

How does Wireshark recognize: Handshake protocol: Encrypted Handshake message? From the RFC, it doesn't seem to have this type. How can we recognize it from the bytes?

Diana & Shahar

asked 18 Mar '15, 06:33

Dianalab9

accept rate: 0%

edited 19 Mar '15, 03:42


grahamb ♦

Wireshark lists this as an "Encrypted Handshake" message because:

  1. It sees from the SSL record that it is a handshake message
  2. The communication is encrypted, as "ChangeCipherSpec" indicates that the negotiated session keys will from that point on be used to encrypt the communication.

When you tell Wireshark to do SSL decryption (by using the private key of the server), the message would have been decrypted and you would see that it is indeed one of the listed handshake messages.


answered 19 Mar '15, 02:59


SYN-bit ♦♦
accept rate: 20%

Thanks a lot!

(19 Mar '15, 03:15) Dianalab9

Handshake messages are encrypted after ChangeCipherSpec message with appropriate preceding parameters.

From RFC 5246 (TLS 1.2), section 7.4. Handshake protocol:

The TLS Handshake Protocol is one of the defined higher-level clients of the TLS Record Protocol. This protocol is used to negotiate the secure attributes of a session. Handshake messages are supplied to the TLS record layer, where they are encapsulated within one or more TLSPlaintext structures, which are processed and transmitted as specified by the current active session state.

The current state is described in section 6.1. Connection states:

The security parameters for the pending states can be set by the TLS Handshake Protocol, and the ChangeCipherSpec can selectively make either of the pending states current, in which case the appropriate current state is disposed of and replaced with the pending state; the pending state is then reinitialized to an empty state. It is illegal to make a state that has not been initialized with security parameters a current state. The initial current state always specifies that no encryption, compression, or MAC will be used.

In practice, you will see unencrypted Client Hello, Server Hello, Certificate, Server Key Exchange, Certificate Request, Certificate Verify and Client Key Exchange messages. The Finished handshake message is encrypted since it occurs after the Change Cipher Spec message.


answered 19 Mar '15, 06:26

Lekensteyn

accept rate: 30%

Thank you. The above helped, but we have one more question: we have a single frame whose SSL bytes begin with (hex) 16 03 03 00 40 01 .....

  • 16 - is content type HANDSHAKE
  • 03 03 - version
  • 00 40 - length
  • 01 - message type 'Client Hello'

For some reason Wireshark recognizes it as Encrypted Handshake Message. We assume Wireshark is right but we don't understand how it recognizes it as Encrypted Handshake Message instead of Client Hello.

Can you please explain?

(20 Jul '15, 02:27) Dianalab9

Does it really dissect said part as encrypted handshake message? ContentType 16 (=22, Handshake) and HandshakeType 1 (ClientHello) can actually be dissected. Got a packet capture that you can share?

(20 Jul '15, 03:41) Lekensteyn

[screenshot]

(21 Jul '15, 05:12) Dianalab9

I've published below partial screen shot; can you take a look?

(21 Jul '15, 05:13) Dianalab9

@Dianalab9 that screenshot is not helpful, it contains no additional information. Can you reproduce it with a recent Wireshark stable version, say, the 1.12.z series?

(22 Jul '15, 11:54) Lekensteyn
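
A minimal sketch of the state-based labelling described in the answers above, as an added example (it is not Wireshark's dissector code and not from the original posts). It assumes one direction of a TLS 1.2 stream with no handshake message split across records; all function names and the sample bytes are constructed for illustration.

```python
import struct

CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "Application Data"}
HANDSHAKE = {0: "HelloRequest", 1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
             15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}

def parse_handshake(fragment):
    """Name each plaintext handshake message (1-byte type, 3-byte length) in a fragment."""
    names, pos = [], 0
    while pos + 4 <= len(fragment):
        names.append(HANDSHAKE.get(fragment[pos], f"Unknown handshake type {fragment[pos]}"))
        pos += 4 + int.from_bytes(fragment[pos + 1:pos + 4], "big")
    return names

def label_records(stream):
    """Label every TLS record sent in ONE direction of a connection."""
    labels, offset, encrypted = [], 0, False
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        fragment = stream[offset + 5:offset + 5 + length]
        offset += 5 + length
        if len(fragment) < length:
            labels.append("Truncated record")
        elif encrypted:
            # Fragment is ciphertext: only the 5-byte record header is readable.
            labels.append("Encrypted Handshake Message" if ctype == 22
                          else "Encrypted " + CONTENT.get(ctype, f"record type {ctype}"))
        elif ctype == 20:
            encrypted = True  # pending cipher state becomes current for this sender
            labels.append("ChangeCipherSpec")
        elif ctype == 22:
            labels.extend(parse_handshake(fragment))
        else:
            labels.append(CONTENT.get(ctype, f"Unknown content type {ctype}"))
    return labels

# Constructed sample data (framing is real, message bodies are dummy bytes).
def record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

CIPHERTEXT = b"\x01" + bytes(range(63))  # 64 opaque bytes that happen to start with 0x01
CLIENT_STREAM = (record(22, handshake(1, bytes(34))) + record(22, handshake(16, bytes(4)))
                 + record(20, b"\x01") + record(22, CIPHERTEXT))

if __name__ == "__main__":
    print(label_records(CLIENT_STREAM))           # full flow: last record follows CCS
    print(label_records(record(22, CIPHERTEXT)))  # same bytes with no CCS seen first
```

The last record in the sample begins 16 03 03 00 40 01, the prefix quoted in the follow-up comment. Labelled by connection state it is an Encrypted Handshake Message, while the same bytes parsed as the first record of a stream read as a ClientHello.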

You are talking about HTTP over TLS, so you should look for SSL.

  • TLS 1.0 (0x0301)
  • TLS 1.1 (0x0302)
  • TLS 1.2 (0x0303)


answered 18 Mar '15, 07:41

Roland

accept rate: 13%

We've looked at this but it only has the following:

    case hello_request:       HelloRequest;
    case client_hello:        ClientHello;
    case server_hello:        ServerHello;
    case certificate:         Certificate;
    case server_key_exchange: ServerKeyExchange;
    case certificate_request: CertificateRequest;
    case server_hello_done:   ServerHelloDone;
    case certificate_verify:  CertificateVerify;
    case client_key_exchange: ClientKeyExchange;
    case finished:            Finished;

How do we recognize: "Handshake protocol: Encrypted Handshake message"

(18 Mar '15, 08:19) Dianalab9

What are you trying to achieve? Do you want to filter only for packets that contain "Encrypted Handshake message" or do you want to write some script/program and you want to know how to identify it?

(18 Mar '15, 12:29) Roland

question asked: 18 Mar '15, 06:33

question was seen: 12,421 times

last updated: 22 Jul '15, 11:54
