This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have an unusual SPDY-based protocol that I'm trying to decode. The session begins by the client making an HTTP GET request to the server. The client then makes itself a SPDY server and the server becomes a SPDY client. This allows the server to request data from the client using normal HTTP requests.

I'd like to decode the SPDY packets in Wireshark. Except for the initial handshake, the rest of the communication is standard SPDY. But when I configure SSL to decode the port as spdy, the packets still appear as SSL. The SSL Record indicates:

TLSv1 Record Layer: Application Data Protocol: spdy

And I can see the decrypted SSL data. But it doesn't decode the SPDY packet.

If I reconfigure to decode the SSL port as HTTP, then it decodes the initial HTTPS handshake, but the rest of the packets are still listed as SSL.

I'm familiar with dissectors, and am investigating in the source now, but can Wireshark handle switching protocols in the middle of a TLS session?

asked 10 Oct '14, 12:32


Rob Napier


Sounds like Wireshark was not able to decode the SSL/TLS session, maybe because your client/server are using DH/DHE (Diffie-Hellman) ciphers. See also here: https://ask.wireshark.org/questions/37223/wireshark-decryption-limitation

Can you please check this in the SSL debug file?

Edit -> Preferences -> Protocols -> SSL -> SSL debug file

Regards
Kurt


answered 21 Oct '14, 07:09


Kurt Knochner ♦

question asked: 10 Oct '14, 12:32

question was seen: 6,226 times

last updated: 21 Oct '14, 07:09
