This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I cannot figure out why, when I apply the filter ssl.handshake.certificate to a trace, I see nothing and others in the same unit with the same trace see the packets. Is there a setting to ignore or hide these packets?

asked 09 Sep '13, 10:21

mhumphries73


Is your session using a well-known SSL port number like 443? Otherwise you need to use the 'Decode As' function and map the connection to the SSL protocol.

answered 09 Sep '13, 11:06

mrEEde2

It is not; however, I have added the port (7043) to the HTTP protocol information in preferences (I also tried the Decode As), still nothing.

(09 Sep '13, 13:20) mhumphries73

Can you add a screenshot of your Wireshark showing the SSL packet and possibly provide the trace file on www.cloudshark.org?

(10 Sep '13, 09:17) mrEEde2

Please make sure you have the following protocol settings configured:

  • IP: disable "Validate the IPv4 checksum if possible"
  • TCP: disable "Validate the TCP checksum if possible"
  • TCP: enable "Allow subdissector to reassemble TCP streams"
  • SSL: enable "Reassemble SSL records spanning multiple TCP segments"
  • SSL: enable "Reassemble SSL Application Data spanning multiple SSL records" (not strictly needed for displaying the certificate message, but might be needed for decrypting application data)

answered 09 Sep '13, 22:06

SYN-bit ♦♦

TCP: enable "Allow subdissector to reassemble TCP streams" had to be changed, but that did not correct the issue :(

(10 Sep '13, 09:02) mhumphries73

One more setting that might be of influence (where there are retransmissions or duplicate packets in the trace):

TCP: enable "Do not call subdissectors for error packets"

(10 Sep '13, 11:05) SYN-bit ♦♦

> Is there a setting to ignore or hide these packets?
> I have added the port (7043) to the HTTP protocol information in preferences (I also tried the Decode As), still nothing.

Maybe the SSL dissector is disabled on your system. Please check:

Analyze -> Enabled Protocols -> SSL

Regards
Kurt

answered 10 Sep '13, 07:14

Kurt Knochner ♦

edited 10 Sep '13, 07:20

Verified that this setting is enabled.

(10 Sep '13, 08:28) mhumphries73

As you have checked and tested several options, I suggest comparing the settings of your colleagues with your settings.

So, please get a copy of their Wireshark settings (%APPDATA%\Wireshark*) and compare that with your settings. You can use a visual diff tool for that, like WinMerge (http://winmerge.org).

(10 Sep '13, 14:59) Kurt Knochner ♦
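
The settings comparison suggested in the thread, narrowed to the dissection options the answers name, as an added example that is not part of the original posts. It assumes the Wireshark 1.x preference key names shown in the code and the plain `key: value` layout of the `preferences` file; the two sample files are constructed.

```python
import re
# Preference keys behind the dialog options named in the thread, with the values
# the answers recommend (Wireshark 1.x names; 3.0 and later use tls.* for ssl.*).
RECOMMENDED = {
    "ip.check_checksum": "FALSE",
    "tcp.check_checksum": "FALSE",
    "tcp.desegment_tcp_streams": "TRUE",
    "tcp.no_subdissector_on_error": "TRUE",
    "ssl.desegment_ssl_records": "TRUE",
    "ssl.desegment_ssl_application_data": "TRUE",
}
_PREF = re.compile(r"^([A-Za-z0-9_.\-]+):\s*(.*)$")

def parse_prefs(text):
    """Return {key: value} for the active lines of a 'preferences' file."""
    prefs, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # blank, or comment/default
            last = None
        elif line[0] in " \t" and last:               # continuation of a value
            prefs[last] += line.strip()
        else:
            m = _PREF.match(line)
            last = m.group(1) if m else None
            if m:
                prefs[last] = m.group(2).strip()
    return prefs

def compare(mine, theirs, keys=RECOMMENDED):
    """Rows (key, mine, theirs, recommended) where the files disagree."""
    a, b = parse_prefs(mine), parse_prefs(theirs)
    rows = []
    for key, wanted in keys.items():
        # A key that is absent or commented out is reported as "(default)".
        va, vb = a.get(key, "(default)"), b.get(key, "(default)")
        if va.upper() != vb.upper():
            rows.append((key, va, vb, wanted))
    return rows

# Constructed sample files, not taken from the thread.
MINE = ("#tcp.check_checksum: FALSE\n"
        "tcp.desegment_tcp_streams: FALSE\n"
        "ssl.desegment_ssl_records: TRUE\n")
THEIRS = ("tcp.check_checksum: FALSE\n"
          "tcp.desegment_tcp_streams: TRUE\n"
          "tcp.no_subdissector_on_error: TRUE\n"
          "ssl.desegment_ssl_records: TRUE\n")
if __name__ == "__main__":
    for row in compare(MINE, THEIRS):
        print("%-36s mine=%-10s theirs=%-10s recommended=%s" % row)
```

A "(default)" on one side against an explicit value on the other is not necessarily a real difference, so check such rows in the Preferences dialog.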
question asked: 09 Sep '13, 10:21

question was seen: 9,281 times

last updated: 10 Sep '13, 14:59