I'm trying to debug LDAP SSL communication and experience a problem with SSL decryption. After a malformed packet is seen from the client, all the client data are no longer decoded by wireshark. Kindly note that the server data is still decoded by wireshark and the SSL debug file shows some information of the data that was no decrypted in wireshark.
Below is the link to the ssl debug log and a snapshot of the packets as seen in wireshark
SSL debug: link text
image: link text
Could you advise me on a way to resolve that issue so that I could decode all the packets? Could it be a bug?
asked 09 Jan '14, 03:33
edited 09 Jan '14, 03:34
Let's have a look at the 'malformed' frame #21 in the debug log.
As you can see, the decrypted data part (only one byte: 0x30) is not a valid LDAP frame (obvious). The question is, why the dissector believes there is only 32 bytes of ‘app_data len’, whereas the frame len itself is 268 bytes. That does not match. Interesting: The frame and the MAC get decrypted correctly!??!
This could be a dissector bug. Is the frame in question somehow fragmented (at IP level)?
Please open a bug request at https://bugs.wireshark.org
HOWEVER to be able to debug this particular problem, you would have to provide some ‘private’ data, as
I’m not sure if that’s possible, as the ssl debug log suggests you have taken the capture file at a production site !?!
answered 12 Jan ‘14, 14:54
Kurt Knochner ♦