This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am tracing traffic between an iPhone and our Exchange server. When the iPhone syncs, Wireshark shows only the Client Hello. The remainder of the handshake does not show. I know the handshake is successful and that encrypted data is passed because email is synced, and Schannel Event ID 36880 "An SSL server handshake completed successfully" is generated soon after the Client Hello.

What am I missing?

Thanks.

asked 12 Dec '13, 11:22

sejong's gravatar image

sejong
11113
accept rate: 0%


Perhaps partially answering my own question - the behavior I posted was when the iPhone was connected to the Internet via the cellular data network (Verizon, in this case). I retried it with the iPhone connected to the Internet via WiFi - all the expected elements of the handshake appeared in the Wireshark trace.

Update - The previous WiFi connection was internal. A WiFi connection routed via the Internet has the same behavior as over the cellular data network.

Typical details: Frame 1 is from the iPhone to the server, SSL protocol, destination port is 443 (this is the Client Hello) Frame 2 is from the iPhone to the server, TCP protocol, destination port is 443 Frame 3 is from the server to the iPhone, TCP protocol, source port is 443 Frame 4 is from the iPhone to the server, TCP protocol, destination port is 443

permanent link

answered 12 Dec '13, 12:46

sejong's gravatar image

sejong
11113
accept rate: 0%

edited 13 Dec '13, 16:57

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×44

question asked: 12 Dec '13, 11:22

question was seen: 3,689 times

last updated: 13 Dec '13, 16:57

p​o​w​e​r​e​d by O​S​Q​A