This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

alt text

In the attached Wireshark window, I'm wondering why the Change Cipher Spec and Encrypted Handshake Message are displayed in two separate packets (19 and 20). While they are displayed in one packet number (22).

Thank you.

asked 27 Aug '14, 15:26

flora's gravatar image

flora
156313338
accept rate: 100%

edited 27 Aug '14, 15:27


Your looking at messages from the client to the server (frames 19 & 20) that each contain an individual record and a message from the server to the client (frame 22) that contains both records.

The capture was likely made at the client so you see the two records as separate frames, before the NIC likely coalesces them onto the wire, and the incoming records from the server have been coalesced into one frame.

permanent link

answered 28 Aug '14, 03:24

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Thanks for your explanation.It makes sense but I can't confirm as I didn't capture the traffic by myself and I don't have information about the capture's location. In deed, I'm interested in knowing more about how the NIC can effect the frames as it does in the given example but I'm I'm not sure what the term used to describe this in order to be able to goole it. I'd appreciate if you know it and can mention it here. Thanks.

(21 Oct '14, 02:44) flora

Nagle can be used to coalesce small writes into one TCP segment, but it has other issues so is usually disabled by the application.

Applications can also buffer small writes and then send them to the socket in a larger chunk.

Also, various NIC drivers have offload functionality, where the driver handles all sorts of things, e.g. checksums, and depending on where in the stack the capture is made then different things will be visible in the capture. See @jasper blog article on capturing locally on the target machines.

(21 Oct '14, 03:24) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×637
×319
×44

question asked: 27 Aug '14, 15:26

question was seen: 2,119 times

last updated: 21 Oct '14, 03:24

p​o​w​e​r​e​d by O​S​Q​A