This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

All the http protocol packets captured are ssl protected

0

I used to get packets in Wireshark where HTTP protocols were not encrypted, but recently every packet with application data in my Wireshark captured packets is SSL encrypted. There is not even one packet where I can see the HTTP protocol (i.e. when I filter with http, the result is always empty). Its protocol is always TLSv1.1 and the data is encrypted, for every packet that's supposed to be HTTP. So basically I cannot see the header information. Can anyone reply as to why this is happening? Thanks!

asked 30 Jun '13, 12:40

athina

What are the source and destination ports of the SSL packets you're seeing?

(30 Jun '13, 17:23) Guy Harris ♦♦

The server's port (source/dest) is generally https (443) and my computer's is 57715, 57810, etc. The IP addresses are of Google, Facebook, or Quora. Everything is in https mode and SSL encrypted. Any ideas as to why this is happening?

(30 Jun '13, 21:54) athina

3 Answers:

0

Is the traffic always between your IP address and one specific remote address? Then are you running some kind of SSL-VPN software?

answered 30 Jun '13, 12:47

SYN-bit ♦♦

There are multiple IP addresses from/to which the packets are encrypted. Even when I refresh my browser with websites like google.com, yahoo.com, etc., the DNS packets are captured but there is no HTTP protocol packet, only SSL encrypted packets, which do say that the application data is HTTP, but that data is encrypted and I cannot read the header info. I have typed some of those IPs into my browser and it took me to websites like google.com. So basically every HTTP protocol is being SSL encrypted. I have no VPN, but I did run a server on this computer (now turned off). Any ideas why this might be happening?

(30 Jun '13, 21:40) athina

Any ideas why this might be happening?

See my answer.

(30 Jun '13, 23:20) Guy Harris ♦♦

0

The server's port (source/dest) is generally https (443) and my computer's is 57715, 57810, etc. The IP addresses are of Google, Facebook, or Quora. Everything is in https mode and SSL encrypted. Any ideas as to why this is happening?

Because whatever software on your computer is contacting those hosts (browser, or whatever) either

  1. is using an https:// URL, which means it's asking for HTTP-over-SSL;
  2. the site is set up to redirect ordinary HTTP requests to the https:// URL, so it uses SSL.

In case 1, all your HTTP traffic will be over SSL. In case 2, the initial HTTP request will not be over SSL, and the response to it will not be over SSL, but that response will just tell the browser (or other client software) to use an https:// URL, and all subsequent HTTP traffic will be over SSL.

For example, my Facebook account is set up to switch to SSL by default, so even if I go to http://www.facebook.com, it will switch to https://www.facebook.com.

answered 30 Jun '13, 23:19

Guy Harris ♦♦

I think it's not 1 because: the browser shows https in the address bar for some and not for others. Besides, I have tried both Safari and Chrome. For example, after the site is loaded the address bar shows both kinds of URL:

a) http://www.nytimes.com/
b) https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2

I think it shouldn't be 2 because: if the initial HTTP request is not over SSL, then if I filtered the Wireshark capture with the keyword http, some result should have appeared, but the result is completely empty. Is it possible that the initial SSL request happens over TCP?

(01 Jul '13, 00:39) athina
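As an added example (not code from the original thread, from Wireshark, or from any of the posters), the following Python script makes the distinction in Guy Harris's answer concrete and also speaks to the follow-up question about the initial request: a plaintext HTTP request line, a plaintext HTTP 301 redirect to an https:// URL, and a TLS ClientHello all travel over TCP, but only the first two are readable text that an HTTP dissector (and therefore an `http` display filter) would match. The TLS records expose just a five-byte record header (content type, version, length) followed by an opaque payload, which is what the capture described in the question contains. All byte strings and the mock capture are constructed for this example; the port numbers and the classification labels are this example's own conventions, not Wireshark's.

```python
import re
from collections import Counter
from typing import Optional

# --- Constructed sample payloads (made up for this example, not taken from the thread) ---
SAMPLE_PLAIN_HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_HTTP_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# TLS record: content type 0x16 (handshake), record version 0x0302 (TLS 1.1),
# length 5, then a handshake header whose first byte 0x01 means ClientHello.
SAMPLE_TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x02, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
# TLS record: content type 0x17 (application data), TLS 1.1, three opaque bytes.
SAMPLE_TLS_APP_DATA = bytes([0x17, 0x03, 0x02, 0x00, 0x03, 0xAA, 0xBB, 0xCC])

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ", b"PATCH ")
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
TLS_MINOR_VERSIONS = {0x00: "SSLv3", 0x01: "TLSv1.0", 0x02: "TLSv1.1", 0x03: "TLSv1.2"}


def classify_payload(payload: bytes) -> str:
    """Label the first bytes of a TCP payload the way a dissector heuristic would.

    Returns "tls:<content type>" ("tls:client_hello" for the first handshake
    message), "http:plaintext" for a readable request or status line, or
    "unknown". Only the plaintext case is something an 'http' filter can match.
    """
    if (len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] in TLS_MINOR_VERSIONS):
        ctype = TLS_CONTENT_TYPES[payload[0]]
        if ctype == "handshake" and len(payload) >= 6 and payload[5] == 0x01:
            return "tls:client_hello"
        return f"tls:{ctype}"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http:plaintext"
    return "unknown"


def tls_version_name(payload: bytes) -> Optional[str]:
    """Return the record-layer version name of a TLS record, or None if it is not TLS."""
    if not classify_payload(payload).startswith("tls:"):
        return None
    return TLS_MINOR_VERSIONS[payload[2]]


def https_redirect_target(payload: bytes) -> Optional[str]:
    """If a plaintext HTTP response redirects to an https:// URL, return that URL.

    This is case 2 from the answer above: the only plaintext HTTP on the wire is
    the first request and a short redirect response; everything after it is TLS.
    """
    if classify_payload(payload) != "http:plaintext":
        return None
    head = payload.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/1\.[01] (\d{3}) ", lines[0])
    if not m or int(m.group(1)) not in (301, 302, 303, 307, 308):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location" and value.strip().lower().startswith("https://"):
            return value.strip()
    return None


def summarize_capture(segments) -> dict:
    """Count what an 'http' filter versus an 'ssl'/'tls' filter would each match.

    `segments` is an iterable of (server_port, payload) tuples standing in for
    the first data segment of each TCP stream in a capture.
    """
    counts = Counter()
    for server_port, payload in segments:
        family = classify_payload(payload).split(":")[0]
        counts[family] += 1
        if family == "tls" and server_port == 443:
            counts["https"] += 1
    return dict(counts)


# Constructed mock capture: one plaintext request plus redirect on port 80,
# then only TLS records on port 443.
SAMPLE_CAPTURE = [
    (80, SAMPLE_PLAIN_HTTP_REQUEST),
    (80, SAMPLE_HTTP_REDIRECT),
    (443, SAMPLE_TLS_CLIENT_HELLO),
    (443, SAMPLE_TLS_APP_DATA),
]

if __name__ == "__main__":
    for _, p in SAMPLE_CAPTURE:
        print(classify_payload(p), tls_version_name(p), https_redirect_target(p))
    print(summarize_capture(SAMPLE_CAPTURE))
```

Running the script labels the two port-80 segments as plaintext HTTP (the second one carrying a redirect to an https:// URL) and the two port-443 segments as TLS 1.1 records whose contents are opaque. In the Wireshark of that era the encrypted records fall under the `ssl` display filter (`tls` in current releases), while `http` matches only packets the HTTP dissector could decode, so a capture made up solely of the port-443 kind of segment gives an empty `http` filter result, exactly as described in the question.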

0

Can anyone reply as to why this is happening? Thanks!

Because you (probably) installed a plug-in into your browser (Firefox, Chrome) that does opportunistic encryption, like HTTPS Finder or HTTPS Everywhere.

The same holds true for any other browser. After a (recent) system update, that browser version might try to find encrypted versions of a web site and then only use SSL/TLS to those sites.

Regards
Kurt

answered 01 Jul '13, 02:52

Kurt Knochner ♦