This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TLS1.2 Hello Requests


Hello, can somebody have a look and confirm that Wireshark is right in interpreting 4 zeroes as Hello Requests? Does anyone know what that is?
Regards, Matthias. The trace is available on Cloudshark: TLS1.2_HS.pcapng

asked 04 Apr '15, 10:12

mrEEde

edited 04 Apr '15, 22:48


One Answer:


Your capture is using an AEAD cipher suite. These have an explicit nonce in their TLSCipherText fragment data:

  struct {
     opaque nonce_explicit[SecurityParameters.record_iv_length];
     aead-ciphered struct {
         opaque content[TLSCompressed.length];
     };
  } GenericAEADCipher;

This explicit nonce for AES-GCM cipher suites may be a 64-bit counter, which is also the case in your capture. Wireshark's heuristic works as follows: if the record fragment for a Handshake message can be "decoded" (because the initial byte is a valid handshake message type), it will be dissected.

So what you are seeing is a bug that occurs when the records cannot be decrypted, and only occurs when using the AES-GCM AEAD cipher suites.

answered 04 Apr '15, 10:45

Lekensteyn

Thanks for the explanation.

(04 Apr '15, 22:44) mrEEde
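The following is an added example illustrating the answer above; it is not code from the original thread and not Wireshark's own dissector. It walks a TLS 1.2 record stream in Python, first with the type-byte heuristic the answer describes (which turns the 8-byte all-zero explicit nonce of the first AES-GCM record into two HelloRequest messages, since HelloRequest is type 0 with a 24-bit length of 0), then with a ChangeCipherSpec-aware walker that treats every post-CCS handshake fragment as a GenericAEADCipher and only splits off nonce_explicit. The sample stream, the handshake-type table and the 8-byte record_iv_length are assumptions chosen to match an AES-GCM suite whose nonce counter starts at 0; the bytes standing in for ciphertext and tag are constructed, not real GCM output.

```python
import struct

CHANGE_CIPHER_SPEC = 20
HANDSHAKE = 22
# SecurityParameters.record_iv_length for the AES-GCM suites (assumption: RFC 5288 value).
RECORD_IV_LENGTH = 8

# Handshake message types a dissector would accept as "valid" (TLS 1.2 values).
HANDSHAKE_TYPES = {
    0: "HelloRequest", 1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished",
}

# Constructed sample, not taken from the capture in the question: one direction of a
# server's stream, ending with its Finished message under an AES-GCM suite whose
# explicit nonce counter starts at 0. The 32 bytes after the nonce stand in for
# ciphertext || tag (a 16-byte Finished plus a 16-byte GCM tag); they are not real output.
SAMPLE_STREAM = (
    bytes.fromhex("160303" "0004" "0e000000")   # Handshake record: ServerHelloDone
    + bytes.fromhex("140303" "0001" "01")        # ChangeCipherSpec record
    + bytes.fromhex("160303" "0028")             # Handshake record header, 40-byte fragment
    + bytes(RECORD_IV_LENGTH)                    # nonce_explicit = counter value 0
    + bytes(range(0xA0, 0xC0))                   # constructed ciphertext || tag
)


def split_records(stream):
    """Split one direction of a TLS byte stream into (content_type, version, fragment)."""
    records, off = [], 0
    while off < len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        fragment = stream[off + 5: off + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated TLS record at offset %d" % off)
        records.append((ctype, version, fragment))
        off += 5 + length
    return records


def heuristic_handshake(fragment):
    """Type-byte heuristic: decode (type, uint24 length, body) messages for as long as the
    next byte is a known handshake type and the length fits; label any remainder as
    encrypted. Eight zero bytes therefore decode as two HelloRequest messages."""
    names, off = [], 0
    while off + 4 <= len(fragment) and fragment[off] in HANDSHAKE_TYPES:
        length = int.from_bytes(fragment[off + 1: off + 4], "big")
        if off + 4 + length > len(fragment):
            break
        names.append(HANDSHAKE_TYPES[fragment[off]])
        off += 4 + length
    if off < len(fragment):
        names.append("Encrypted Handshake Message")
    return names


def naive_walk(records):
    """Apply the heuristic to every handshake record, ignoring cipher state."""
    out = []
    for ctype, _version, fragment in records:
        if ctype == HANDSHAKE:
            out.extend(heuristic_handshake(fragment))
    return out


def state_aware_walk(records):
    """Track ChangeCipherSpec for this direction: before it, handshake fragments are
    plaintext and the heuristic is fine; after it, a handshake fragment is a
    GenericAEADCipher (nonce_explicit || aead-ciphered content) and is never parsed
    as messages. Each direction of a connection needs its own flag."""
    out, encrypted = [], False
    for ctype, _version, fragment in records:
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True
        elif ctype == HANDSHAKE and not encrypted:
            out.extend(heuristic_handshake(fragment))
        elif ctype == HANDSHAKE:
            nonce_explicit = fragment[:RECORD_IV_LENGTH]
            counter = int.from_bytes(nonce_explicit, "big")
            out.append("GenericAEADCipher(nonce_explicit=%d, %d bytes ciphertext+tag)"
                       % (counter, len(fragment) - RECORD_IV_LENGTH))
    return out


if __name__ == "__main__":
    recs = split_records(SAMPLE_STREAM)
    print("type-byte heuristic   :", naive_walk(recs))
    print("ChangeCipherSpec-aware:", state_aware_walk(recs))
```

The naive walk reports ServerHelloDone, HelloRequest, HelloRequest, Encrypted Handshake Message for the sample, which is exactly the misreading in the question; the state-aware walk reports ServerHelloDone followed by one GenericAEADCipher with nonce_explicit 0. Two caveats: the explicit nonce only happens to be a counter here (RFC 5288 permits but does not require that), so a different implementation may emit first bytes that look like some other handshake type, and a renegotiation or a second ChangeCipherSpec would need the flag reset per direction, which this walker does not model.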