII (0)
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: zte_0c:f8:0b (2c:70:4f:0c:f8:0b), Dst: Intel_2d:65:59 (94:e6:f7:2d:65:59)
Destination: Intel_2d:65:59 (94:e6:f7:2d:65:59)
… ..0. … … … … = LG bit: Globally unique address (factory default)
… …0 … … … … = IG bit: Individual address (unicast)
Source: zte_0c:f8:0b (2c:70:4f:0c:f8:0b)
… ..0. … … … … = LG bit: Globally unique address (factory default)
… …0 … … … … = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
[Stream index: 0]
Internet Protocol Version 4, Src: m.stripe.com (54.191.222.115), Dst: 192.168.1.130 (192.168.1.130)
0100 … = Version: 4
… 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
… ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 560
Identification: 0x5992 (22930)
010. … = Flags: 0x2, Don’t fragment
0… … = Reserved bit: Not set
.1.. … = Don’t fragment: Set
..0. … = More fragments: Not set
…0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 236
Protocol: TCP (6)
Header Checksum: 0x5bd8 [validation disabled]
[Header checksum status: Unverified]
Source Address: m.stripe.com (54.191.222.115)
Destination Address: 192.168.1.130 (192.168.1.130)
[Stream index: 35]
Transmission Control Protocol, Src Port: https (443), Dst Port: 54197 (54197), Seq: 2881, Ack: 1787, Len: 520
Source Port: https (443)
Destination Port: 54197 (54197)
[Stream index: 18]
[Stream Packet Number: 8]
[Conversation completeness: Incomplete, DATA (15)]
..0. … = RST: Absent
…0 … = FIN: Absent
… 1… = Data: Present
… .1.. = ACK: Present
… ..1. = SYN-ACK: Present
… …1 = SYN: Present
[Completeness Flags: ··DASS]
[TCP Segment Len: 520]
Sequence Number: 2881 (relative sequence number)
Sequence Number (raw): 821917545
[Next Sequence Number: 3401 (relative sequence number)]
Acknowledgment Number: 1787 (relative ack number)
Acknowledgment number (raw): 4239628057
0101 … = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
000. … … = Reserved: Not set
…0 … … = Accurate ECN: Not set
… 0… … = Congestion Window Reduced: Not set
… .0.. … = ECN-Echo: Not set
… ..0. … = Urgent: Not set
… …1 … = Acknowledgment: Set
… … 1… = Push: Set
… … .0.. = Reset: Not set
… … ..0. = Syn: Not set
… … …0 = Fin: Not set
[TCP Flags: ·······AP···]
Window: 31944
[Calculated window size: 31944]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x2536 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[Time since first frame in this TCP stream: 387.202000 milliseconds]
[Time since previous frame in this TCP stream: 0.000000000 seconds]
[SEQ/ACK analysis]
[iRTT: 185.640000 milliseconds]
[Bytes in flight: 3400]
[Bytes sent since last PSH flag: 3400]
[Client Contiguous Streams: 1]
[Server Contiguous Streams: 1]
TCP payload (520 bytes)
TCP segment data (206 bytes)
[3 Reassembled TCP Segments (3003 bytes): #3539(1357), #3540(1440), #3541(206)]
[Frame: 3539, payload: 0-1356 (1357 bytes)]
[Frame: 3540, payload: 1357-2796 (1440 bytes)]
[Frame: 3541, payload: 2797-3002 (206 bytes)]
[Segment count: 3]
[Reassembled TCP length: 3003]
[Reassembled TCP Data […]: 1603030bb60b000bb2000baf0006dd308206d9308205c1a003020102021006a8ca7b40e3c0f0f9092dfb0cc9bfc2300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e633133303106035]
Transport Layer Security
[Stream index: 18]
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 2998
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 2994
Certificates Length: 2991
Certificates (2991 bytes)
Certificate Length: 1757
Certificate […]: 308206d9308205c1a003020102021006a8ca7b40e3c0f0f9092dfb0cc9bfc2300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c
signedCertificate
version: v3 (2)
serialNumber: 0x06a8ca7b40e3c0f0f9092dfb0cc9bfc2
signature (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 3 items (id-at-commonName=DigiCert Global G2 TLS RSA SHA256 2020 CA1,id-at-organizationName=DigiCert Inc,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Object Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-organizationName=DigiCert Inc)
RelativeDistinguishedName item (id-at-organizationName=DigiCert Inc)
Object Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: DigiCert Inc
RDNSequence item: 1 item (id-at-commonName=DigiCert Global G2 TLS RSA SHA256 2020 CA1)
RelativeDistinguishedName item (id-at-commonName=DigiCert Global G2 TLS RSA SHA256 2020 CA1)
Object Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: DigiCert Global G2 TLS RSA SHA256 2020 CA1
validity
notBefore: utcTime (0)
utcTime: 2026-01-23 00:00:00 (UTC)
notAfter: utcTime (0)
utcTime: 2026-05-07 23:59:59 (UTC)
subject: rdnSequence (0)
rdnSequence: 5 items (id-at-commonName=m.stripe.com,id-at-organizationName=Stripe, Inc,id-at-localityName=South San Francisco,id-at-stateOrProvinceName=California,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Object Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-stateOrProvinceName=California)
RelativeDistinguishedName item (id-at-stateOrProvinceName=California)
Object Id: 2.5.4.8 (id-at-stateOrProvinceName)
DirectoryString: printableString (1)
printableString: California
RDNSequence item: 1 item (id-at-localityName=South San Francisco)
RelativeDistinguishedName item (id-at-localityName=South San Francisco)
Object Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: South San Francisco
RDNSequence item: 1 item (id-at-organizationName=Stripe, Inc)
RelativeDistinguishedName item (id-at-organizationName=Stripe, Inc)
Object Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Stripe, Inc
RDNSequence item: 1 item (id-at-commonName=m.stripe.com)
RelativeDistinguishedName item (id-at-commonName=m.stripe.com)
Object Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: m.stripe.com
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey […]: 3082010a0282010100de844eb9d3d33b6ae8d0d9343d1577e3b130eac703bc2c9ad3f74b852804e35ff08d5a97f4fe87740b2b7720bf5db0429239aac23c49ac7f2987691e840259fc93dc899641be1c454dc9935f6f0cbe6e921f0d05e8e3056076a5917ae3fa18e285370
RSA Public Key
modulus: 0x00de844eb9d3d33b6ae8d0d9343d1577e3b130eac703bc2c9ad3f74b852804e35ff08d5a…
publicExponent: 65537
extensions: 10 items
Extension (id-ce-authorityKeyIdentifier)
Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
AuthorityKeyIdentifier
keyIdentifier: 748580c066c7df37decfbd2937aa031dbeedcd17
Extension (id-ce-subjectKeyIdentifier)
Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
SubjectKeyIdentifier: 8b2dbf47c3fe1a7265cf96f857142ad7eeca3c0f
Extension (id-ce-subjectAltName)
Extension Id: 2.5.29.17 (id-ce-subjectAltName)
GeneralNames: 1 item
GeneralName: dNSName (2)
dNSName: m.stripe.com
Extension (id-ce-certificatePolicies)
Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
CertificatePoliciesSyntax: 1 item
PolicyInformation
policyIdentifier: 2.23.140.1.2.2 (joint-iso-itu-t.23.140.1.2.2)
policyQualifiers: 1 item
PolicyQualifierInfo
Id: 1.3.6.1.5.5.7.2.1 (id-qt-cps)
DirectoryString: http://www.digicert.com/CPS
Extension (id-ce-keyUsage)
Extension Id: 2.5.29.15 (id-ce-keyUsage)
critical: True
Padding: 5
KeyUsage: a0
1… … = digitalSignature: True
.0.. … = contentCommitment: False
..1. … = keyEncipherment: True
…0 … = dataEncipherment: False
… 0… = keyAgreement: False
… .0.. = keyCertSign: False
… ..0. = cRLSign: False
… …0 = encipherOnly: False
0… … = decipherOnly: False
Extension (id-ce-extKeyUsage)
Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
KeyPurposeIDs: 2 items
KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
Extension (id-ce-cRLDistributionPoints)
Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
CRLDistPointsSyntax: 2 items
DistributionPoint
distributionPoint: fullName (0)
fullName: 1 item
GeneralName: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
DistributionPoint
distributionPoint: fullName (0)
fullName: 1 item
GeneralName: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
Extension (id-pe-authorityInfoAccess)
Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess)
AuthorityInfoAccessSyntax: 2 items
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
accessLocation: 6
uniformResourceIdentifier: http://ocsp.digicert.com
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
accessLocation: 6
uniformResourceIdentifier: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
Extension (id-ce-basicConstraints)
Extension Id: 2.5.29.19 (id-ce-basicConstraints)
critical: True
BasicConstraintsSyntax [0 length]
Extension (SignedCertificateTimestampList)
Extension Id: 1.3.6.1.4.1.11129.2.4.2 (SignedCertificateTimestampList)
Serialized SCT List Length: 359
Signed Certificate Timestamp (Google ‘Argon2026h1’ log)
Serialized SCT Length: 119
SCT Version: 0
Log ID: 0e5794bcf3aea93e331b2c9907b3f790df9bc23d713225dd21a925ac61c54e21
Timestamp: Jan 23, 2026 11:36:35.923000000 UTC
Extensions length: 0
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 72
Signature: 3046022100df1eccf0a4774bc231aca2af503087bdd2be009d61a4eb307b757f3a440ddfd70221009896c7bed43fbfa9dda7c21ab47d699a3872cb601b2af4b46b31ad9f82722dd9
Signed Certificate Timestamp (Sectigo ‘Tiger2026h1’)
Serialized SCT Length: 117
SCT Version: 0
Log ID: 16832dabf0a9250f0ff03aa545ffc8bfc823d0874bf6042927f8e71f3313f5fa
Timestamp: Jan 23, 2026 11:36:35.920000000 UTC
Extensions length: 0
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 70
Signature: 3044022074457f606111376cc7334670e162e1ec90132c371fdac0e3aea505539d85716e02206760b81b08753a0b4e546ee9586f864e6bd1af89c8d05cfe3015597b8f12d0f6
Signed Certificate Timestamp (DigiCert ‘Wyvern2026h1’)
Serialized SCT Length: 117
SCT Version: 0
Log ID: 6411c46ca412eca7891ca2022e00bcab4f2807d41e3527abeafed503c97dcdf0
Timestamp: Jan 23, 2026 11:36:35.953000000 UTC
Extensions length: 0
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 70
Signature: 3044022016fe8df4490eaab464f5bd9a07c0f5e8d097686056de5ceac9dedd0e47599d2102203120d9569fde426b0e1d3f9996bcf3702f7c9021ee7d099b24477181f629b251
algorithmIdentifier (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
Padding: 0
encrypted […]: 8145e4988a390db2ae591d78b3024e6f135e28bb8d6ae86a4b541ec8352d0c9f518ba03d671957eff1b312a74cd4020d2defaeeda4d0d218bcea0098fc42e7e80a978a547610f20c2612dcedb0f675650d2bd7031f3b388c1c3803cd592743acb68e1ee52eca697da37813a7840cb9
Certificate Length: 1228
Certificate […]: 308204c8308203b0a00302010202100cf5bd062b5602f47ab8502c23ccf066300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f
signedCertificate
version: v3 (2)
serialNumber: 0x0cf5bd062b5602f47ab8502c23ccf066
signature (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 4 items (id-at-commonName=DigiCert Global Root G2,id-at-organizationalUnitName=www.digicert.com,id-at-organizationName=DigiCert Inc,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Object Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-organizationName=DigiCert Inc)
RelativeDistinguishedName item (id-at-organizationName=DigiCert Inc)
Object Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: DigiCert Inc
RDNSequence item: 1 item (id-at-organizationalUnitName=www.digicert.com)
RelativeDistinguishedName item (id-at-organizationalUnitName=www.digicert.com)
Object Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: www.digicert.com
RDNSequence item: 1 item (id-at-commonName=DigiCert Global Root G2)
RelativeDistinguishedName item (id-at-commonName=DigiCert Global Root G2)
Object Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: DigiCert Global Root G2
validity
notBefore: utcTime (0)
utcTime: 2021-03-30 00:00:00 (UTC)
notAfter: utcTime (0)
utcTime: 2031-03-29 23:59:59 (UTC)
subject: rdnSequence (0)
rdnSequence: 3 items (id-at-commonName=DigiCert Global G2 TLS RSA SHA256 2020 CA1,id-at-organizationName=DigiCert Inc,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Object Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-organizationName=DigiCert Inc)
RelativeDistinguishedName item (id-at-organizationName=DigiCert Inc)
Object Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: DigiCert Inc
RDNSequence item: 1 item (id-at-commonName=DigiCert Global G2 TLS RSA SHA256 2020 CA1)
RelativeDistinguishedName item (id-at-commonName=DigiCert Global G2 TLS RSA SHA256 2020 CA1)
Object Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: DigiCert Global G2 TLS RSA SHA256 2020 CA1
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey […]: 3082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d99
RSA Public Key
modulus: 0x00ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf2604115…
publicExponent: 65537
extensions: 8 items
Extension (id-ce-basicConstraints)
Extension Id: 2.5.29.19 (id-ce-basicConstraints)
critical: True
BasicConstraintsSyntax
cA: True
pathLenConstraint: 0
Extension (id-ce-subjectKeyIdentifier)
Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
SubjectKeyIdentifier: 748580c066c7df37decfbd2937aa031dbeedcd17
Extension (id-ce-authorityKeyIdentifier)
Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
AuthorityKeyIdentifier
keyIdentifier: 4e2254201895e6e36ee60ffafab912ed06178f39
Extension (id-ce-keyUsage)
Extension Id: 2.5.29.15 (id-ce-keyUsage)
critical: True
Padding: 1
KeyUsage: 86
1… … = digitalSignature: True
.0.. … = contentCommitment: False
..0. … = keyEncipherment: False
…0 … = dataEncipherment: False
… 0… = keyAgreement: False
… .1.. = keyCertSign: True
… ..1. = cRLSign: True
… …0 = encipherOnly: False
0… … = decipherOnly: False
Extension (id-ce-extKeyUsage)
Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
KeyPurposeIDs: 2 items
KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
Extension (id-pe-authorityInfoAccess)
Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess)
AuthorityInfoAccessSyntax: 2 items
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
accessLocation: 6
uniformResourceIdentifier: http://ocsp.digicert.com
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
accessLocation: 6
uniformResourceIdentifier: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Extension (id-ce-cRLDistributionPoints)
Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
CRLDistPointsSyntax: 1 item
DistributionPoint
distributionPoint: fullName (0)
fullName: 1 item
GeneralName: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://crl3.digicert.com/DigiCertGlobalRootG2.crl
Extension (id-ce-certificatePolicies)
Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
CertificatePoliciesSyntax: 5 items
PolicyInformation
policyIdentifier: 2.16.840.1.114412.2.1 (US company arc.114412.2.1)
PolicyInformation
policyIdentifier: 2.23.140.1.1 (joint-iso-itu-t.23.140.1.1)
PolicyInformation
policyIdentifier: 2.23.140.1.2.1 (joint-iso-itu-t.23.140.1.2.1)
PolicyInformation
policyIdentifier: 2.23.140.1.2.2 (joint-iso-itu-t.23.140.1.2.2)
PolicyInformation
policyIdentifier: 2.23.140.1.2.3 (joint-iso-itu-t.23.140.1.2.3)
algorithmIdentifier (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
Padding: 0
encrypted […]: 90f170cb289769977c74fdc0fa267b53abadcd65fdba9c069c8ad75a4387ed4d4c565fadc1c5b505202e59d1ff4af5a02ad8b095adc92e4a3bd7a7f66f8829fc303f2484bbc3b77b93072caf876b7633ed005552b2599ee4b9d0f3dfe70ffeddf8c4b910728109045fcf979e2e3275
Transport Layer Security
[Stream index: 18]
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 300
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 296
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: x25519 (0x001d)
Pubkey Length: 32
Pubkey: 24c1f80756f310266d3b14c603ef9714510715c3669a05ac06cfc0e81e298f27
Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (4)
Signature Length: 256
Signature […]: 6b4b1e8cdd55814a6c8a4d808b68b778cb62df82a06407b8244bd818bcde8b61691d9827c242409cc9630176186ffd24884f11476411a3d31d1e4f86062dfab05ae18050297c4d9fc75cf97fd5d22adcbf71d01a54709c9a5ac891c7897df1253ce147fff7984ac12bf07552e0dc26
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
Layered (“onion”) reading of frame 3541: line-by-line explanation (Wireshark)
I will follow exactly the order and hierarchy you show (Frame → Ethernet → IPv4 → TCP → TLS → X.509). Where Wireshark prints […] or …, the bytes are truncated on screen; they are not missing from the actual packet.
1) Frame (capture metadata)
Frame 3541: Packet, 574 bytes on wire (4592 bits), 574 bytes captured (4592 bits) on interface \Device\NPF_{…}, id 0
This is packet number 3541. It measures 574 bytes both “on the wire” and as captured (no snaplen truncation). It was captured on an NPF interface (Npcap/WinPcap on Windows), internal id 0.
Section number: 1
pcapng files can contain several sections; this is section 1.
Interface id: 0 (\Device\NPF_{…})
Identifier of the interface within the pcapng file: 0.
Interface name: \Device\NPF_{…}
Device name in Windows/Npcap.
Interface description: Wi-Fi
Human-readable description: the capture comes from the Wi‑Fi interface.
Encapsulation type: Ethernet (1)
Even though it is Wi‑Fi, Windows/Npcap often delivers the capture as “virtualized” Ethernet II (without 802.11 headers).
Arrival Time: Feb 26, 2026 20:26:04.746976000 Hora estándar romance
Local system time (“Romance Standard Time” zone, typical of Spain).
UTC Arrival Time: Feb 26, 2026 19:26:04.746976000 UTC
The same timestamp converted to UTC.
Epoch Arrival Time: 1772133964.746976000
UNIX epoch timestamp (seconds since 1970) with micro/nanoseconds.
[Time shift for this packet: 0.000000000 seconds]
No manual time shift was applied.
[Time delta from previous captured frame: 0.000000000 seconds]
Depending on the capture's resolution/ordering, this frame has a delta of 0 relative to the previously captured one (this can happen because of timestamping or “simultaneous” arrival).
[Time delta from previous displayed frame: 0.000000000 seconds]
Same, but relative to the previously displayed frame (if filters are active).
[Time since reference or first frame: 29.816276000 seconds]
~29.8 s have elapsed since the reference frame (normally the first one).
Frame Number: 3541
Frame index.
Frame Length: 574 bytes (4592 bits)
Actual length at the link layer.
Capture Length: 574 bytes (4592 bits)
Length actually saved in the file: it matches, so the frame is complete.
[Frame is marked: False]
You have not manually “marked” it in Wireshark.
[Frame is ignored: False]
It is not ignored (a Wireshark feature).
[Protocols in frame […]: eth:ethertype:ip:tcp:tls:x509sat:…:x509]
List of dissectors Wireshark applied:
- Ethernet II → eth/ethertype
- IPv4 → ip
- TCP → tcp
- TLS 1.2 → tls
- ASN.1 sub‑dissectors for parts of the X.509 certificate → x509sat/x509ce/pkix1explicit/implicit (SAT=Subject/Attribute types, CE=certificate extensions, PKIX=PKI structures).
Cybersecurity: this “path” confirms that you are looking at a TLS handshake with certificates (critical metadata for validating identity/MitM).
Character encoding: ASCII (0)
Text decoding preference (irrelevant for binary TLS, but it affects how strings are displayed).
[Coloring Rule Name: TCP]
Coloring rule applied: TCP.
[Coloring Rule String: tcp]
Filter/rule that triggered the coloring.
2) Layer 2: Ethernet II
Ethernet II, Src: zte_0c:f8:0b (2c:70:4f:0c:f8:0b), Dst: Intel_2d:65:59 (94:e6:f7:2d:65:59)
Ethernet frame: the source MAC appears to belong to a ZTE device (probably the AP/router) and the destination is an Intel NIC (your Wi‑Fi client). This suggests inbound traffic to your machine from the AP.
Destination: Intel_2d:65:59 (94:e6:f7:2d:65:59)
Destination MAC, with the OUI resolved to Intel (heuristic based on the vendor database).
… ..0. … … … … = LG bit: Globally unique address (factory default)
U/L (Local/Global) bit: 0 ⇒ global address (not locally administered).
… …0 … … … … = IG bit: Individual address (unicast)
I/G bit: 0 ⇒ unicast (not multicast/broadcast).
Source: zte_0c:f8:0b (2c:70:4f:0c:f8:0b)
Source MAC, resolved to ZTE.
… ..0. … … … … = LG bit: Globally unique address (factory default)
Also global.
… …0 … … … … = IG bit: Individual address (unicast)
Also unicast.
Type: IPv4 (0x0800)
EtherType 0x0800 ⇒ the payload is IPv4.
[Stream index: 0]
Wireshark's internal index for the “stream/conversation” at this level (not the TCP stream).
3) Layer 3: IPv4
Internet Protocol Version 4, Src: m.stripe.com (54.191.222.115), Dst: 192.168.1.130 (192.168.1.130)
IPv4 packet from a host that resolves as m.stripe.com to your private IP 192.168.1.130. Cybersecurity: sensitive metadata: it reveals that your client is communicating with Stripe (even though the content is encrypted).
0100 … = Version: 4
IP version = 4.
… 0101 = Header Length: 20 bytes (5)
IHL=5 ⇒ minimum IPv4 header (20 bytes), no options.
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
DSCP/ECN field is 0: no special QoS; ECN not used.
0000 00.. = Differentiated Services Codepoint: Default (0)
DSCP=0 (Best Effort).
… ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
ECN=00: no ECN.
Total Length: 560
Total IP length (header + data): 560 bytes.
Identification: 0x5992 (22930)
Fragmentation ID (used for reassembly if there were fragments).
010. … = Flags: 0x2, Don’t fragment
IP flags: DF=1 (do not fragment).
0… … = Reserved bit: Not set
Reserved bit = 0.
.1.. … = Don’t fragment: Set
DF set.
..0. … = More fragments: Not set
MF=0: no more fragments.
…0 0000 0000 0000 = Fragment Offset: 0
Offset 0: no fragmentation.
Time to Live: 236
TTL=236. If the typical initial value were 255, this would imply ~19 hops (255-236). It is not proof, but it gives a hint about distance/network.
Protocol: TCP (6)
Layer 4 protocol: TCP.
Header Checksum: 0x5bd8 [validation disabled]
IPv4 checksum shown, but Wireshark does not validate it (option disabled).
[Header checksum status: Unverified]
Not verified; this does not imply it is wrong.
Source Address: m.stripe.com (54.191.222.115)
Source IP, with reverse-DNS/heuristic resolution to that name.
Destination Address: 192.168.1.130 (192.168.1.130)
Destination IP.
[Stream index: 35]
Stream/conversation index at the IP level (internal to Wireshark).
4) Layer 4: TCP
• Transmission Control Protocol, Src Port: https (443), Dst Port: 54197 (54197), Seq: 2881, Ack: 1787, Len: 520
TCP segment from port 443 (HTTPS server) to ephemeral port 54197 (client). Len: 520 is the TCP payload in this segment. Seq/Ack are relative numbers (see the following lines). Cybersecurity: this is typical TLS traffic; the content is encrypted after the handshake.
• Source Port: https (443)
Source port 443.
• Destination Port: 54197 (54197)
Ephemeral destination port of the client.
• [Stream index: 18]
This is TCP stream (conversation) #18 in Wireshark.
• [Stream Packet Number: 8]
This is packet #8 within that TCP stream.
• [Conversation completeness: Incomplete, DATA (15)]
Wireshark considers the conversation incomplete (it did not see the whole start/end). DATA (15) is an internal state summary.
• ..0. … = RST: Absent
In what was observed of the stream, there is no reset.
• …0 … = FIN: Absent
No FIN close was seen.
• … 1… = Data: Present
Data (payload) is present in the stream.
• … .1.. = ACK: Present
ACKs were observed.
• … ..1. = SYN-ACK: Present
The SYN-ACK was observed in the stream (in some packet, not necessarily this one).
• … …1 = SYN: Present
The SYN (connection start) was observed.
• [Completeness Flags: ··DASS]
Compact summary: Data, ACK, SYN, SYN‑ACK seen.
• [TCP Segment Len: 520]
TCP data length in this segment: 520 bytes.
• Sequence Number: 2881 (relative sequence number)
Relative sequence number: 2881 (Wireshark normalizes it relative to the first seq seen).
• Sequence Number (raw): 821917545
Actual (32-bit) sequence number in the packet.
• [Next Sequence Number: 3401 (relative sequence number)]
Next expected relative seq: 2881 + 520 = 3401.
• Acknowledgment Number: 1787 (relative ack number)
Relative ACK: acknowledges up to byte 1786 of the other direction.
• Acknowledgment number (raw): 4239628057
Actual ACK (32 bits).
• 0101 … = Header Length: 20 bytes (5)
Minimum TCP header (20 bytes), no options.
• Flags: 0x018 (PSH, ACK)
Flags: PSH and ACK set.
• 000. … … = Reserved: Not set
Reserved bits are 0.
• …0 … … = Accurate ECN: Not set
AccECN not used.
• … 0… … = Congestion Window Reduced: Not set
CWR=0.
• … .0.. … = ECN-Echo: Not set
ECE=0.
• … ..0. … = Urgent: Not set
URG=0.
• … …1 … = Acknowledgment: Set
ACK=1.
• … … 1… = Push: Set
PSH=1 (suggests “pushing” data to the application without waiting on buffers; in practice it is common in TLS).
• … … .0.. = Reset: Not set
RST=0.
• … … ..0. = Syn: Not set
SYN=0 (not a connection-establishment packet).
• … … …0 = Fin: Not set
FIN=0.
• [TCP Flags: ·······AP···]
Graphical summary: ACK and PSH set.
• Window: 31944
Advertised window: 31944 bytes (flow control).
• [Calculated window size: 31944]
Same, after applying the scaling factor (if there were one).
• [Window size scaling factor: -2 (no window scaling used)]
TCP Window Scaling is not in use (or was not negotiated/observed).
• Checksum: 0x2536 [unverified]
TCP checksum present but not verified (very common because of NIC offloading).
• [Checksum Status: Unverified]
Status: not verified.
• Urgent Pointer: 0
Urgent pointer is 0 (because URG=0).
• [Timestamps]
Section of times calculated by Wireshark.
• [Time since first frame in this TCP stream: 387.202000 milliseconds]
This packet arrives ~387 ms after the first frame seen in this stream.
• [Time since previous frame in this TCP stream: 0.000000000 seconds]
Delta relative to the previous packet of the same stream: 0 (it may be the same timestamp or very close).
• [SEQ/ACK analysis]
Sequence/ACK analysis.
• [iRTT: 185.640000 milliseconds]
Estimated initial RTT: ~185.64 ms.
• [Bytes in flight: 3400]
Bytes sent and not yet acknowledged (in flight) in that direction, according to what was seen.
• [Bytes sent since last PSH flag: 3400]
Bytes sent since the last segment with PSH (internal metric).
• [Client Contiguous Streams: 1]
Wireshark detects 1 contiguous block of data on the client side (heuristic).
• [Server Contiguous Streams: 1]
Same for the server side.
• TCP payload (520 bytes)
There are 520 bytes of TCP data in this frame.
• TCP segment data (206 bytes)
Important: of those 520, 206 bytes are the ones Wireshark uses to complete a reassembled PDU (see the next block). The remaining 314 belong to other complete TLS records that come afterwards.
5) TCP reassembly (above TCP)
• [3 Reassembled TCP Segments (3003 bytes): #3539(1357), #3540(1440), #3541(206)]
An upper-layer message (here TLS) occupies 3003 bytes and was split across 3 TCP segments:
• frame 3539 contributes 1357
• frame 3540 contributes 1440
• frame 3541 contributes 206 (the 206 from before)
• [Frame: 3539, payload: 0-1356 (1357 bytes)]
Byte range within the reassembled PDU that comes from frame 3539.
• [Frame: 3540, payload: 1357-2796 (1440 bytes)]
Range contributed by frame 3540.
• [Frame: 3541, payload: 2797-3002 (206 bytes)]
Final range contributed by this frame.
• [Segment count: 3]
Total segments: 3.
• [Reassembled TCP length: 3003]
Length of the reassembled PDU: 3003 bytes.
• [Reassembled TCP Data […]: 1603030bb60b000bb2000baf0006dd30…]
Reassembled bytes (hex). It starts with 16 03 03, which is typical of a TLS record:
• 16 = Handshake
• 03 03 = TLS 1.2
Cybersecurity: this confirms that what is being reassembled is a TLS record.
6) TLS, record 1: Certificate
• Transport Layer Security
Wireshark now dissects the TLS layer.
• [Stream index: 18]
TLS runs inside TCP stream 18.
• TLSv1.2 Record Layer: Handshake Protocol: Certificate
It is a TLS record, version 1.2, containing a “Certificate” handshake message.
• Content Type: Handshake (22)
TLS content type: 22 (handshake).
• Version: TLS 1.2 (0x0303)
Version indicated in the record: 0x0303.
• Length: 2998
Length of the TLS fragment (not counting the 5 bytes of record header).
• Handshake Protocol: Certificate
Inside the record there is a certificate handshake message.
• Handshake Type: Certificate (11)
Type 11 = Certificate.
• Length: 2994
Length of the handshake message (“Certificate” structure), not counting its header.
• Certificates Length: 2991
Total length of the certificate block inside the message.
• Certificates (2991 bytes)
The list of certificates (chain sent by the server).
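The length fields walked through in sections 4 to 6 can be cross-checked mechanically. The Python below is an added example (not part of the original analysis, and not Wireshark code): it decodes the first 19 bytes of the reassembled PDU shown in the dissection and verifies that the TCP segment, TLS record, handshake, certificate-list and DER lengths reported for this frame agree with each other. The function names are this example's own, and it assumes the record carries exactly one handshake message, as it does in this capture.

```python
import struct

RECORD_HDR = 5      # content type (1) + version (2) + length (2)
HANDSHAKE_HDR = 4   # handshake type (1) + 24-bit length (3)
LEN24 = 3           # 24-bit length prefix of the certificate list and of each entry
DER_HDR = 4         # 0x30 0x82 + two length bytes (long-form SEQUENCE header)

# First 19 bytes of the reassembled PDU, copied from the
# "Reassembled TCP Data" line of the dissection on this page.
REASSEMBLED_PREFIX = bytes.fromhex("1603030bb60b000bb2000baf0006dd308206d9")

# Values read from the dissection on this page.
SEGMENTS = [1357, 1440, 206]      # frames 3539, 3540, 3541
CERT_LENS = [1757, 1228]          # "Certificate Length" of each chain entry
TCP_PAYLOAD_LEN = 520             # TCP payload of frame 3541
LATER_RECORD_LENS = [300, 4]      # Server Key Exchange, Server Hello Done


def parse_certificate_prefix(data: bytes) -> dict:
    """Decode the nested length fields that open a TLS 1.2 Certificate record."""
    if len(data) < 19:
        raise ValueError("need at least 19 bytes of the record")
    content_type, version, record_len = struct.unpack("!BHH", data[:5])
    if content_type != 22:
        raise ValueError(f"not a handshake record (content type {content_type})")
    if data[5] != 11:
        raise ValueError(f"not a Certificate message (handshake type {data[5]})")
    if data[15:17] != b"\x30\x82":
        raise ValueError("certificate does not start with a long-form DER SEQUENCE")
    return {
        "version": version,
        "record_len": record_len,
        "handshake_len": int.from_bytes(data[6:9], "big"),
        "certs_len": int.from_bytes(data[9:12], "big"),
        "first_cert_len": int.from_bytes(data[12:15], "big"),
        "der_body_len": int.from_bytes(data[17:19], "big"),
    }


def check_lengths(f, segments, cert_lens, tcp_payload_len, later_record_lens):
    """Return the list of length inconsistencies; an empty list means coherent."""
    problems = []
    if sum(segments) != RECORD_HDR + f["record_len"]:
        problems.append("TCP segments do not add up to header + record length")
    if f["handshake_len"] + HANDSHAKE_HDR != f["record_len"]:
        problems.append("handshake message does not fill the record")
    if f["certs_len"] + LEN24 != f["handshake_len"]:
        problems.append("certificate list does not fill the handshake message")
    if sum(LEN24 + n for n in cert_lens) != f["certs_len"]:
        problems.append("certificate entries do not add up to the list length")
    if cert_lens[0] != f["first_cert_len"]:
        problems.append("first certificate length differs from the decoded one")
    if f["der_body_len"] + DER_HDR != f["first_cert_len"]:
        problems.append("DER SEQUENCE length disagrees with the TLS length prefix")
    # The last segment's tail plus the complete records after it must fill
    # the TCP payload of the final frame (206 + 305 + 9 = 520 here).
    tail = segments[-1]
    if tail + sum(RECORD_HDR + n for n in later_record_lens) != tcp_payload_len:
        problems.append("final frame payload is not tail + following records")
    return problems


if __name__ == "__main__":
    fields = parse_certificate_prefix(REASSEMBLED_PREFIX)
    for name, value in fields.items():
        print(f"{name:15} {value}")
    issues = check_lengths(fields, SEGMENTS, CERT_LENS,
                           TCP_PAYLOAD_LEN, LATER_RECORD_LENS)
    print("consistent" if not issues else "\n".join(issues))
```

A mismatch in any of these relations in another capture points to truncation, a handshake message fragmented across several records, or a dissection that started mid-stream.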
7) X.509 --- Certificate 1 (leaf / server)
• Certificate Length: 1757
First certificate in the list: 1757 bytes (normally the leaf for m.stripe.com).
• Certificate […]: 308206d9308205c1a003020102021006a8…
Certificate in DER (hex). 30 82 … indicates an ASN.1 SEQUENCE; Wireshark shows it truncated.
• signedCertificate
“tbsCertificate” part + signature (main structure).
• version: v3 (2)
X.509 version 3.
• serialNumber: 0x06a8ca7b40e3c0f0f9092dfb0cc9bfc2
Unique serial number of the certificate.
• signature (sha256WithRSAEncryption)
Signature algorithm of the cert: SHA‑256 with RSA.
• Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
OID corresponding to that algorithm.
Issuer (who issued it)
• issuer: rdnSequence (0)
The issuer is encoded as an RDN sequence (DN).
• rdnSequence: 3 items (id-at-commonName=… , id-at-organizationName=… , id-at-countryName=US)
The issuer's DN has 3 attributes: CN, O, C.
• RDNSequence item: 1 item (id-at-countryName=US)
First RDN: country.
• RelativeDistinguishedName item (id-at-countryName=US)
The specific RDN entry.
• Object Id: 2.5.4.6 (id-at-countryName)
OID of the “C” attribute.
• CountryName: US
Value: US.
• RDNSequence item: 1 item (id-at-organizationName=DigiCert Inc)
Second RDN: organization.
• RelativeDistinguishedName item (id-at-organizationName=DigiCert Inc)
Entry.
• Object Id: 2.5.4.10 (id-at-organizationName)
OID of “O”.
• DirectoryString: printableString (1)
ASN.1 type of the string (PrintableString).
• printableString: DigiCert Inc
Value.
• RDNSequence item: 1 item (id-at-commonName=DigiCert Global G2 TLS RSA SHA256 2020 CA1)
Third RDN: Common Name of the issuer (the intermediate CA).
• RelativeDistinguishedName item (id-at-commonName=…)
Entry.
• Object Id: 2.5.4.3 (id-at-commonName)
OID of “CN”.
• DirectoryString: printableString (1)
String type.
• printableString: DigiCert Global G2 TLS RSA SHA256 2020 CA1
CN value of the issuer.
Validity period
• validity
Validity window.
• notBefore: utcTime (0)
Start, in UTCTime format.
• utcTime: 2026-01-23 00:00:00 (UTC)
Valid from that date/time.
• notAfter: utcTime (0)
End of validity.
• utcTime: 2026-05-07 23:59:59 (UTC)
Valid until. Cybersecurity: short-lived certs reduce exposure if a key is compromised.
Subject (whom it identifies)
• subject: rdnSequence (0)
DN of the subject.
• rdnSequence: 5 items (id-at-commonName=m.stripe.com, id-at-organizationName=Stripe, Inc, id-at-localityName=…, id-at-stateOrProvinceName=…, id-at-countryName=US)
Subject attributes: C, ST, L, O, CN.
• RDNSequence item: 1 item (id-at-countryName=US)
Country of the subject.
• RelativeDistinguishedName item (id-at-countryName=US)
Entry.
• Object Id: 2.5.4.6 (id-at-countryName)
OID of C.
• CountryName: US
Value.
• RDNSequence item: 1 item (id-at-stateOrProvinceName=California)
State/province.
• RelativeDistinguishedName item (id-at-stateOrProvinceName=California)
Entry.
• Object Id: 2.5.4.8 (id-at-stateOrProvinceName)
OID of ST.
• DirectoryString: printableString (1)
String type.
• printableString: California
Value.
• RDNSequence item: 1 item (id-at-localityName=South San Francisco)
Locality/city.
• RelativeDistinguishedName item (id-at-localityName=South San Francisco)
Entry.
• Object Id: 2.5.4.7 (id-at-localityName)
OID of L.
• DirectoryString: printableString (1)
Type.
• printableString: South San Francisco
Value.
• RDNSequence item: 1 item (id-at-organizationName=Stripe, Inc)
Organization.
• RelativeDistinguishedName item (id-at-organizationName=Stripe, Inc)
Entry.
• Object Id: 2.5.4.10 (id-at-organizationName)
OID of O.
• DirectoryString: printableString (1)
Type.
• printableString: Stripe, Inc
Value.
• RDNSequence item: 1 item (id-at-commonName=m.stripe.com)
CN of the subject.
• RelativeDistinguishedName item (id-at-commonName=m.stripe.com)
Entry.
• Object Id: 2.5.4.3 (id-at-commonName)
CN OID.
• DirectoryString: printableString (1)
Type.
• printableString: m.stripe.com
CN value.
Server public key
• subjectPublicKeyInfo
Section containing the algorithm and the public key.
• algorithm (rsaEncryption)
Key algorithm: RSA.
• Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
RSA OID.
• Padding: 0
In an ASN.1 BIT STRING, “unused bits” = 0 (alignment, not cryptographic “padding”).
• subjectPublicKey […]: 3082010a0282010100de844e…
The encoded public key (DER), truncated.
• RSA Public Key
Interpreted as RSA.
• modulus: 0x00de844e…
RSA modulus (n), truncated.
• publicExponent: 65537
Typical public exponent (F4).
Extensions (10)
• extensions: 10 items
List of X.509 extensions.
1) Authority Key Identifier
• Extension (id-ce-authorityKeyIdentifier) / Extension Id: 2.5.29.35
Identifies the key of the CA that signed this cert.
• AuthorityKeyIdentifier
Container.
• keyIdentifier: 748580c066c7df37decfbd2937aa031dbeedcd17
Fingerprint/ID of the issuing CA's key.
2) Subject Key Identifier
• Extension (id-ce-subjectKeyIdentifier) / Extension Id: 2.5.29.14
Identifier of the subject's own key.
• SubjectKeyIdentifier: 8b2dbf47c3fe1a7265cf96f857142ad7eeca3c0f
SKI of the leaf.
3) Subject Alternative Name (SAN)
• Extension (id-ce-subjectAltName) / Extension Id: 2.5.29.17
Valid alternative names (what is actually compared against SNI/host today).
• GeneralNames: 1 item
Only 1 entry.
• GeneralName: dNSName (2)
Type: DNS name.
• dNSName: m.stripe.com
Hostname covered. Cybersecurity: this is key to preventing MITM through a name mismatch.
4) Certificate Policies
• Extension (id-ce-certificatePolicies) / Extension Id: 2.5.29.32
Applicable policies.
• CertificatePoliciesSyntax: 1 item
One policy.
• PolicyInformation
Container.
• policyIdentifier: 2.23.140.1.2.2 (joint-iso-itu-t.23.140.1.2.2)
Policy OID (related to TLS certificates/validation).
• policyQualifiers: 1 item
One qualifier.
• PolicyQualifierInfo
Container.
• Id: 1.3.6.1.5.5.7.2.1 (id-qt-cps)
CPS (Certification Practice Statement) qualifier.
• DirectoryString: http://www.digicert.com/CPS
CPS URL (Wireshark shows it as a string). Note: it is http, not https (common for CPS/CRL).
5) Key Usage
• Extension (id-ce-keyUsage) / Extension Id: 2.5.29.15 (id-ce-keyUsage)
Permitted uses of the key.
• critical: True
It is critical: if the client does not understand it, it must reject the cert.
• Padding: 5
“unused bits” of the BIT STRING in this extension.
• KeyUsage: a0
Bitmask.
• 1… … = digitalSignature: True
Allows digital signatures (e.g., in TLS).
• .0.. … = contentCommitment: False
Does not allow nonRepudiation.
• ..1. … = keyEncipherment: True
Allows key encipherment/encapsulation (RSA key transport; ECDHE is used more today, but it is still common).
• …0 … = dataEncipherment: False
Not for encrypting raw data directly.
• … 0… = keyAgreement: False
Not for key agreement (it would be typical in ECDSA/ECDH certificates).
• … .0.. = keyCertSign: False
Cannot sign other certificates.
• … ..0. = cRLSign: False
Cannot sign CRLs.
• … …0 = encipherOnly: False
Not applicable.
• 0… … = decipherOnly: False
Not applicable.
6) Extended Key Usage (EKU)
• Extension (id-ce-extKeyUsage) / Extension Id: 2.5.29.37
Extended usages.
• KeyPurposeIDs: 2 items
Two purposes:
• KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
TLS server authentication.
• KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
TLS client authentication. Technical note: it does not always appear in server leafs; if it looks odd to you, it is a signal worth reviewing, but it does not imply malice by itself.
7) CRL Distribution Points
• Extension (id-ce-cRLDistributionPoints) / Extension Id: 2.5.29.31
Where to download CRLs (revocation).
• CRLDistPointsSyntax: 2 items
There are 2 points.
• DistributionPoint
Entry 1.
• distributionPoint: fullName (0)
It is a full name (not relative).
• fullName: 1 item
One name.
• GeneralName: uniformResourceIdentifier (6)
Type: URI.
• uniformResourceIdentifier: http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
CRL URL.
• DistributionPoint
Entry 2.
• distributionPoint: fullName (0)
Same.
• fullName: 1 item
One name.
• GeneralName: uniformResourceIdentifier (6)
URI.
• uniformResourceIdentifier: http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
Second CRL URL (redundancy).
8) Authority Information Access (AIA)
• Extension (id-pe-authorityInfoAccess) / Extension Id: 1.3.6.1.5.5.7.1.1
Methods for OCSP and for downloading the issuer.
• AuthorityInfoAccessSyntax: 2 items
Two descriptions:
• AccessDescription
1) OCSP
• accessMethod: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
OCSP method.
• accessLocation: 6
Here Wireshark shows you the ASN.1 type (6 usually corresponds to URI in GeneralName).
• uniformResourceIdentifier: http://ocsp.digicert.com
OCSP responder.
• AccessDescription
2) CA Issuers
• accessMethod: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
“caIssuers” method (download the issuer's cert).
• accessLocation: 6
URI type.
• uniformResourceIdentifier: http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
URL of the issuing CA's certificate.
9) Basic Constraints
• Extension (id-ce-basicConstraints) / Extension Id: 2.5.29.19
Indicates whether it is a CA.
• critical: True
Critical.
• BasicConstraintsSyntax [0 length]
Empty sequence ⇒ by default cA = FALSE. Cybersecurity: confirms that this cert is not a CA, it is a leaf.
10) SCT (Certificate Transparency)
• Extension (SignedCertificateTimestampList) / Extension Id: 1.3.6.1.4.1.11129.2.4.2
List of SCTs for Certificate Transparency.
• Serialized SCT List Length: 359
Total length of the list.
SCT 1 (Google Argon2026h1)
• Signed Certificate Timestamp (Google ‘Argon2026h1’ log)
SCT issued by that CT log.
• Serialized SCT Length: 119
SCT size.
• SCT Version: 0
Version v1.
• Log ID: 0e5794bc…
Log identifier.
• Timestamp: Jan 23, 2026 11:36:35.923000000 UTC
Time at which the log recorded the cert.
• Extensions length: 0
No SCT extensions.
• Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature algorithm of the SCT.
• Signature Hash Algorithm Hash: SHA256 (4)
SHA‑256 hash.
• Signature Hash Algorithm Signature: ECDSA (3)
ECDSA signature.
• Signature Length: 72
Signature length.
• Signature: 30460221…
DER signature (truncated).
SCT 2 (Sectigo Tiger2026h1)
• Signed Certificate Timestamp (Sectigo ‘Tiger2026h1’)
Second log.
• Serialized SCT Length: 117
• SCT Version: 0
• Log ID: 16832dab…
• Timestamp: Jan 23, 2026 11:36:35.920000000 UTC
• Extensions length: 0
• Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
• Signature Hash Algorithm Hash: SHA256 (4)
• Signature Hash Algorithm Signature: ECDSA (3)
• Signature Length: 70
• Signature: 30440220…
SCT 3 (DigiCert Wyvern2026h1)
• Signed Certificate Timestamp (DigiCert ‘Wyvern2026h1’)
• Serialized SCT Length: 117
• SCT Version: 0
• Log ID: 6411c46c…
• Timestamp: Jan 23, 2026 11:36:35.953000000 UTC
• Extensions length: 0
• Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
• Signature Hash Algorithm Hash: SHA256 (4)
• Signature Hash Algorithm Signature: ECDSA (3)
• Signature Length: 70
• Signature: 30440220…
Cybersecurity: CT helps detect/match fraudulent certificate issuance.
Certificate signature (final part)
• algorithmIdentifier (sha256WithRSAEncryption)
Algorithm used to sign this cert.
• Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
OID of the algorithm.
• Padding: 0
Unused bits/alignment in the encoding (not RSA “padding”).
• encrypted […]: 8145e4988a39…
The RSA signature of the certificate (bytes), truncated.
8) X.509 --- Certificate 2 (intermediate)
• Certificate Length: 1228
Second certificate: probably the intermediate CA.
• Certificate […]: 308204c8308203b0a00302010202100cf5…
DER hex, truncated.
• signedCertificate
Main structure.
• version: v3 (2)
X.509 v3.
• serialNumber: 0x0cf5bd062b5602f47ab8502c23ccf066
Serial of the intermediate.
• signature (sha256WithRSAEncryption)
Signed with SHA256+RSA.
• Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
OID.
Issuer of the intermediate (root)
• issuer: rdnSequence (0)
• rdnSequence: 4 items (id-at-commonName=DigiCert Global Root G2, id-at-organizationalUnitName=www.digicert.com, id-at-organizationName=DigiCert Inc, id-at-countryName=US)
DN of the root: C, O, OU, CN.
• RDNSequence item: 1 item (id-at-countryName=US)
• RelativeDistinguishedName item (id-at-countryName=US)
• Object Id: 2.5.4.6 (id-at-countryName)
• CountryName: US
• RDNSequence item: 1 item (id-at-organizationName=DigiCert Inc)
• RelativeDistinguishedName item (id-at-organizationName=DigiCert Inc)
• Object Id: 2.5.4.10 (id-at-organizationName)
• DirectoryString: printableString (1)
• printableString: DigiCert Inc
• RDNSequence item: 1 item (id-at-organizationalUnitName=www.digicert.com)
• RelativeDistinguishedName item (id-at-organizationalUnitName=www.digicert.com)
• Object Id: 2.5.4.11 (id-at-organizationalUnitName)
• DirectoryString: printableString (1)
• printableString: www.digicert.com
• RDNSequence item: 1 item (id-at-commonName=DigiCert Global Root G2)
• RelativeDistinguishedName item (id-at-commonName=DigiCert Global Root G2)
• Object Id: 2.5.4.3 (id-at-commonName)
• DirectoryString: printableString (1)
• printableString: DigiCert Global Root G2
Validity of the intermediate
• validity
• notBefore: utcTime (0)
• utcTime: 2021-03-30 00:00:00 (UTC)
• notAfter: utcTime (0)
• utcTime: 2031-03-29 23:59:59 (UTC)
Subject of the intermediate
• subject: rdnSequence (0)
• rdnSequence: 3 items (id-at-commonName=DigiCert Global G2 TLS RSA SHA256 2020 CA1, id-at-organizationName=DigiCert Inc, id-at-countryName=US)
Identifies the intermediate CA.
• RDNSequence item: 1 item (id-at-countryName=US)
• RelativeDistinguishedName item (id-at-countryName=US)
• Object Id: 2.5.4.6 (id-at-countryName)
• CountryName: US
• RDNSequence item: 1 item (id-at-organizationName=DigiCert Inc)
• RelativeDistinguishedName item (id-at-organizationName=DigiCert Inc)
• Object Id: 2.5.4.10 (id-at-organizationName)
• DirectoryString: printableString (1)
• printableString: DigiCert Inc
• RDNSequence item: 1 item (id-at-commonName=DigiCert Global G2 TLS RSA SHA256 2020 CA1)
• RelativeDistinguishedName item (id-at-commonName=DigiCert Global G2 TLS RSA SHA256 2020 CA1)
• Object Id: 2.5.4.3 (id-at-commonName)
• DirectoryString: printableString (1)
• printableString: DigiCert Global G2 TLS RSA SHA256 2020 CA1
Public key of the intermediate
• subjectPublicKeyInfo
• algorithm (rsaEncryption)
• Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
• Padding: 0
• subjectPublicKey […]: 3082010a0282010100ccf710…
• RSA Public Key
• modulus: 0x00ccf710…
• publicExponent: 65537
Extensions (8) of the intermediate
• extensions: 8 items
1) Basic Constraints
• Extension (id-ce-basicConstraints)
• Extension Id: 2.5.29.19 (id-ce-basicConstraints)
• critical: True
• BasicConstraintsSyntax
• cA: True
It is a CA.
• pathLenConstraint: 0
Cannot issue other intermediate CAs below it (only leafs).
2) Subject Key Identifier
• Extension (id-ce-subjectKeyIdentifier)
• Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
• SubjectKeyIdentifier: 748580c066c7df37decfbd2937aa031dbeedcd17
3) Authority Key Identifier
• Extension (id-ce-authorityKeyIdentifier)
• Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
• AuthorityKeyIdentifier
• keyIdentifier: 4e2254201895e6e36ee60ffafab912ed06178f39
4) Key Usage
• Extension (id-ce-keyUsage)
• Extension Id: 2.5.29.15 (id-ce-keyUsage)
• critical: True
• Padding: 1
• KeyUsage: 86
• 1… … = digitalSignature: True
• .0.. … = contentCommitment: False
• ..0. … = keyEncipherment: False
• …0 … = dataEncipherment: False
• … 0… = keyAgreement: False
• … .1.. = keyCertSign: True
Can sign certificates.
• … ..1. = cRLSign: True
Can sign CRLs.
• … …0 = encipherOnly: False
• 0… … = decipherOnly: False
5) Extended Key Usage
• Extension (id-ce-extKeyUsage)
• Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
• KeyPurposeIDs: 2 items
• KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
• KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
6) AIA
• Extension (id-pe-authorityInfoAccess)
• Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess)
• AuthorityInfoAccessSyntax: 2 items
• AccessDescription
• accessMethod: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
• accessLocation: 6
• uniformResourceIdentifier: http://ocsp.digicert.com
• AccessDescription
• accessMethod: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
• accessLocation: 6
• uniformResourceIdentifier: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
7) CRL Distribution Points
• Extension (id-ce-cRLDistributionPoints)
• Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
• CRLDistPointsSyntax: 1 item
• DistributionPoint
• distributionPoint: fullName (0)
• fullName: 1 item
• GeneralName: uniformResourceIdentifier (6)
• uniformResourceIdentifier: http://crl3.digicert.com/DigiCertGlobalRootG2.crl
8) Certificate Policies
• Extension (id-ce-certificatePolicies)
• Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
• CertificatePoliciesSyntax: 5 items
• PolicyInformation / policyIdentifier: 2.16.840.1.114412.2.1 (US company arc.114412.2.1)
• PolicyInformation / policyIdentifier: 2.23.140.1.1 (joint-iso-itu-t.23.140.1.1)
• PolicyInformation / policyIdentifier: 2.23.140.1.2.1 (joint-iso-itu-t.23.140.1.2.1)
• PolicyInformation / policyIdentifier: 2.23.140.1.2.2 (joint-iso-itu-t.23.140.1.2.2)
• PolicyInformation / policyIdentifier: 2.23.140.1.2.3 (joint-iso-itu-t.23.140.1.2.3)
Signature of the intermediate
• algorithmIdentifier (sha256WithRSAEncryption)
• Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
• Padding: 0
• encrypted […]: 90f170cb2897…
RSA signature of the intermediate (truncated).
9) TLS --- Record 2: Server Key Exchange
• Transport Layer Security
TLS continues in the same TCP stream.
• [Stream index: 18]
• TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
TLS 1.2 record with a “Server Key Exchange” handshake.
• Content Type: Handshake (22)
• Version: TLS 1.2 (0x0303)
• Length: 300
300 bytes of TLS fragment.
• Handshake Protocol: Server Key Exchange
• Handshake Type: Server Key Exchange (12)
• Length: 296
• EC Diffie-Hellman Server Params
Parameters for the key exchange (ECDHE).
• Curve Type: named_curve (0x03)
A “named” curve is used (not an explicit one).
• Named Curve: x25519 (0x001d)
X25519 group (very common and modern for ECDHE).
• Pubkey Length: 32
The server's ephemeral public key is 32 bytes long (X25519).
• Pubkey: 24c1f80756f310266d3b14c603ef9714510715c3669a05ac06cfc0e81e298f27
Server's ephemeral public key (hex).
• Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
The server signs these parameters with RSA‑PSS + SHA‑256 (RSAE). Cybersecurity: ECDHE + signature ⇒ server authentication + forward secrecy.
• Signature Hash Algorithm Hash: Unknown (8)
• Signature Hash Algorithm Signature: Unknown (4)
Wireshark does not “translate” this well for you here (probably a limitation of the dissector/version), but above it already indicates rsa_pss_rsae_sha256.
• Signature Length: 256
256 bytes ⇒ 2048-bit RSA signature.
• Signature […]: 6b4b1e8cdd55…
Signature (truncated).
10) TLS --- Record 3: Server Hello Done
• TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
TLS record with a “ServerHelloDone” handshake (in TLS 1.2 it marks the end of the server's messages in this phase).
• Content Type: Handshake (22)
• Version: TLS 1.2 (0x0303)
• Length: 4
TLS fragment of 4 bytes (a very small message).
• Handshake Protocol: Server Hello Done
• Handshake Type: Server Hello Done (14)
• Length: 0
This message has no body (header only).
Cybersecurity interpretation (what this frame “tells you”)
• You are seeing part of the TLS 1.2 handshake of a connection to m.stripe.com (Stripe).
• You can validate by eye that:
• the SAN includes m.stripe.com (good),
• the chain includes leaf + intermediate (the root is usually in the OS trust store and is not always sent),
• there are CT/SCTs (good modern practice),
• the exchange uses ECDHE X25519 and an RSA‑PSS signature (robust configuration, with forward secrecy).
• Although you cannot see the encrypted HTTP, you do see metadata (IPs, timings, SNI/cert, sizes), which in defensive analysis is useful for: inventory of external dependencies, MITM detection (cert mismatch), and hunting for anomalous connections.
If you want, also paste the ClientHello from the same stream (it usually shows SNI, ALPN, cipher suites, extensions) and I will analyze it at the same level of detail.
Frame 2566: Packet, 1840 bytes on wire (14720 bits), 1840 bytes captured (14720 bits) on interface \Device\NPF_{6867C2D8-186B-452B-9245-EFF2EE94D58D}, id 0
Section number: 1
Interface id: 0 (\Device\NPF_{6867C2D8-186B-452B-9245-EFF2EE94D58D})
Interface name: \Device\NPF_{6867C2D8-186B-452B-9245-EFF2EE94D58D}
Interface description: Wi-Fi
Encapsulation type: Ethernet (1)
Arrival Time: Feb 26, 2026 20:26:04.545848000 Hora estándar romance
UTC Arrival Time: Feb 26, 2026 19:26:04.545848000 UTC
Epoch Arrival Time: 1772133964.545848000
[Time shift for this packet: 0.000000000 seconds]
[Time delta from previous captured frame: 279.000 microseconds]
[Time delta from previous displayed frame: 434.000 microseconds]
[Time since reference or first frame: 29.615148000 seconds]
Frame Number: 2566
Frame Length: 1840 bytes (14720 bits)
Capture Length: 1840 bytes (14720 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:tls]
Character encoding: ASCII (0)
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: Intel_2d:65:59 (94:e6:f7:2d:65:59), Dst: zte_0c:f8:0b (2c:70:4f:0c:f8:0b)
Destination: zte_0c:f8:0b (2c:70:4f:0c:f8:0b)
… ..0. … … … … = LG bit: Globally unique address (factory default)
… …0 … … … … = IG bit: Individual address (unicast)
Source: Intel_2d:65:59 (94:e6:f7:2d:65:59)
… ..0. … … … … = LG bit: Globally unique address (factory default)
… …0 … … … … = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
[Stream index: 0]
Internet Protocol Version 4, Src: 192.168.1.130 (192.168.1.130), Dst: m.stripe.com (54.191.222.115)
0100 … = Version: 4
… 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
… ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
[Total Length: 1826 bytes (reported as 0, presumed to be because of “TCP segmentation offload” (TSO))]
Identification: 0x47f3 (18419)
010. … = Flags: 0x2, Don’t fragment
0… … = Reserved bit: Not set
.1.. … = Don’t fragment: Set
..0. … = More fragments: Not set
…0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 128
Protocol: TCP (6)
Header Checksum: 0x0000 [validation disabled]
[Header checksum status: Unverified]
Source Address: 192.168.1.130 (192.168.1.130)
Destination Address: m.stripe.com (54.191.222.115)
[Stream index: 35]
Transmission Control Protocol, Src Port: 54197 (54197), Dst Port: https (443), Seq: 1, Ack: 1, Len: 1786
Source Port: 54197 (54197)
Destination Port: https (443)
[Stream index: 18]
[Stream Packet Number: 4]
[Conversation completeness: Incomplete, DATA (15)]
..0. … = RST: Absent
…0 … = FIN: Absent
… 1… = Data: Present
… .1.. = ACK: Present
… ..1. = SYN-ACK: Present
… …1 = SYN: Present
[Completeness Flags: ··DASS]
[TCP Segment Len: 1786]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 4239626271
[Next Sequence Number: 1787 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 821914665
0101 … = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
000. … … = Reserved: Not set
…0 … … = Accurate ECN: Not set
… 0… … = Congestion Window Reduced: Not set
… .0.. … = ECN-Echo: Not set
… ..0. … = Urgent: Not set
… …1 … = Acknowledgment: Set
… … 1… = Push: Set
… … .0.. = Reset: Not set
… … ..0. = Syn: Not set
… … …0 = Fin: Not set
[TCP Flags: ·······AP···]
Window: 65535
[Calculated window size: 65535]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0xd763 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[Time since first frame in this TCP stream: 186.074000 milliseconds]
[Time since previous frame in this TCP stream: 434.000 microseconds]
[SEQ/ACK analysis]
[iRTT: 185.640000 milliseconds]
[Bytes in flight: 1786]
[Bytes sent since last PSH flag: 1786]
[Client Contiguous Streams: 1]
[Server Contiguous Streams: 1]
TCP payload (1786 bytes)
Transport Layer Security
[Stream index: 18]
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 1781
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 1777
Version: TLS 1.2 (0x0303)
[Expert Info (Chat/Deprecated): This legacy_version field MUST be ignored. The supported_versions extension is present and MUST be used instead.]
[This legacy_version field MUST be ignored. The supported_versions extension is present and MUST be used instead.]
[Severity level: Chat]
[Group: Deprecated]
Random: cdf003bfb3ab4528d22c0cb48c8f2f400e6087388c16aae35361cb0cd1ca1964
GMT Unix Time: Jun 27, 2079 04:34:39.000000000 Hora de verano romance
Random Bytes: b3ab4528d22c0cb48c8f2f400e6087388c16aae35361cb0cd1ca1964
Session ID Length: 32
Session ID: 741d58ad0256d4e4c776d9a6cc57fdfe25b834e3e8eec5beb33211aab20dfeba
Cipher Suites Length: 32
Cipher Suites (16 suites)
Cipher Suite: Reserved (GREASE) (0xbaba)
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 1672
Extension: Reserved (GREASE) (len=0)
Type: Reserved (GREASE) (35466)
Length: 0
Data: <MISSING>
Extension: signed_certificate_timestamp (len=0)
Type: signed_certificate_timestamp (18)
Length: 0
Extension: supported_groups (len=12)
Type: supported_groups (10)
Length: 12
Supported Groups List Length: 10
Supported Groups (5 groups)
Supported Group: Reserved (GREASE) (0x0a0a)
Supported Group: X25519MLKEM768 (0x11ec)
Supported Group: x25519 (0x001d)
Supported Group: secp256r1 (0x0017)
Supported Group: secp384r1 (0x0018)
Extension: status_request (len=5)
Type: status_request (5)
Length: 5
Certificate Status Type: OCSP (1)
Responder ID list Length: 0
Request Extensions Length: 0
Extension: extended_master_secret (len=0)
Type: extended_master_secret (23)
Length: 0
Extension: key_share (len=1263) X25519MLKEM768, x25519
Type: key_share (51)
Length: 1263
Key Share extension
Client Key Share Length: 1261
Key Share Entry: Group: Reserved (GREASE), Key Exchange length: 1
Group: Reserved (GREASE) (2570)
Key Exchange Length: 1
Key Exchange: 00
Key Share Entry: Group: X25519MLKEM768, Key Exchange length: 1216
Group: X25519MLKEM768 (4588)
Key Exchange Length: 1216
Key Exchange […]: 1751b087c2b230685b906546742bc13c35ccbc4750ae391873418c4c6178e34336077bb6ca53499d865b822993c6f3a8051a325e73c1aec7aa01003f1b53b38c7c9909f952df6a5a6b6a2d3547ad5b0538ef090594e2c9f7b5c36beb1d11e87374122f70c8b02e935d8c6531d82
Key Share Entry: Group: x25519, Key Exchange length: 32
Group: x25519 (29)
Key Exchange Length: 32
Key Exchange: 52d1164b9bad282aa9103c36c6a3e8654c80cdf7e8d2ce59756d1e8d40506447
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: psk_key_exchange_modes (len=2)
Type: psk_key_exchange_modes (45)
Length: 2
PSK Key Exchange Modes Length: 1
PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
Extension: supported_versions (len=7) TLS 1.3, TLS 1.2
Type: supported_versions (43)
Length: 7
Supported Versions length: 6
Supported Version: Reserved (GREASE) (0x6a6a)
Supported Version: TLS 1.3 (0x0304)
Supported Version: TLS 1.2 (0x0303)
Extension: application_layer_protocol_negotiation (len=14)
Type: application_layer_protocol_negotiation (16)
Length: 14
ALPN Extension Length: 12
ALPN Protocol
ALPN string length: 2
ALPN Next Protocol: h2
ALPN string length: 8
ALPN Next Protocol: http/1.1
Extension: compress_certificate (len=3)
Type: compress_certificate (27)
Length: 3
Algorithms Length: 2
Algorithm: brotli (2)
Extension: application_settings (len=5)
Type: application_settings (17613)
Length: 5
ALPS Extension Length: 3
Supported ALPN List
Supported ALPN Length: 2
Supported ALPN: h2
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: signature_algorithms (len=18)
Type: signature_algorithms (13)
Length: 18
Signature Hash Algorithms Length: 16
Signature Hash Algorithms (8 algorithms)
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (4)
Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (5)
Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (6)
Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Extension: server_name (len=17) name=m.stripe.com
Type: server_name (0)
Length: 17
Server Name Indication extension
Server Name list length: 15
Server Name Type: host_name (0)
Server Name length: 12
Server Name: m.stripe.com
Extension: session_ticket (len=0)
Type: session_ticket (35)
Length: 0
Session Ticket: <MISSING>
Extension: encrypted_client_hello (len=250)
Type: encrypted_client_hello (65037)
Length: 250
Client Hello type: Outer Client Hello (0)
Cipher Suite: HKDF-SHA256/AES-128-GCM
KDF Id: HKDF-SHA256 (1)
AEAD Id: AES-128-GCM (1)
Config Id: 242
Enc length: 32
Enc: f170f4da067d4193a239c3478c5ff1e3290c0c0fe62652fad92a8092d6ed0f2f
Payload length: 208
Payload […]: 457ea879e61a997e46bf8fa271006f58e3f296d297ef256f83c70d2d817be54b02e5f8df7a349066618bf4e5ffcccd450aa55880f64f73244989d662dac31754262298254f257580c7c9a25bdf58915af8798dede1b48031d60941ac7b346aa640440f170ddfb6e0d198e084ed670c53
Extension: Reserved (GREASE) (len=1)
Type: Reserved (GREASE) (10794)
Length: 1
Data: 00
[JA4: t13d1516h2_8daaf6152771_d8a2da3f94cd]
[JA4_r: t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,44cd,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601]
[JA3 Fullstring: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,18-10-5-23-51-11-45-43-16-27-17613-65281-13-0-35-65037,4588-29-23-24,0]
[JA3: 51f2aa3d1d7f128be5a7f1a9e0e913be]
GPT-5.2 Thinking
“Onion-style” analysis of Frame 2566 (Wireshark) --- line-by-line explanation
General context: this frame is outbound traffic from your host 192.168.1.130 to m.stripe.com:443 and contains a TLS ClientHello (the start of the TLS handshake). It is a very useful piece for cybersecurity because, even though the later content is encrypted, the ClientHello exposes metadata (SNI, ALPN, suites, extensions) used for fingerprinting, MITM/downgrade detection and visibility into external dependencies.
1) Frame (capture metadata)
• Frame 2566: Packet, 1840 bytes on wire (14720 bits), 1840 bytes captured (14720 bits) on interface \Device\NPF_{…}, id 0
Packet #2566. Length on the medium/link: 1840 bytes, and all 1840 were captured (no truncation). Windows NPF interface (Npcap), internal id 0.
• Section number: 1
Section 1 of the pcapng.
• Interface id: 0 (\Device\NPF_{…})
Interface 0 within the capture file.
• Interface name: \Device\NPF_{…}
Device name in Windows.
• Interface description: Wi-Fi
The logical interface is Wi‑Fi.
• Encapsulation type: Ethernet (1)
Wireshark receives it encapsulated as Ethernet II (typical of Wi‑Fi captures on Windows: you do not see real 802.11 headers).
• Arrival Time: Feb 26, 2026 20:26:04.545848000 Hora estándar romance
Local system time.
• UTC Arrival Time: Feb 26, 2026 19:26:04.545848000 UTC
Same timestamp in UTC.
• Epoch Arrival Time: 1772133964.545848000
UNIX epoch timestamp.
• [Time shift for this packet: 0.000000000 seconds]
No manual time adjustment.
• [Time delta from previous captured frame: 279.000 microseconds]
279 µs since the previous captured frame.
• [Time delta from previous displayed frame: 434.000 microseconds]
434 µs since the previous displayed frame (may vary if filters are applied).
• [Time since reference or first frame: 29.615148000 seconds]
~29.6 s since the reference frame (normally the first).
• Frame Number: 2566
Frame number.
• Frame Length: 1840 bytes (14720 bits)
Actual size at the link level.
• Capture Length: 1840 bytes (14720 bits)
Size stored in the pcap: complete.
• [Frame is marked: False]
Not manually marked.
• [Frame is ignored: False]
Not ignored.
• [Protocols in frame: eth:ethertype:ip:tcp:tls]
Layers identified: Ethernet → IPv4 → TCP → TLS. (No X.509 appears here because you are still at the ClientHello; certificates usually come from the server afterwards.)
• Character encoding: ASCII (0)
Text representation preference (does not affect parsing of the TLS binary).
• [Coloring Rule Name: TCP]
Coloring rule applied: TCP.
• [Coloring Rule String: tcp]
Pattern that triggered the color.
2) Layer 2 --- Ethernet II
• Ethernet II, Src: Intel_2d:65:59 (94:e6:f7:2d:65:59), Dst: zte_0c:f8:0b (2c:70:4f:0c:f8:0b)
Ethernet frame from the Intel MAC (your machine) to the ZTE MAC (probably the AP/router). Indicates outbound traffic.
• Destination: zte_0c:f8:0b (2c:70:4f:0c:f8:0b)
Destination MAC (ZTE).
• … ..0. … … … … = LG bit: Globally unique address (factory default)
U/L bit = 0: global (not locally administered).
• … …0 … … … … = IG bit: Individual address (unicast)
I/G bit = 0: unicast.
• Source: Intel_2d:65:59 (94:e6:f7:2d:65:59)
Source MAC (Intel).
• … ..0. … … … … = LG bit: Globally unique address (factory default)
Global.
• … …0 … … … … = IG bit: Individual address (unicast)
Unicast.
• Type: IPv4 (0x0800)
EtherType 0x0800 = IPv4.
• [Stream index: 0]
Internal stream index at the Ethernet level (Wireshark).
3) Layer 3 --- IPv4
• Internet Protocol Version 4, Src: 192.168.1.130 (192.168.1.130), Dst: m.stripe.com (54.191.222.115)
Private source IP (your host) to a public IP that resolves to m.stripe.com.
• 0100 … = Version: 4
IPv4.
• … 0101 = Header Length: 20 bytes (5)
Minimal IPv4 header (no options).
• Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Default DSCP, ECN not used.
• 0000 00.. = Differentiated Services Codepoint: Default (0)
DSCP=0.
• … ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
ECN=0.
• [Total Length: 1826 bytes (reported as 0, presumed to be because of “TCP segmentation offload” (TSO))]
Key point for analysts: Wireshark presumes 1826 bytes but says the field was “reported as 0” as an effect of TSO. What it means (cybersecurity/forensics): with offloading, the OS can hand the NIC a “super‑segment” and the NIC splits it into real segments on transmission. In local captures you may see fields (length, checksum) that look “odd” or are not validated. Do not assume corruption/malice from this alone.
• Identification: 0x47f3 (18419)
IPv4 fragmentation ID.
• 010. … = Flags: 0x2, Don’t fragment
DF set (do not fragment).
• 0… … = Reserved bit: Not set
Reserved, set to 0.
• .1.. … = Don’t fragment: Set
DF=1.
• ..0. … = More fragments: Not set
MF=0.
• …0 0000 0000 0000 = Fragment Offset: 0
Offset 0 (not fragmented).
• Time to Live: 128
TTL=128 (very typical of Windows). It is not proof, but it is a passive fingerprinting signal.
• Protocol: TCP (6)
L4 is TCP.
• Header Checksum: 0x0000 [validation disabled]
The IP checksum shows as 0 and is not validated. This fits with offloading/TSO (not conclusive on its own).
• [Header checksum status: Unverified]
Not verified.
• Source Address: 192.168.1.130 (192.168.1.130)
Source IP.
• Destination Address: m.stripe.com (54.191.222.115)
Destination IP (with the name resolved by Wireshark).
• [Stream index: 35]
Internal index at the IP level.
4) Layer 4 --- TCP
• Transmission Control Protocol, Src Port: 54197 (54197), Dst Port: https (443), Seq: 1, Ack: 1, Len: 1786
TCP from your ephemeral port 54197 to 443. Len: 1786 is the TCP payload (it contains the TLS ClientHello).
• Source Port: 54197 (54197)
Client ephemeral port.
• Destination Port: https (443)
Server port.
• [Stream index: 18]
TCP stream #18.
• [Stream Packet Number: 4]
Packet #4 within the stream (SYN, SYN/ACK, ACK have probably already passed).
• [Conversation completeness: Incomplete, DATA (15)]
Conversation incomplete as far as Wireshark is concerned (it did not see everything). Indicators observed:
• ..0. … = RST: Absent
No reset was seen.
• …0 … = FIN: Absent
No FIN close was seen.
• … 1… = Data: Present
Data is present.
• … .1.. = ACK: Present
ACKs are present.
• … ..1. = SYN-ACK: Present
A SYN-ACK was seen.
• … …1 = SYN: Present
A SYN was seen.
• [Completeness Flags: ··DASS]
Summary: Data, ACK, SYN, SYN-ACK.
• [TCP Segment Len: 1786]
TCP payload in this segment: 1786.
• Sequence Number: 1 (relative sequence number)
Relative seq 1.
• Sequence Number (raw): 4239626271
Real seq (32 bits).
• [Next Sequence Number: 1787 (relative sequence number)]
1 + 1786 = 1787.
• Acknowledgment Number: 1 (relative ack number)
Relative ACK 1.
• Acknowledgment number (raw): 821914665
Real ACK.
• 0101 … = Header Length: 20 bytes (5)
Minimal TCP header, no options.
• Flags: 0x018 (PSH, ACK)
PSH+ACK flags (fast delivery to the app; common in handshakes).
• 000. … … = Reserved: Not set
• …0 … … = Accurate ECN: Not set
• … 0… … = Congestion Window Reduced: Not set
• … .0.. … = ECN-Echo: Not set
• … ..0. … = Urgent: Not set
• … …1 … = Acknowledgment: Set
• … … 1… = Push: Set
• … … .0.. = Reset: Not set
• … … ..0. = Syn: Not set
• … … …0 = Fin: Not set
• [TCP Flags: ·······AP···]
Visual summary: A (ACK) and P (PSH).
• Window: 65535
Advertised window (flow control).
• [Calculated window size: 65535]
Same after calculation.
• [Window size scaling factor: -2 (no window scaling used)]
Window scaling is not in use (or was not negotiated/observed).
• Checksum: 0xd763 [unverified]
TCP checksum not verified (very common with offloading).
• [Checksum Status: Unverified]
Not verified.
• Urgent Pointer: 0
No urgent data.
• [Timestamps]
• [Time since first frame in this TCP stream: 186.074000 milliseconds]
This packet arrives ~186 ms after the first one in the stream.
• [Time since previous frame in this TCP stream: 434.000 microseconds]
434 µs since the previous one in the stream.
• [SEQ/ACK analysis]
• [iRTT: 185.640000 milliseconds]
Estimated initial RTT ~185.64 ms.
• [Bytes in flight: 1786]
Bytes in flight (not yet ACKed) in this direction.
• [Bytes sent since last PSH flag: 1786]
Internal metric.
• [Client Contiguous Streams: 1]
Heuristic: 1 contiguous client block.
• [Server Contiguous Streams: 1]
Heuristic: 1 contiguous server block.
• TCP payload (1786 bytes)
TLS (ClientHello) starts here.
5) Layer 5/6 --- TLS (ClientHello)
• Transport Layer Security
Wireshark detects TLS over TCP.
• [Stream index: 18]
Belongs to TCP stream 18.
TLS Record header (the “Record Layer”)
• TLSv1.2 Record Layer: Handshake Protocol: Client Hello
It is a TLS record carrying the “ClientHello” handshake. (Wireshark labels it this way; in TLS 1.3 scenarios there are “legacy” fields.)
• Content Type: Handshake (22)
Type 22 = handshake.
• Version: TLS 1.0 (0x0301)
In modern TLS (especially TLS 1.3) the record may carry a legacy/compatibility version (0x0301). It does not necessarily mean “I am using TLS 1.0”.
• Length: 1781
Length of the TLS fragment inside the record.
Handshake message: ClientHello
• Handshake Protocol: Client Hello
• Handshake Type: Client Hello (1)
• Length: 1777
Length of the ClientHello message.
• Version: TLS 1.2 (0x0303)
The legacy_version field inside the ClientHello (typical of TLS 1.3: it usually goes as 0x0303). The actual supported version is announced in supported_versions.
• [Expert Info (Chat/Deprecated): This legacy_version field MUST be ignored. The supported_versions extension is present and MUST be used instead.]
Wireshark warns: this field must be ignored if supported_versions is present.
• [This legacy_version field MUST be ignored. The supported_versions extension is present and MUST be used instead.]
• [Severity level: Chat]
Informational severity.
• [Group: Deprecated]
Grouped as a “legacy field”.
• Random: cdf003bfb3ab4528d22c0cb48c8f2f400e6087388c16aae35361cb0cd1ca1964
32 bytes of client randomness (key to deriving secrets).
• GMT Unix Time: Jun 27, 2079 04:34:39.000000000 Hora de verano romance
Wireshark interprets the first 4 bytes as an “old-style” timestamp, but in modern clients it may simply be random (do not take 2079 as a “real date”).
• Random Bytes: b3ab4528d22c0cb48c8f2f400e6087388c16aae35361cb0cd1ca1964
Remaining random bytes.
• Session ID Length: 32
• Session ID: 741d58ad0256d4e4c776d9a6cc57fdfe25b834e3e8eec5beb33211aab20dfeba
“Legacy” session identifier. In modern TLS it is used for compatibility and for certain resumption/state flows.
• Cipher Suites Length: 32
• Cipher Suites (16 suites)
The client offers 16 suites (the server will choose 1). From a cybersecurity standpoint, this is fingerprinting material and also indicates compatibility (and whether old suites are still being offered).
• Cipher Suite: Reserved (GREASE) (0xbaba)
GREASE: a “fake” value to prevent ossification (middleboxes breaking new things).
• Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
TLS 1.3 suite (AEAD AES‑128‑GCM, HKDF/SHA‑256).
• Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
TLS 1.3 (AES‑256‑GCM, SHA‑384).
• Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS 1.3 (ChaCha20‑Poly1305).
• Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS 1.2 ECDHE + ECDSA + AES‑GCM.
• Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS 1.2 ECDHE + RSA + AES‑GCM.
• Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
• Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
• Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
• Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
• Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS 1.2 with CBC+SHA1 (legacy/compatibility; does not imply it is used).
• Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
• Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
RSA key exchange (no forward secrecy) if a server were to choose it.
• Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
• Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
• Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
• Compression Methods Length: 1
• Compression Methods (1 method)
• Compression Method: null (0)
TLS compression disabled (the norm; avoids CRIME-type attacks at the “classic” TLS level).
• Extensions Length: 1672
Total size of the extensions block (large: typical of modern browsers).
6) TLS extensions (one by one)
• Extension: Reserved (GREASE) (len=0)
• Type: Reserved (GREASE) (35466)
GREASE type.
• Length: 0
• Data: <MISSING>
There is no data (length 0); Wireshark shows “missing” as a placeholder.
• Extension: signed_certificate_timestamp (len=0)
• Type: signed_certificate_timestamp (18)
• Length: 0
Indicates support/request related to SCT/CT (the server may send SCTs).
• Extension: supported_groups (len=12)
• Type: supported_groups (10)
• Length: 12
• Supported Groups List Length: 10
• Supported Groups (5 groups)
ECDHE/KEM groups the client supports:
• Supported Group: Reserved (GREASE) (0x0a0a)
• Supported Group: X25519MLKEM768 (0x11ec)
Wireshark labels it as a hybrid X25519+MLKEM768 group (post‑quantum/hybrid). On the defensive side: an indicator of a modern client.
• Supported Group: x25519 (0x001d)
Classic X25519 (very common).
• Supported Group: secp256r1 (0x0017)
• Supported Group: secp384r1 (0x0018)
• Extension: status_request (len=5)
• Type: status_request (5)
• Length: 5
• Certificate Status Type: OCSP (1)
Requests OCSP stapling (the server can “staple” the revocation status).
• Responder ID list Length: 0
• Request Extensions Length: 0
• Extension: extended_master_secret (len=0)
• Type: extended_master_secret (23)
• Length: 0
Mitigation for certain attacks on TLS 1.2 (triple handshake). A good sign of secure compatibility.
• Extension: key_share (len=1263) X25519MLKEM768, x25519
• Type: key_share (51)
• Length: 1263
• Key Share extension
• Client Key Share Length: 1261
• Key Share Entry: Group: Reserved (GREASE), Key Exchange length: 1
• Group: Reserved (GREASE) (2570)
• Key Exchange Length: 1
• Key Exchange: 00
• Key Share Entry: Group: X25519MLKEM768, Key Exchange length: 1216
• Group: X25519MLKEM768 (4588)
• Key Exchange Length: 1216
• Key Exchange […]: 1751b087c2b2…
Cryptographic material for the exchange (truncated).
• Key Share Entry: Group: x25519, Key Exchange length: 32
• Group: x25519 (29)
• Key Exchange Length: 32
• Key Exchange: 52d1164b9bad282aa9103c36c6a3e8654c80cdf7e8d2ce59756d1e8d40506447
• Extension: ec_point_formats (len=2)
• Type: ec_point_formats (11)
• Length: 2
• EC point formats Length: 1
• Elliptic curves point formats (1)
• EC point format: uncompressed (0)
EC point format (legacy, but still appears for TLS 1.2 compatibility).
• Extension: psk_key_exchange_modes (len=2)
• Type: psk_key_exchange_modes (45)
• Length: 2
• PSK Key Exchange Modes Length: 1
• PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
For TLS 1.3 PSK/resumption: indicates that if it uses PSK, it also wants (EC)DHE (better than “pure” PSK).
• Extension: supported_versions (len=7) TLS 1.3, TLS 1.2
• Type: supported_versions (43)
• Length: 7
• Supported Versions length: 6
• Supported Version: Reserved (GREASE) (0x6a6a)
• Supported Version: TLS 1.3 (0x0304)
• Supported Version: TLS 1.2 (0x0303)
This makes it clear: it supports TLS 1.3 and 1.2.
• Extension: application_layer_protocol_negotiation (len=14)
• Type: application_layer_protocol_negotiation (16)
• Length: 14
• ALPN Extension Length: 12
• ALPN Protocol
• ALPN string length: 2
• ALPN Next Protocol: h2
Offers HTTP/2.
• ALPN string length: 8
• ALPN Next Protocol: http/1.1
Offers HTTP/1.1 as a fallback.
• Extension: compress_certificate (len=3)
• Type: compress_certificate (27)
• Length: 3
• Algorithms Length: 2
• Algorithm: brotli (2)
Requests certificate compression with Brotli (reduces handshake size; useful for latency).
• Extension: application_settings (len=5)
• Type: application_settings (17613)
• Length: 5
• ALPS Extension Length: 3
• Supported ALPN List
• Supported ALPN Length: 2
• Supported ALPN: h2
Wireshark interprets it as “application_settings/ALPS”: it is used to negotiate application-layer settings (commonly related to HTTP/2). (I am not making up anything further: I am sticking to what Wireshark shows.)
• Extension: renegotiation_info (len=1)
• Type: renegotiation_info (65281)
• Length: 1
• Renegotiation Info extension
• Renegotiation info extension length: 0
Secure renegotiation extension (TLS 1.2/legacy). In TLS 1.3 there is no renegotiation, but it is announced for compatibility with middleboxes.
• Extension: signature_algorithms (len=18)
• Type: signature_algorithms (13)
• Length: 18
• Signature Hash Algorithms Length: 16
• Signature Hash Algorithms (8 algorithms)
Algorithms the client accepts for server signatures:
• Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
• Signature Hash Algorithm Hash: SHA256 (4)
• Signature Hash Algorithm Signature: ECDSA (3)
• Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
• Signature Hash Algorithm Hash: Unknown (8)
• Signature Hash Algorithm Signature: Unknown (4)
Wireshark does not break it down well here, but above it already identifies it as RSA‑PSS+SHA256.
• Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
• Signature Hash Algorithm Hash: SHA256 (4)
• Signature Hash Algorithm Signature: RSA (1)
• Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
• Signature Hash Algorithm Hash: SHA384 (5)
• Signature Hash Algorithm Signature: ECDSA (3)
• Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
• Signature Hash Algorithm Hash: Unknown (8)
• Signature Hash Algorithm Signature: Unknown (5)
• Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
• Signature Hash Algorithm Hash: SHA384 (5)
• Signature Hash Algorithm Signature: RSA (1)
• Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
• Signature Hash Algorithm Hash: Unknown (8)
• Signature Hash Algorithm Signature: Unknown (6)
• Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
• Signature Hash Algorithm Hash: SHA512 (6)
• Signature Hash Algorithm Signature: RSA (1)
• Extension: server_name (len=17) name=m.stripe.com
• Type: server_name (0)
• Length: 17
• Server Name Indication extension
• Server Name list length: 15
• Server Name Type: host_name (0)
• Server Name length: 12
• Server Name: m.stripe.com
SNI: the hostname travels in the clear (unless ECH is accepted and actually “hides” the real SNI via the Inner CH; here we see that at least in the Outer, m.stripe.com appears).
• Extension: session_ticket (len=0)
• Type: session_ticket (35)
• Length: 0
• Session Ticket: <MISSING>
Extension present with length 0: indicates support for tickets (resumption), but does not include a ticket here.
• Extension: encrypted_client_hello (len=250)
• Type: encrypted_client_hello (65037)
• Length: 250
• Client Hello type: Outer Client Hello (0)
This indicates attempted/actual use of ECH (Encrypted ClientHello): a visible “Outer” and an encrypted “Inner” are sent.
• Cipher Suite: HKDF-SHA256/AES-128-GCM
HPKE suite used to encrypt the Inner.
• KDF Id: HKDF-SHA256 (1)
• AEAD Id: AES-128-GCM (1)
• Config Id: 242
Identifier referencing a server ECH configuration (normally distributed via DNS HTTPS/SVCB).
• Enc length: 32
• Enc: f170f4da067d4193a239c3478c5ff1e3290c0c0fe62652fad92a8092d6ed0f2f
Encapsulated/ephemeral key of the HPKE exchange (32 bytes suggests a 32-byte KEM/curve, but I assert nothing further because it is not shown explicitly here).
• Payload length: 208
• Payload […]: 457ea879e61a99…
Encrypted payload (Inner ClientHello), truncated.
• Extension: Reserved (GREASE) (len=1)
• Type: Reserved (GREASE) (10794)
• Length: 1
• Data: 00
Another GREASE extension with 1 byte of data.
7) Fingerprints (JA4 / JA3) --- metadata for detection
• [JA4: t13d1516h2_8daaf6152771_d8a2da3f94cd]
JA4 fingerprint computed by Wireshark from the ClientHello (useful for detection/attribution; more robust than JA3 in some scenarios).
• [JA4_r: t13d1516h2_002f,0035,009c,009d,1301,1302,1303,c013,c014,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0012,0017,001b,0023,002b,002d,0033,44cd,fe0d,ff01_0403,0804,0401,0503,0805,0501,0806,0601]
“Raw” representation that lists the suites/extensions/groups/algorithms used to derive the JA4. (It is widely used by blue teams to classify clients and detect anomalies/impersonation.)
• [JA3 Fullstring: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,18-10-5-23-51-11-45-43-16-27-17613-65281-13-0-35-65037,4588-29-23-24,0]
JA3 string (version, ciphers, extensions, groups, EC formats). Classic material for passive fingerprinting.
• [JA3: 51f2aa3d1d7f128be5a7f1a9e0e913be]
MD5 hash of the JA3 fullstring (the “JA3” that is usually stored in SIEM/IDS).
Quick defensive reading (without making anything up)
• It is a very “modern browser” ClientHello: TLS 1.3+1.2, ALPN h2, GREASE, key_share with x25519 and a hybrid X25519MLKEM768 group, brotli certificate compression, and ECH (Outer ClientHello).
• A caution for forensic analysis: several oddities (IP total length “0”, checksums “unverified”) are consistent with TSO/offloading and not necessarily tampering.
• The JA3/JA4 block is gold for a SOC: you can build detections such as “this host suddenly changes fingerprint” (possible malware, an odd proxy, a different TLS library, etc.).
If you like, paste the ServerHello from the same Stream index: 18 (or tell me the frame) and I will explain how to confirm whether ECH was accepted and which final suite/version was negotiated.