This is our old Q&A Site. Please post any new questions and answers at

Hello, can somebody have a look and confirm that wireshark is right in interpreting 4 zeroes as Hello Requests. Anyone knows what that is?
Regards Matthias alt text Trace is available on Cloudshark TLS1.2_HS.pcapng

asked 04 Apr '15, 10:12

mrEEde's gravatar image

accept rate: 20%

edited 04 Apr '15, 22:48

Your capture is using an AEAD cipher suite. These have an explicit nonce in their TLSCipherText fragment data:

  struct {
     opaque nonce_explicit[SecurityParameters.record_iv_length];
     aead-ciphered struct {
         opaque content[TLSCompressed.length];
  } GenericAEADCipher;

This explicit nonce for AES-GCM cipher suites may be a 64-bit counter which is also the case in your capture. The heuristics of Wireshark works as follows: if the record fragment for a Handshake message can be "decoded" (because the initial byte is a valid handshake message type), it will be dissected.

So what you are seeing is a bug that occurs when the records cannot be decrypted, and only occurs when using the AES-GCM AEAD cipher suites.

permanent link

answered 04 Apr '15, 10:45

Lekensteyn's gravatar image

accept rate: 30%

Thanks for the explanation.

(04 Apr '15, 22:44) mrEEde
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 04 Apr '15, 10:12

question was seen: 6,487 times

last updated: 04 Apr '15, 22:48

p​o​w​e​r​e​d by O​S​Q​A