I have captured some data for a client, and the capture is SSL3. From what I can tell it looks like the servers are communicating using the three-way handshake, then the two servers communicate over a secure connection, and then an HTTPS connection is initiated by one of the servers or the application, and finally the transition process ends with FIN-ACK-ACK-RST, ACK and the process starts over. Question: am I correct on that, or is something else going on in the trace? Thanks for the help in advance.
asked 13 Jun '13, 09:24 ejohnson7
One Answer:
There is no data transfer in the sessions in your tracefile. Although the snaplength prevents Wireshark from displaying the SSL handshake properly, the following sequence can be assumed, based on normal (resumed) SSL handshakes:
Between frame 6 and 7 there should have been "ApplicationData" messages if there was data transfer between the two systems. Since the client is closing the connection, and the interval between the sessions is exactly 64 seconds (filter on tcp.flags==2 and look at the time difference between the odd lines and then the time difference between the even lines), it looks like two processes on 10.97.4.65 are monitoring the availability of the server by just performing the SSL handshake.
EDIT: removed the ServerHelloDone, as it is not part of a resumed SSL handshake.
answered 13 Jun '13, 10:53 SYN-bit ♦♦ edited 13 Jun '13, 23:48
Thank you very much for your advice. So the resets are just the connection closing, not a bad thing, correct?
How can you tell there are two processes on 10.97.4.65 monitoring? This is new to me, thanks.
I can't tell for sure, but I see two sequences of SYN packets which are exactly 64 seconds apart (frames 1, 19, 37, 55, 73 are 64 seconds apart, and frames 10, 28, 46, 64, 82 are 64 seconds apart).
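As an added example (not part of the thread), the script below generalises SYN-bit's "odd lines / even lines" check: it takes the SYN-only packets a `tcp.flags==2` filter would list, sorts them by time, and finds the smallest stride k for which every k-th SYN is spaced at a near-constant interval, which separates k interleaved periodic probers. The frame numbers are the ones from the thread; the timestamps and the 30.5 s offset between the two probers are constructed.

```python
"""Find interleaved periodic SYN-only probes (e.g. availability checks)
from a list of SYN packets, as a tshark/Wireshark analyst would read them."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Syn:
    frame: int     # Wireshark frame number
    time: float    # seconds since capture start (frame.time_relative)
    src: str       # source address of the SYN


# Constructed sample: the frame numbers are those quoted in the answer,
# the timestamps are made up (two probers, 64 s period, 30.5 s apart).
SYNS = [Syn(f, t, "10.97.4.65") for f, t in [
    (1, 0.000), (10, 30.512), (19, 64.001), (28, 94.513), (37, 128.002),
    (46, 158.514), (55, 192.002), (64, 222.515), (73, 256.003), (82, 286.516),
]]


def interleaved_chains(syns, tolerance=0.5, max_probers=8):
    """Return (k, chains, period) for the smallest stride k such that every
    k-th SYN (in time order) is spaced at a constant interval within
    `tolerance` seconds; chains[i] lists the frame numbers of prober i.
    Returns None when no stride up to max_probers gives a periodic pattern."""
    ordered = sorted(syns, key=lambda s: s.time)
    for k in range(1, max_probers + 1):
        strides = [ordered[i::k] for i in range(k)]
        if any(len(s) < 3 for s in strides):
            return None  # fewer than two gaps per chain: cannot call it periodic
        gaps = [b.time - a.time for s in strides for a, b in zip(s, s[1:])]
        period = mean(gaps)
        if all(abs(g - period) <= tolerance for g in gaps):
            return k, [[s.frame for s in st] for st in strides], round(period, 3)
    return None


if __name__ == "__main__":
    result = interleaved_chains(SYNS)
    if result is None:
        print("no periodic SYN pattern found")
    else:
        k, chains, period = result
        print(f"{k} prober(s) on {SYNS[0].src}, period {period} s")
        for chain in chains:
            print("  frames", chain)
```

On the constructed data this reports two probers with a 64.001 s period, frames 1/19/37/55/73 and 10/28/46/64/82, mirroring the observation in the thread.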