
TLS1.2 Hello Requests


Hello, can somebody have a look and confirm that Wireshark is right in interpreting 4 zeroes as Hello Requests? Does anyone know what that is?
Regards, Matthias

Trace is available on Cloudshark: TLS1.2_HS.pcapng

asked 04 Apr '15, 10:12

mrEEde

edited 04 Apr '15, 22:48

One Answer:


Your capture is using an AEAD cipher suite. These have an explicit nonce in their TLSCipherText fragment data:

  struct {
     opaque nonce_explicit[SecurityParameters.record_iv_length];
     aead-ciphered struct {
         opaque content[TLSCompressed.length];
     };
  } GenericAEADCipher;

This explicit nonce for AES-GCM cipher suites may be a 64-bit counter, which is also the case in your capture. The heuristics of Wireshark work as follows: if the record fragment for a Handshake message can be "decoded" (because the initial byte is a valid handshake message type), it will be dissected.

So what you are seeing is a bug that occurs when the records cannot be decrypted, and only occurs when using the AES-GCM AEAD cipher suites.

answered 04 Apr '15, 10:45

Lekensteyn

Thanks for the explanation.

(04 Apr '15, 22:44) mrEEde
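The mis-dissection described in the answer can be reproduced with a small record parser. This is an added example, not Wireshark's code and not part of the original thread: it applies the "first byte is a valid handshake type" heuristic to an AES-GCM record whose `nonce_explicit` is the counter value 0, and compares it with a parser that stops decoding handshake records once ChangeCipherSpec has been seen. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Handshake message types from RFC 5246 (0 = hello_request).
HS_TYPES = {0: "HelloRequest", 1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
            15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}

def records(stream):
    """Yield (content_type, fragment) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        yield ctype, stream[off + 5: off + 5 + length]
        off += 5 + length

def naive_handshake(fragment):
    """Heuristic from the answer: decode as long as the first byte is a valid type."""
    out, off = [], 0
    while off + 4 <= len(fragment) and fragment[off] in HS_TYPES:
        body_len = int.from_bytes(fragment[off + 1: off + 4], "big")
        if off + 4 + body_len > len(fragment):
            break
        out.append(HS_TYPES[fragment[off]])
        off += 4 + body_len
    return out or ["Encrypted Handshake Message"]

def dissect(stream, track_ccs):
    """Label handshake records; with track_ccs nothing after ChangeCipherSpec is decoded."""
    encrypted, labels = False, []
    for ctype, frag in records(stream):
        if ctype == 20:    # change_cipher_spec: later records in this direction are protected
            encrypted = True
        elif ctype == 22:  # handshake
            if track_ccs and encrypted:
                labels.append(["Encrypted Handshake Message"])
            else:
                labels.append(naive_handshake(frag))
    return labels

def record(ctype, fragment):
    """Build a TLS 1.2 record (version 0x0303) around a fragment."""
    return struct.pack("!BHH", ctype, 0x0303, len(fragment)) + fragment

# Constructed sample: ChangeCipherSpec, then a protected Finished record whose 8-byte
# nonce_explicit is the counter value 0, followed by 32 made-up ciphertext + tag bytes.
SAMPLE = record(20, b"\x01") + record(22, bytes(8) + bytes(range(0xA0, 0xC0)))
```

The eight zero bytes of the nonce parse as two empty `HelloRequest` messages (type 0, length 0) under the heuristic, which matches the four-zero-byte "Hello Requests" in the question.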