In the attached Wireshark window, I'm wondering why the Change Cipher Spec and Encrypted Handshake Message are displayed in two separate packets (19 and 20), while they are displayed in one packet number (22).
asked 27 Aug '14, 15:26
edited 27 Aug '14, 15:27
You're looking at messages from the client to the server (frames 19 & 20) that each contain an individual record and a message from the server to the client (frame 22) that contains both records.
The capture was likely made at the client so you see the two records as separate frames, before the NIC likely coalesces them onto the wire, and the incoming records from the server have been coalesced into one frame.
answered 28 Aug '14, 03:24
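The record-versus-frame distinction in the answer above can be seen by walking the 5-byte TLS record headers inside a TCP payload. This is an added example, not part of the original answer: the function name `split_tls_records` is hypothetical, and the bytes are constructed samples that assume TLS 1.2 with filler in place of the encrypted body.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def split_tls_records(payload: bytes):
    """Walk one TCP payload and return (records, leftover).

    records  -> (content_type, version, length) for each complete record
    leftover -> trailing bytes of a record that continues in a later segment
    """
    records, offset = [], 0
    while len(payload) - offset >= 5:            # record header is 5 bytes
        ctype, version, length = struct.unpack_from("!BHH", payload, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"not a TLS record at offset {offset}")
        if offset + 5 + length > len(payload):   # body needs TCP reassembly
            break
        records.append((CONTENT_TYPES[ctype], version, length))
        offset += 5 + length
    return records, payload[offset:]

# Constructed sample bytes (version 0x0303 = TLS 1.2); bodies are filler.
CCS = bytes([20, 3, 3, 0, 1, 1])                     # Change Cipher Spec
FINISHED = bytes([22, 3, 3, 0, 40]) + b"\x00" * 40   # Encrypted Handshake Message

client_frames = [CCS, FINISHED]   # like frames 19 and 20: one record per frame
server_frame = CCS + FINISHED     # like frame 22: two records in one frame

if __name__ == "__main__":
    for label, data in [("19", CCS), ("20", FINISHED), ("22", server_frame)]:
        print(label, split_tls_records(data))
```

The same two records come out either way; only the number of TCP payloads carrying them differs, which is why frame counts alone say nothing about how many TLS messages were exchanged.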