This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL Decryption Anomalies


Still trying to use Wireshark's SSL decryption service. I took SYN-bit's advice and used Data as the protocol decode for the SSL key. There are a few things I don't understand.

Why would the SSL dissector (or perhaps HTTP header decoder) document 2 data fields? The first data field is 1 byte long and contains the ASCII letter G. The second data field starts off with ASCII letters ET followed by the remainder of the HTTP header. If I combine the two data fields together, the HTTP GET header looks fine.

For those that are more intimate with the design... what HTTP header (or SSL dissector) issues would result in the reporting of a "malformed packet"? I can't see anything wrong and I went through it byte by byte.

The Analyze Follow SSL Stream facility seems to report the proper HTTP Get and Response. My problem is that I'm trying to "programmatically automate" analysis and need to know the packet number of the GET packet. If it's not in the "info" section of the GUI display, I'm not sure how to get to the beginning of the HTTP stream? If I start analysis with the Response, I don't see the GET.

Advice/answers much appreciated.

thanks, Walter

================================================

I should add that the exact error message is:

[Malformed Packet: GIF image]
  [Message: Malformed Packer (Exception occurred)]
  [Severity level: Error]
  [Group: Malformed]

Is the G from my GET somehow being confused with the G for a GIF file? Strange.

-wk

asked 16 Apr '12, 07:42


wakelt

edited 16 Apr '12, 12:23


SYN-bit ♦♦