This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

what is the reason behind a client sending Encrypted Alert & FIN Packets?

0

Hi,

We are facing application disconnection issue for an Oracle Application. It is a client software based application, not a web based. From the packet capture we observed that at the time of disconnection, client sends an "Encrypted Alert" packet following the FIN packet.

alt text

I would like to know at what scenario, a client sends an "Encrypted Alert" & FIN Packets. It doesn't seems abnormal as it happened 100 times during a session from 8:54AM to 11:23AM, but client got disconnected only one time, around 11:15AM with the below error.

alt text

Hope if someone can explain it in my basic knowledge level.

Thank You.

Regards, Shanavas Abdul Rahman

asked 18 Aug '15, 04:18

shanavaska's gravatar image

shanavaska
6112
accept rate: 0%


One Answer:

1

See the answer to this question.

Basically an "Encrypted Alert" is a TLS notification, in your case the notification is likely that the session is stopping.

See also Analysis of a TLS Session for a reasonable explanation of what's happening in a TLS session from start to end.

answered 18 Aug '15, 04:22

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 18 Aug '15, 04:26

Hi Graham,

Thank you for your response.

From the explanation I can understand that "Encrypted Alert" is a "Close Notify" message to initialize the closure of a SSL/TLS session. This will be sent by Server. But in our case, client is sending the "Encrypted Alert" and don't know the reason behind. Is it because of application designed to work in this way or due to some abnormal TCP behavior client is initiating SSL shutdown?

Appreciate your quick response.

Thank You.

(26 Aug '15, 01:30) shanavaska

From the error message it would appear that the application on the client had some sort of network issue, and subsequently closed the session.

You'll need to work with the application vendor to find out more.

(26 Aug '15, 02:43) grahamb ♦