This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can anyone decode this Encrypted Alert please?

0

The hex data shown below is a TLSv1 packet taken from a Wireshark trace. It shows an Encrypted Alert message according to Wireshark. The only problem is I cannot work out just what the alert really is - according to my research on the web the alert code level and description bytes contain the values 53 and AD - however these do not correspond to any values I can find. I believe the level code can be 1 or 2 and the description can be one of about 30 codes but decimal 173 is not one of these. Could anyone be good enough to enlighten me as to where I am going wrong in my analysis of the message and, ideally, tell me what the alert code really is? Many thanks.

0000 00 1e 4f ae ac 2d 00 15 e9 28 85 8b 08 00 45 00 ..O..-...(....E.
0010 00 4d 44 64 40 00 33 06 c0 00 c3 e1 bc c1 c0 a8 .MDd@.3.........
0020 01 fb 01 bb c4 65 b7 c7 fc 59 cf 6b 1d 28 50 18 .....e...Y.k.(P.
0030 00 36 b3 28 00 00 15 03 01 00 20 53 ad 3c 5d c6 .6.(...... S.<].
0040 96 44 3c cd 88 6f fa 0d 36 a5 99 84 0e c2 2c e5 .D<..o..6.....,.
0050 b3 d2 e3 48 00 78 50 0c 20 d2 a7 ...H.xP. ..

asked 24 Jun '12, 11:17

Bernard46
1334
accept rate: 0%

edited 24 Jun '12, 11:19


One Answer:

0

I may have found the answer to my own question! Searching round the web a bit more I came across a post elsewhere which suggested that the actual codes are encrypted, hence the "Encrypted" Alert! I would be grateful if anyone can confirm this - it would explain why I seem to be seeing a lot of different alert codes with no consistency and none of them appear in the TLS specifications!

It may be that I have to try and find the developers and ask them if they would mind debugging this area in order to find out what is going on!

answered 24 Jun '12, 15:37

Bernard46
1334
accept rate: 0%
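
An added example, not part of the original posts: the frame from the question parsed down to its TLS record header. The record declares a 32-byte body where a plaintext alert is exactly 2 bytes (level, description), so 53 ad are the first bytes of ciphertext. Function names are illustrative, and the MAC and block sizes passed to `tls10_cbc_len` are assumptions, since the page does not name the cipher suite.

```python
import struct

# Frame bytes copied from the hex dump in the question (91 bytes).
FRAME = bytes.fromhex(
    "001e4faeac2d0015e928858b08004500"
    "004d446440003306c000c3e1bcc1c0a8"
    "01fb01bbc465b7c7fc59cf6b1d285018"
    "0036b3280000150301002053ad3c5dc6"
    "96443ccd886ffa0d36a599840ec22ce5"
    "b3d2e3480078500c20d2a7"
)
ALERT = 0x15  # TLS record content type 21 (alert)

def tcp_payload(frame):
    """Strip Ethernet II, IPv4 and TCP headers; return the TCP payload."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]  # excludes any Ethernet padding
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    return tcp[(tcp[12] >> 4) * 4:]              # skip TCP header (data offset)

def parse_record(payload):
    """Split one TLS record into (type, version, declared length, body)."""
    if len(payload) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    body = payload[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    return ctype, (major, minor), length, body

def describe_alert(payload):
    """Say whether an alert record can be read as level/description."""
    ctype, version, length, body = parse_record(payload)
    if ctype != ALERT:
        return "not an alert record"
    if length == 2:  # plaintext alert: exactly two bytes
        return f"plaintext alert: level={body[0]} description={body[1]}"
    return f"encrypted alert (record version {version[0]}.{version[1]}): {length}-byte body is ciphertext"

def tls10_cbc_len(plain_len, mac_len, block):
    """TLS 1.0 CBC record size: data + MAC + pad-length byte, rounded up to a block (minimal padding assumed)."""
    return -(-(plain_len + mac_len + 1) // block) * block

if __name__ == "__main__":
    print(describe_alert(tcp_payload(FRAME)))
```

With an assumed 20-byte HMAC-SHA1 and 16-byte cipher block, `tls10_cbc_len(2, 20, 16)` gives 32, which matches the record length in this capture.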