I have two separate PCAP files. Both of these PCAP files contain a ClientHello of protocol TLS version 1.0.

How come one of the captures says the ClientHello packet is "SSL" protocol, and the other capture says the ClientHello is "TLSv1" protocol?

Can you post those two conversations on (or similar)?

(17 Nov '12, 14:07) Kurt Knochner ♦

Here are the two captures.

Shows up as "TLSv1":

Shows up as "SSL":

(19 Nov '12, 09:48) shauer

I see in the uploaded files that both PCAP dumps show the ClientHello as "SSL". This is not what I am seeing in the desktop version of Wireshark.

(19 Nov '12, 09:54) shauer

Desktop version is 1.8.3 (SVN 45256). Desktop is Windows 7 x64.

(19 Nov '12, 09:58) shauer

The link for the second capture file does not work.

UPDATE: I found it myself:

(19 Nov '12, 11:06) Kurt Knochner ♦

One Answer:


If you look at both capture files, you will see that the one marked as TLSv1 contains ciphers with Diffie-Hellman key exchange (DHE). Furthermore, there is an extension available:

Extension: SessionTicket TLS

Wireshark starts SSL/TLS dissection by setting the Protocol field to "SSL". Later in the process it will update it, if there are more/other signs regarding the SSL/TLS version.


```c
/* Initialize the protocol column; we'll set it later when we
 * figure out what flavor of SSL it is (assuming we don't
 * throw an exception before we get the chance to do so). */
col_set_str(pinfo->cinfo, COL_PROTOCOL, "SSL");
```

I have not checked your sample in detail in the code, but I believe the TLS Extension (and possibly also the DHE ciphers) lead to an update from SSL to TLSv1 in the protocol field.


answered 19 Nov '12, 11:12

edited 19 Nov '12, 11:13
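To compare two ClientHellos on the fields the answer points at, here is an added example (not part of the original answer and not Wireshark's dissector logic): a small parser that reports the record-layer version, the `client_version`, any DHE cipher suites, and whether the SessionTicket TLS extension is present. The function names, the partial DHE suite list, and the sample records built by `build_hello` are constructed for illustration.

```python
import struct

# A few DHE suites from the IANA TLS registry (assumed subset, not exhaustive).
DHE_SUITES = {0x0013, 0x0016, 0x0032, 0x0033, 0x0038, 0x0039}
EXT_SESSION_TICKET = 35  # "SessionTicket TLS", RFC 5077

def parse_client_hello(record: bytes) -> dict:
    """Summarise the version-relevant fields of one TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver, rec_len = struct.unpack_from("!HH", record, 1)
    body = record[5:5 + rec_len]
    if len(body) < rec_len or body[:1] != b"\x01":
        raise ValueError("truncated record or not a ClientHello")
    pos = 4                                   # skip handshake type + 3-byte length
    (hello_ver,) = struct.unpack_from("!H", body, pos)
    pos += 2 + 32                             # client_version + random
    pos += 1 + body[pos]                      # session id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    suites = struct.unpack_from("!%dH" % (cs_len // 2), body, pos + 2)
    pos += 2 + cs_len
    pos += 1 + body[pos]                      # compression methods
    exts = []
    if pos + 2 <= len(body):                  # the extensions block is optional
        (ext_len,) = struct.unpack_from("!H", body, pos)
        pos, end = pos + 2, min(pos + 2 + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            exts.append(etype)
            pos += 4 + elen
    return {
        "record_version": "%d.%d" % divmod(rec_ver, 256),
        "client_version": "%d.%d" % divmod(hello_ver, 256),
        "dhe_suites": [hex(s) for s in suites if s in DHE_SUITES],
        "session_ticket": EXT_SESSION_TICKET in exts,
    }

def build_hello(suites, ext_types=()):
    """Build a constructed TLS 1.0 ClientHello record (sample input only)."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    body = b"\x03\x01" + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + struct.pack("!%dH" % len(suites), *suites)
    body += b"\x01\x00" + (struct.pack("!H", len(exts)) + exts if exts else b"")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(parse_client_hello(build_hello([0x0033, 0x002F], [EXT_SESSION_TICKET])))
    print(parse_client_hello(build_hello([0x002F, 0x0005])))
```

Both constructed records carry version 3.1 (TLS 1.0) in the record header and in the hello itself; they differ only in the DHE suite and the extension, which are the two differences the answer notes between the captures.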