This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decoding SPDY after protocol switch

0

I have an unusual SPDY-based protocol that I'm trying to decode. The session begins by the client making an HTTP GET request to the server. The client then makes itself a SPDY server and the server becomes a SPDY client. This allows the server to request data from the client using normal HTTP requests.

I'd like to decode the SPDY packets in Wireshark. Except for the initial handshake, the rest of the communication is standard SPDY. But when I configure SSL to decode the port as spdy, the packets still appear as SSL. The SSL Record indicates:

TLSv1 Record Layer: Application Data Protocol: spdy

And I can see the decrypted SSL data. But it doesn't decode the SPDY packet.

If I reconfigure to decode the SSL port as HTTP, then it decodes the initial HTTPS handshake, but the rest of the packets are still listed as SSL.

I'm familiar with dissectors, and am investigating in the source now, but can Wireshark handle switching protocols in the middle of a TLS session?

asked 10 Oct '14, 12:32

Rob Napier
accept rate: 100%


One Answer:

0

Sounds like Wireshark was not able to decode the SSL/TLS session, maybe because your client/server are using DH/DHE (Diffie-Hellman) ciphers. See also here: https://ask.wireshark.org/questions/37223/wireshark-decryption-limitation

Can you please check this in the SSL debug file?

Edit -> Preferences -> Protocols -> SSL -> SSL debug file

Regards
Kurt

answered 21 Oct '14, 07:09

Kurt Knochner ♦
accept rate: 15%