This is a static archive of our old Q&A Site. Please post any new questions and answers at

SSL’s Handshake Dissecting



In the attached Wireshark window, I'm wondering why the Change Cipher Spec and Encrypted Handshake Message are displayed in two separate packets (19 and 20). While they are displayed in one packet number (22).

Thank you.

asked 27 Aug '14, 15:26

flora

accept rate: 100%

edited 27 Aug '14, 15:27

One Answer:


You're looking at messages from the client to the server (frames 19 & 20) that each contain an individual record and a message from the server to the client (frame 22) that contains both records.

The capture was likely made at the client so you see the two records as separate frames, before the NIC likely coalesces them onto the wire, and the incoming records from the server have been coalesced into one frame.

answered 28 Aug '14, 03:24


grahamb ♦
accept rate: 22%

Thanks for your explanation. It makes sense, but I can't confirm it as I didn't capture the traffic myself and I don't have information about the capture's location. Indeed, I'm interested in knowing more about how the NIC can affect the frames as it does in the given example, but I'm not sure what term is used to describe this in order to be able to google it. I'd appreciate it if you know it and can mention it here. Thanks.

(21 Oct '14, 02:44) flora

Nagle can be used to coalesce small writes into one TCP segment, but it has other issues so is usually disabled by the application.

Applications can also buffer small writes and then send them to the socket in a larger chunk.

Also, various NIC drivers have offload functionality, where the driver handles all sorts of things, e.g. checksums, and depending on where in the stack the capture is made, different things will be visible in the capture. See @jasper's blog article on capturing locally on the target machines.

(21 Oct '14, 03:24) grahamb ♦
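
The point made in this thread, that TLS record boundaries are independent of TCP segment boundaries, shown as an added example that is not part of the original posts. The byte strings are constructed samples (a TLS 1.2 record header is assumed), and the function names are hypothetical.

```python
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert",
                 22: "Handshake", 23: "ApplicationData"}

def split_records(buf):
    """Parse complete TLS records from buf; return (records, leftover bytes)."""
    records, offset = [], 0
    while len(buf) - offset >= 5:                      # 5-byte record header
        ctype, major, minor, length = struct.unpack_from("!BBBH", buf, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError(f"not a TLS record header at offset {offset}")
        if len(buf) - offset - 5 < length:
            break                                      # rest arrives in a later segment
        records.append((CONTENT_TYPES[ctype], (major, minor), length))
        offset += 5 + length
    return records, buf[offset:]

def records_per_segment(segments):
    """For each TCP payload in order, list the records completed by it."""
    pending, out = b"", []
    for seg in segments:
        recs, pending = split_records(pending + seg)
        out.append([name for name, _version, _length in recs])
    return out

# Constructed sample records (not taken from the capture in the question).
CCS = bytes.fromhex("140303000101")                    # type 20, 1-byte body
ENC_HS = bytes.fromhex("1603030028") + bytes(40)       # type 22, 40-byte opaque body

TWO_FRAMES = [CCS, ENC_HS]              # one record per segment, like frames 19 and 20
ONE_FRAME = [CCS + ENC_HS]              # both records in one segment, like frame 22
SPLIT_MID = [CCS + ENC_HS[:10], ENC_HS[10:]]  # a record straddling two segments

if __name__ == "__main__":
    for label, segs in [("two frames", TWO_FRAMES), ("one frame", ONE_FRAME),
                        ("split mid-record", SPLIT_MID)]:
        print(label, records_per_segment(segs))
```

All three segmentations carry the same two records; only the grouping of records into frames differs.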