This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have two separate PCAP files. Both of these PCAP files contain a ClientHello of protocol TLS version 1.0.

How come one of the captures says the ClientHello packet is "SSL" protocol, and the other capture says the ClientHello is "TLSv1" protocol?

asked 16 Nov '12, 16:40

shauer

Can you post those two conversations on cloudshark.org (or similar)?

(17 Nov '12, 14:07) Kurt Knochner ♦

Here are the two captures.

Shows up as "TLSv1": http://cloudshark.org/captures/a5f13d33adcd

Shows up as "SSL": http://cloudshark.org/captures/40569e71513

(19 Nov '12, 09:48) shauer

I see in the uploaded files that both PCAP dumps show the ClientHello as "SSL". This is not what I am seeing in the desktop version of Wireshark.

(19 Nov '12, 09:54) shauer

Desktop version is 1.8.3 (SVN 45256). Desktop is Windows 7 x64.

(19 Nov '12, 09:58) shauer

The link for the second capture file does not work.

UPDATE: I found it myself: http://cloudshark.org/captures/40569e715137

(19 Nov '12, 11:06) Kurt Knochner ♦

If you look at both capture files, you will see that the one marked as TLSv1 contains ciphers with Diffie-Hellman Key Exchange (DHE). Furthermore, there is an Extension available:

Extension: SessionTicket TLS

Wireshark starts SSL/TLS dissection by setting the Protocol field to "SSL". Later in the process it will update it, if there are more/other signs regarding the SSL/TLS version.

packet-ssl.c:

    /* Initialize the protocol column; we'll set it later when we
     * figure out what flavor of SSL it is (assuming we don't
     * throw an exception before we get the chance to do so). */
    col_set_str(pinfo->cinfo, COL_PROTOCOL, "SSL");

I have not checked your sample in detail in the code, but I believe the TLS Extension (and possibly also the DHE ciphers) lead to an update from SSL to TLSv1 in the protocol field.

Regards
Kurt

answered 19 Nov '12, 11:12

Kurt Knochner ♦

edited 19 Nov '12, 11:13
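
Added example (not part of the original thread and not Wireshark's code): a minimal ClientHello parser that lists the fields the answer compares between the two captures, namely the record and handshake versions, the DHE cipher suites and extensions such as SessionTicket TLS. The names `parse_client_hello` and `build_sample` are hypothetical, and the sample bytes are constructed rather than taken from the posted captures.

```python
import struct

# IANA values for the items named in the answer; anything else is shown numerically.
DHE_SUITES = {0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
              0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}
EXT_NAMES = {0: "server_name", 35: "SessionTicket TLS"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record that carries a complete ClientHello."""
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a handshake record starting with a ClientHello")
    rec_ver = int.from_bytes(record[1:3], "big")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 0
    def take(n: int) -> bytes:          # bounds-checked cursor over the hello body
        nonlocal pos
        if pos + n > len(hello):
            raise ValueError("truncated ClientHello")
        pos += n
        return hello[pos - n:pos]

    hello_ver = int.from_bytes(take(2), "big")
    take(32)                            # random
    take(take(1)[0])                    # session_id
    raw = take(int.from_bytes(take(2), "big"))
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    take(take(1)[0])                    # compression methods
    exts = []
    if pos < len(hello):                # the extensions block is optional
        block, i = take(int.from_bytes(take(2), "big")), 0
        while i + 4 <= len(block):
            etype, elen = struct.unpack_from("!HH", block, i)
            exts.append(EXT_NAMES.get(etype, str(etype)))
            i += 4 + elen
    return {"record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
            "hello_version": VERSIONS.get(hello_ver, hex(hello_ver)),
            "dhe_suites": [DHE_SUITES[s] for s in suites if s in DHE_SUITES],
            "extensions": exts}

def build_sample(suites, ext_types) -> bytes:
    """Constructed TLS 1.0 ClientHello (zero random, empty extension bodies)."""
    hello = (b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(suites))
             + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00")
    if ext_types:
        ext = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Calling `parse_client_hello(build_sample([0x0039, 0x0033, 0x002F], [35]))` and `parse_client_hello(build_sample([0x002F, 0x0005], []))` gives the same version fields for both hellos, while only the first reports DHE suites and the SessionTicket TLS extension.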

question asked: 16 Nov '12, 16:40

question was seen: 6,314 times

last updated: 19 Nov '12, 11:50