This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL Handshake - only the Client Hello shows in the trace

I am tracing traffic between an iPhone and our Exchange server. When the iPhone syncs, Wireshark shows only the Client Hello. The remainder of the handshake does not show. I know the handshake is successful and that encrypted data is passed because email is synced, and Schannel Event ID 36880 "An SSL server handshake completed successfully" is generated soon after the Client Hello.

What am I missing?

Thanks.

asked 12 Dec '13, 11:22

sejong


One Answer:

Perhaps partially answering my own question - the behavior I posted was when the iPhone was connected to the Internet via the cellular data network (Verizon, in this case). I retried it with the iPhone connected to the Internet via WiFi - all the expected elements of the handshake appeared in the Wireshark trace.

Update - The previous WiFi connection was internal. A WiFi connection routed via the Internet has the same behavior as over the cellular data network.

Typical details:

Frame 1 is from the iPhone to the server, SSL protocol, destination port is 443 (this is the Client Hello)
Frame 2 is from the iPhone to the server, TCP protocol, destination port is 443
Frame 3 is from the server to the iPhone, TCP protocol, source port is 443
Frame 4 is from the iPhone to the server, TCP protocol, destination port is 443

answered 12 Dec '13, 12:46

sejong

edited 13 Dec '13, 16:57