I am using the pre-master-secret to decrypt SSL web traffic. I can see the reassembled and decrypted packets just fine. It works great! Thanks for this feature, by the way.

The negotiated version of TLS is TLSv1 for this session, but I sometimes see TLSv1 in the protocol field and sometimes see SSL in the protocol field in the same stream. The TLS that has been decrypted is shown as HTTP, but the SSL segments of a reassembled PDU are shown as either TLSv1 or SSL -- even though it is all supposed to be TLSv1. How is this protocol field determined?

Thanks.

Sally

asked 03 Jul '13, 07:39 serrano