This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL Handshake Certificate hidden

I cannot figure out why, when I apply the filter ssl.handshake.certificate to a trace, I see nothing, while others in the same unit with the same trace see the packets. Is there a setting to ignore or hide these packets?

asked 09 Sep '13, 10:21

mhumphries73


3 Answers:

Is your session using a well-known SSL port number like 443? Otherwise you need to use the 'Decode As' function and map the connection to the SSL protocol.

answered 09 Sep '13, 11:06

mrEEde2

It is not; however, I have added the port (7043) to the HTTP protocol information in preferences (I also tried Decode As). Still nothing.

(09 Sep '13, 13:20) mhumphries73

Can you add a screenshot of your Wireshark showing the SSL packet and possibly provide the trace file on www.cloudshark.org?

(10 Sep '13, 09:17) mrEEde2

Please make sure you have the following protocol settings configured:

  • IP: disable "Validate the IPv4 checksum if possible"
  • TCP: disable "Validate the TCP checksum if possible"
  • TCP: enable "Allow subdissector to reassemble TCP streams"
  • SSL: enable "Reassemble SSL records spanning multiple TCP segments"
  • SSL: enable "Reassemble SSL Application Data spanning multiple SSL records" (not strictly needed for displaying the certificate message, but might be needed for decrypting application data)

answered 09 Sep '13, 22:06

SYN-bit ♦♦

• TCP: enable "Allow subdissector to reassemble TCP streams" had to be changed, but that did not correct the issue :(

(10 Sep '13, 09:02) mhumphries73

One more setting that might be of influence (where there are retransmissions or duplicate packets in the trace):

TCP: enable "Do not call subdissectors for error packets"

(10 Sep '13, 11:05) SYN-bit ♦♦

> is there a setting to ignore or hide these packets?
> i have added the port (7043) to the http protocol information in preferences ( i also tried the decode as ) still nothing.

Maybe the SSL dissector is disabled on your system. Please check:

Analyze -> Enabled Protocols -> SSL

Regards
Kurt

answered 10 Sep '13, 07:14

Kurt Knochner ♦

edited 10 Sep '13, 07:20

Verified that this setting is enabled.

(10 Sep '13, 08:28) mhumphries73

As you have checked and tested several options, I suggest comparing the settings of your colleagues with your settings.

So, please get a copy of their Wireshark settings (%APPDATA%\Wireshark*) and compare that with your settings. You can use a visual diff tool for that, like WinMerge (http://winmerge.org).

(10 Sep '13, 14:59) Kurt Knochner ♦
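
The settings comparison suggested in the last comment can also be scripted. The following is an added example, not code from any poster in this thread: it assumes the text `preferences` file found in the Wireshark settings directory ("name: value" lines, `#` for comments and unchanged defaults) and reports only the IP, TCP, SSL and HTTP differences discussed above. The two file contents are constructed samples.

```python
# Added example: diff two Wireshark "preferences" files, limited to the
# dissector settings discussed in this thread. Sample contents are constructed.

def parse_prefs(text):
    """Return {name: value} for settings explicitly set in a preferences file."""
    prefs = {}
    for line in text.splitlines():
        # Comment lines (including commented-out defaults) and blanks are skipped.
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # Indented lines continue a multi-line value; ignored in this example.
        if line[0] in " \t":
            continue
        name, sep, value = line.partition(":")
        if sep:
            prefs[name.strip()] = value.strip()
    return prefs

def diff_prefs(mine, theirs, prefixes=("ip.", "tcp.", "ssl.", "http.")):
    """List (name, my_value, their_value) for differing settings under prefixes."""
    a, b = parse_prefs(mine), parse_prefs(theirs)
    out = []
    for name in sorted(set(a) | set(b)):
        if name.startswith(prefixes) and a.get(name) != b.get(name):
            # A setting missing from one file is still at its default there.
            out.append((name, a.get(name, "(default)"), b.get(name, "(default)")))
    return out

# Constructed sample: the profile that does not show the Certificate message.
MINE = """\
# Configuration file for Wireshark (constructed sample)
capture.prom_mode: TRUE
tcp.check_checksum: TRUE
tcp.desegment_tcp_streams: FALSE
ssl.desegment_ssl_records: TRUE
http.ssl.port: 443
"""

# Constructed sample: a colleague's profile that does show it.
THEIRS = """\
capture.prom_mode: FALSE
tcp.desegment_tcp_streams: TRUE
ssl.desegment_ssl_records: TRUE
http.ssl.port: 443,7043
"""

if __name__ == "__main__":
    for name, my_value, their_value in diff_prefs(MINE, THEIRS):
        print(f"{name}: mine={my_value} theirs={their_value}")
```

To run it on real files, read each `preferences` file into a string and pass both to `diff_prefs`.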