I have two separate PCAP files. Both of these PCAP files contain a ClientHello of protocol TLS version 1.0. How come one of the captures says the ClientHello packet is "SSL" protocol, and the other capture says the ClientHello is "TLSv1" protocol?
asked 16 Nov '12, 16:40 shauer
One Answer:
If you look at both capture files, you will see that the one marked as TLSv1 contains ciphers with Diffie-Hellman key exchange (DHE). Furthermore, there is an extension available:
Wireshark starts SSL/TLS dissection by setting the Protocol field to "SSL". Later in the process it updates it if there are more/other signs regarding the SSL/TLS version. packet-ssl.c:
I have not checked your sample in detail in the code, but I believe the TLS extension (and possibly also the DHE ciphers) lead to an update from SSL to TLSv1 in the protocol field. Regards
answered 19 Nov '12, 11:12 Kurt Knochner ♦ edited 19 Nov '12, 11:13
Can you post those two conversations on cloudshark.org (or similar)?
Here are the two captures.
Shows up as "TLSv1": http://cloudshark.org/captures/a5f13d33adcd
Shows up as "SSL": http://cloudshark.org/captures/40569e71513
I see in the uploaded files that both PCAP dumps show the ClientHello as "SSL". This is not what I am seeing in the desktop version of Wireshark.
Desktop version is 1.8.3 (SVN 45256). Desktop is Windows 7 x64.
The link for the second capture file does not work.
UPDATE: I found it myself: http://cloudshark.org/captures/40569e715137
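To make the answer's point concrete, here is an added example (not part of the original thread and not Wireshark's own code): a small parser that pulls the record version, handshake version, cipher suites and extensions out of a TLS ClientHello, plus a labelling function that mimics the progressive "SSL" then "TLSv1" labelling the answer describes. The two ClientHellos are constructed inline (one with DHE suites and a server_name extension, one with RSA-only suites and no extensions); they stand in for the two captures but are not taken from them. The promotion rule in `classify` (extensions or DHE suites promote the label to the name of the client version) is an assumption taken from the answer's belief, not a transcription of packet-ssl.c; the version numbers and cipher suite identifiers are the standard IANA values.

```python
import struct

# Standard version numbers as they appear on the wire.
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# A few standard DHE cipher suites (IANA identifiers).
DHE_SUITES = {
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}

# Standard extension type registered for server_name (SNI).
EXT_SERVER_NAME = 0x0000


def server_name_extension(hostname):
    """Encode a server_name extension (RFC 6066 layout) for the constructed hello."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name(0) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list


def build_client_hello(version, cipher_suites, extensions=b""):
    """Construct a TLS record carrying a ClientHello (test data built here, not captured)."""
    body = struct.pack("!H", version)
    body += b"\x11" * 32                                        # client random (fixed, constructed)
    body += b"\x00"                                             # session id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                         # one compression method: null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_client_hello(record):
    """Parse one TLS record holding a ClientHello; raise ValueError on anything malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver, rec_len = struct.unpack("!HH", record[1:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    off = 0
    client_ver = struct.unpack("!H", body[off:off + 2])[0]
    off += 2 + 32                                               # skip client random
    off += 1 + body[off]                                        # skip session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                                        # skip compression methods
    extensions = []
    if off + 2 <= len(body):                                    # extensions block is optional
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = min(off + ext_len, len(body))
        while off + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[off:off + 4])
            off += 4 + ext_size
            extensions.append(ext_type)
    return {"record_version": rec_ver, "client_version": client_ver,
            "cipher_suites": suites, "extensions": extensions}


def classify(info):
    """Start at the generic 'SSL' label and promote it only when a version-specific signal appears.
    The triggers (extensions, DHE suites) are an assumption based on the answer, not packet-ssl.c."""
    label = "SSL"
    has_dhe = any(s in DHE_SUITES for s in info["cipher_suites"])
    if info["extensions"] or has_dhe:
        label = VERSION_NAMES.get(info["client_version"], label)
    return label


# Two constructed hellos: both announce TLS 1.0 (0x0301) in record and handshake version.
HELLO_WITH_EXT = build_client_hello(0x0301, [0x0033, 0x0039, 0x002F], server_name_extension("example.com"))
HELLO_PLAIN = build_client_hello(0x0301, [0x002F, 0x0005, 0x000A])

if __name__ == "__main__":
    for name, rec in (("with extension + DHE", HELLO_WITH_EXT), ("RSA only, no extension", HELLO_PLAIN)):
        info = parse_client_hello(rec)
        print(name, hex(info["record_version"]), info["extensions"], classify(info))
```

Both constructed hellos carry the same version bytes, so the difference in label says nothing about what the peers will negotiate; when checking a capture for protocol downgrade or policy compliance, read the version fields (and the ServerHello that follows) rather than relying on the column label alone.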