This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

why single SSL packet contains multiple app_data sections


Hi there,

While troubleshooting an SSLVPN slowness issue, I noticed the retransmitted SSL packets contain multiple app_data sections. I don't see this kind of pattern in pcap files from other locations. The VPN Server has Nagle's algorithm turned on, could this be the cause?

The following is an excerpt from the actual capture and in the SAME TCP stream. (For security reasons, the server's public IP is replaced with A.A.A.A). The server was trying to resend TCP Seq 32132 in packets 274, 277 and 281. Notice in each of those packets, there are 3 or 4 "Application Data" sections? And also each packet's Next Sequence number is different. Why is that?

274 11:45:14.796000 A.A.A.A 192.168.0.101 **32132** 32282 3923 TLSv1 208 1 [TCP Retransmission] Application Data, Application Data, Application Data, Application Data, Application Data 274

277 11:45:14.830000 A.A.A.A 192.168.0.101 32132 32312 3923 TLSv1 238 1 [TCP Retransmission] Application Data, Application Data, Application Data, Application Data, Application Data, Application Data 277

281 11:45:14.858000 A.A.A.A 192.168.0.101 32132 32312 3950 TLSv1 238 1 [TCP Out-Of-Order] Application Data, Application Data, Application Data, Application Data, Application Data, Application Data 281

Hope someone could kindly clarify. Thanks! ~

asked 17 Nov ‘14, 20:17


Timbit
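An added example, not part of the original post: TCP carries TLS as a byte stream, so one segment can hold several TLS records, and a retransmission may cover a longer byte range than an earlier attempt at the same sequence number. The sketch below walks TLS record headers in constructed payloads whose sizes match the Seq/Next Seq differences quoted above (150 and 180 bytes); the 30-byte record size and the helper names are assumptions, not values read from the capture.

```python
import struct

TLS_HEADER_LEN = 5  # content type (1) + version (2) + length (2)
CONTENT_TYPES = {20: "Change Cipher Spec", 21: "Alert",
                 22: "Handshake", 23: "Application Data"}


def walk_tls_records(payload):
    """Return (records, leftover_bytes) for one TCP segment payload.

    records lists (type_name, total_length) for each complete TLS record;
    leftover_bytes counts trailing bytes of a record that continues in
    the next segment (0 when the segment ends on a record boundary).
    """
    records, offset = [], 0
    while offset + TLS_HEADER_LEN <= len(payload):
        ctype, version, length = struct.unpack_from("!BHH", payload, offset)
        if ctype not in CONTENT_TYPES or (version >> 8) != 3:
            raise ValueError(f"not a TLS record header at offset {offset}")
        end = offset + TLS_HEADER_LEN + length
        if end > len(payload):  # record is split across segments
            break
        records.append((CONTENT_TYPES[ctype], TLS_HEADER_LEN + length))
        offset = end
    return records, len(payload) - offset


def make_record(body_len, version=0x0301):
    """Constructed TLSv1 application-data record with a zeroed body."""
    return struct.pack("!BHH", 23, version, body_len) + bytes(body_len)


def segment(seq, next_seq, body_len=25):
    """Constructed payload covering [seq, next_seq), filled with equal records."""
    size = next_seq - seq
    record = make_record(body_len)
    return (record * (size // len(record) + 1))[:size]


if __name__ == "__main__":
    # Seq / Next Seq pairs taken from the three rows quoted in the post.
    for label, seq, nxt in (("274", 32132, 32282), ("277", 32132, 32312),
                            ("281", 32132, 32312)):
        recs, leftover = walk_tls_records(segment(seq, nxt))
        print(f"packet {label}: {nxt - seq} bytes, "
              f"{len(recs)} complete records, {leftover} leftover bytes")
```
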