
How can Wireshark indicate SSL Application Data as HTTP?


Hi all

I am analyzing a captured TLS/SSL session with Wireshark. Although I know that it's an HTTPS session, I wonder how Wireshark can indicate the Application Data as HTTP too. Especially since the record structure for Application Data provides Content Type (23) and Application Data Length only!

Example: SSLv3 Record Layer: Application Data Protocol: http

Any help on this is very much appreciated! Thanks

asked 14 Aug '12, 07:08


sky21


One Answer:


I wonder how Wireshark can indicate the Application Data as HTTP too

It cannot. That piece of information is just added by the HTTP dissector while registering the SSL dissector to handle SSL/TLS sessions.

See:

packet-http.c -> range_add_http_ssl_callback()

Regards
Kurt

answered 14 Aug '12, 08:05


Kurt Knochner ♦

edited 14 Aug '12, 08:07

Hi Kurt and thanks for the information so far!

But... how DOES the SSL dissector know that it encapsulates encrypted HTTP content? Is it because of the target TCP port 443 (...which might indicate that HTTPS service is used)?

(15 Aug '12, 22:32) sky21

(I converted your answer to a comment, please reread the FAQ)

Yes, identification is done based on the port number. The HTTP dissector tells the SSL dissector that all traffic on port 443 is encrypted HTTP traffic, even though it might not be.

(15 Aug '12, 23:50) SYN-bit ♦♦
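
The port-based labelling described in the thread above, as an added example that is not part of the original posts and is not Wireshark's code. It parses the 5-byte SSL/TLS record header and attaches a protocol name to Application Data from the server port alone; the table `SSL_PORT_TO_APP`, the helper names and the sample bytes are assumptions made for illustration.

```python
import struct

# Hypothetical stand-in for the port table an application dissector registers
# with the SSL dissector (per the thread, the HTTP dissector claims port 443).
SSL_PORT_TO_APP = {443: "http"}

CONTENT_TYPES = {20: "Change Cipher Spec", 21: "Alert",
                 22: "Handshake", 23: "Application Data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def parse_records(stream):
    """Yield (content_type, version, fragment) for each complete record."""
    offset = 0
    while offset + 5 <= len(stream):
        # Record header: type (1 byte), version (2 bytes), length (2 bytes).
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        end = offset + 5 + length
        if end > len(stream):
            break  # truncated record: stop instead of guessing
        yield ctype, (major, minor), stream[offset + 5:end]
        offset = end


def label_records(stream, server_port):
    """Return (label, fragment_length) pairs; the fragment is never inspected."""
    labels = []
    for ctype, version, fragment in parse_records(stream):
        label = "%s Record Layer: %s" % (VERSIONS.get(version, "SSL"),
                                         CONTENT_TYPES.get(ctype, "Unknown"))
        # The record header carries no field naming the inner protocol,
        # so the name comes only from the port lookup.
        app = SSL_PORT_TO_APP.get(server_port) if ctype == 23 else None
        if app:
            label += " Protocol: " + app
        labels.append((label, len(fragment)))
    return labels


def record(ctype, payload, version=(3, 0)):
    """Build one record (used only to construct the sample below)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


# Constructed sample: a handshake record, then opaque "encrypted" bytes.
SAMPLE = record(22, bytes(4)) + record(23, bytes(range(32)))

if __name__ == "__main__":
    for port in (443, 8443):
        print(port, label_records(SAMPLE, port))
```

The same bytes are labelled `http` on port 443 and left unlabelled on port 8443, which is why the label in a capture is a hint about the service, not evidence of what the encrypted payload contains.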