This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Client Handshake is missing


I used WireShark 1.10.13, 1.12.4 and 1.99.5 -- none of them produce Client Hello handshake on UI, Server Hello is present. The only filter used is "ip.addr==?". What am I missing?

asked 14 Apr '15, 05:15

Tikker

What OS? Are all client generated packets missing?

(14 Apr '15, 05:21) grahamb ♦

Can you please upload a sample capture file somewhere (google drive, dropbox, cloudshark.org) and post the link here?

(14 Apr '15, 08:47) Kurt Knochner ♦

WireShark doesn't show me that any Client Hello Handshake is being done prior to Server Hello. I need to see the cipher list that is being sent over to server. OS is Windows 7, 64-bit. WireShark is also 64-bit.

(14 Apr '15, 09:05) Tikker

See my earlier question about all client packets.

Are you capturing on the server or the client?

(14 Apr '15, 09:07) grahamb ♦

I am capturing on client side. I use openssl s_client -connect servername:443 to generate SSL traffic. SSL traffic is valid, otherwise I would get an error with openssl.

(14 Apr '15, 10:31) Tikker

I've converted your "answers" to comments. Please read the FAQ for more details.

(14 Apr '15, 10:40) grahamb ♦

One Answer:


Likely that some AV or Endpoint Protection or VPN software on the client is preventing capture of the client originated packets.

Fairly frequent question here, see the answer by @Kurt Knochner to this question.

answered 14 Apr '15, 10:43

grahamb ♦

  • I have no AV installed nor any other endpoint protection
  • I disabled FireWall (Netsh advfirewall set allprofiles state off)
  • Uninstalled Cisco's VPN client
  • Reset TCP/IP (netsh int ip reset)
  • Rebooted

Wireshark is still not able to capture Client Handshake. Any other ideas? I am using Intel(R) 82579LM NIC. On Windows 2008 R2 I am able to see Client Handshake.

(16 Apr '15, 04:23) Tikker

As I mentioned earlier: Can you please upload a sample capture file somewhere (google drive, dropbox, cloudshark.org) and post the link here?

(16 Apr '15, 12:00) Kurt Knochner ♦

I don't think that a capture file will help you, because the Client Handshake is simply missing.

Capture file generated on Windows 2008 R2 and opened on Windows 7 is fine and the Client Handshake record is present.

So, the question is the Windows 7 and some kind of protection "hiding" the Client Handshake.

(16 Apr '15, 23:41) Tikker

You still haven't confirmed if only the Client Handshake is missing from the capture, or all client generated packets.

(17 Apr '15, 02:03) grahamb ♦

Because the Client Handshake is simply missing.

Do you see the SYN and SYN-ACK?

(17 Apr '15, 02:05) Kurt Knochner ♦

So, no client packets at all.

Every time this has come up before, it's been some other software installation interfering with capture of the locally generated packets.

You'll have to recheck what's been installed on the machine.

(17 Apr '15, 05:17) grahamb ♦

TCP Offloading?

(17 Apr '15, 05:31) Kurt Knochner ♦

I am pretty conservative about what is being installed. Don't see "TCP Offload" setting on NIC either -- only Protocol ARP/NS Offload and these are disabled.

(17 Apr '15, 07:24) Tikker
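Added example, not from the thread: a small offline check that answers the question grahamb and Kurt Knochner keep asking (is only the Client Hello missing, or every client-generated packet, starting with the SYN?). It runs over constructed IPv4/TCP frames rather than a pcap file; the addresses, ports and TLS record bytes are constructed sample values, with BROKEN modelling the Windows 7 capture described above and HEALTHY a complete trace.

```python
import struct
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"           # constructed sample addresses
SYN, SYN_ACK, PSH_ACK = 0x02, 0x12, 0x18                 # TCP flag bytes
# Constructed minimal TLS handshake records; byte 5 is the handshake message type
CLIENT_HELLO = b"\x16\x03\x01\x00\x04\x01\x00\x00\x00"   # type 1 = ClientHello
SERVER_HELLO = b"\x16\x03\x03\x00\x04\x02\x00\x00\x00"   # type 2 = ServerHello

def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Build a bare IPv4+TCP packet (checksums left zero; enough for offline parsing)."""
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 40 + len(payload), 0, 0, 64, 6, 0)
    ip += bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload

def parse_frame(pkt):
    """Return (src, dst, tcp_flags, tcp_payload), or None if not IPv4 carrying TCP."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    return src, dst, tcp[13], tcp[(tcp[12] >> 4) * 4:]

def tls_handshake_type(payload):
    """Handshake type if the TCP payload starts a TLS handshake record (0x16), else None."""
    return payload[5] if len(payload) >= 6 and payload[0] == 0x16 else None

def diagnose(frames, client_ip):
    """Report which halves of the TCP and TLS handshakes a capture actually contains."""
    seen = dict(client_syn=False, client_hello=False, server_synack=False, server_hello=False)
    for src, dst, flags, payload in filter(None, map(parse_frame, frames)):
        hs = tls_handshake_type(payload)
        if src == client_ip:                                 # client-originated packets
            seen["client_syn"] |= (flags & 0x12) == 0x02     # SYN set, ACK clear
            seen["client_hello"] |= hs == 1
        elif dst == client_ip:                               # server-originated packets
            seen["server_synack"] |= (flags & 0x12) == 0x12
            seen["server_hello"] |= hs == 2
    client_side = seen["client_syn"] or seen["client_hello"]
    server_side = seen["server_synack"] or seen["server_hello"]
    if server_side and not client_side:
        return "one-directional: no client packets at all", seen
    if client_side and not seen["client_hello"]:
        return "client TCP present but Client Hello missing", seen
    return ("both directions present" if client_side else "no handshake traffic"), seen

# Constructed captures: what the Windows 7 host in the thread shows vs a healthy trace
BROKEN = [build_frame(SERVER, CLIENT, 443, 54321, SYN_ACK),
          build_frame(SERVER, CLIENT, 443, 54321, PSH_ACK, SERVER_HELLO)]
HEALTHY = [build_frame(CLIENT, SERVER, 54321, 443, SYN), BROKEN[0],
           build_frame(CLIENT, SERVER, 54321, 443, PSH_ACK, CLIENT_HELLO), BROKEN[1]]
```

A "one-directional" verdict means the SYN is gone too, so the problem is at the capture driver or in software hooked into the local stack, not in the TLS client.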