I have two separate PCAP files. Both of these PCAP files contain a ClientHello of protocol TLS version 1.0.
How come one of the captures says the ClientHello packet is "SSL" protocol, and the other capture says the ClientHello is "TLSv1" protocol?
asked 16 Nov '12, 16:40
If you look at both capture files, you will see that the one marked as TLSv1 contains ciphers with Diffie-Hellman Key Exchange (DHE). Furthermore, there is an Extension available:
Wireshark starts SSL/TLS dissection by setting the Protocol field to "SSL". Later in the process it will update it if there are more/other signs regarding the SSL/TLS version.
I have not checked your sample in detail in the code, but I believe the TLS Extension (and possibly also the DHE ciphers) lead to an update from SSL to TLSv1 in the protocol field.
answered 19 Nov '12, 11:12
Kurt Knochner ♦
edited 19 Nov '12, 11:13
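To compare two ClientHello records on the fields the answer above points at (record and handshake version, DHE cipher suites, extensions), here is an added example that is not part of the original answer and is not Wireshark's dissector logic. The helper names are hypothetical and both sample records are constructed; it reports the fields only and does not reproduce how Wireshark chooses the Protocol column.

```python
import struct

# Two TLS_DHE_* cipher suite code points (IANA registry); not exhaustive.
DHE_SUITES = {0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
              0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}

def summarize_client_hello(record: bytes) -> dict:
    """Return the ClientHello fields the answer points at (hypothetical helper)."""
    try:
        ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rec_len]
        if ctype != 0x16 or body[0] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        (hello_ver,) = struct.unpack_from("!H", hello, 0)
        pos = 35 + hello[34]          # skip client_version, random, session_id
        (cs_len,) = struct.unpack_from("!H", hello, pos)
        suites = [struct.unpack_from("!H", hello, pos + 2 + i)[0] for i in range(0, cs_len, 2)]
        pos += 2 + cs_len
        pos += 1 + hello[pos]         # skip compression_methods
        ext_types = []
        if pos < len(hello):          # the extensions block is optional
            (ext_total,) = struct.unpack_from("!H", hello, pos)
            pos, end = pos + 2, pos + 2 + ext_total
            while pos + 4 <= end:
                etype, elen = struct.unpack_from("!HH", hello, pos)
                ext_types.append(etype)
                pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello") from None
    return {"record_version": rec_ver, "hello_version": hello_ver,
            "dhe_suites": [DHE_SUITES[s] for s in suites if s in DHE_SUITES],
            "extension_types": ext_types}

def build_client_hello(suites, extensions=b""):
    """Constructed sample input: a TLS 1.0 ClientHello in a single record."""
    hello = struct.pack("!H", 0x0301) + bytes(32) + b"\x00"
    hello += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"              # one compression method: null
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

PLAIN = build_client_hello([0x002F, 0x0035])            # RSA suites, no extensions
RICH = build_client_hello([0x0039, 0x0033, 0x002F],     # DHE suites plus an empty
                          struct.pack("!HHB", 0xFF01, 1, 0))  # renegotiation_info

if __name__ == "__main__":
    print(summarize_client_hello(PLAIN), summarize_client_hello(RICH), sep="\n")
```

Both constructed records carry version 0x0301 in the record layer and in the handshake body, so any difference in the summaries comes from the cipher list and the extensions block.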