This is a static archive of our old Q&A Site. Please post any new questions and answers at

DTLS decipher “Application Data” becomes “Continuation Data”



I am using Wireshark 2.0.0 to debug an embedded system that uses DTLS to offload sensitive data with a custom protocol to a PC over WiFi/UDP. Openssl 1.0.2 is in use on both ends and the cipher suite is RSA-AES128-SHA. It took me several hours today to figure out that having the client send its certificate to the server (as well as the usual server-to-client exchange) was confusing the decrypting dissector, which seems only capable of sniffing out the master key if the server behaves like a regular TLS-enabled web server or something. problem...I turned the client certificate presentation off and now I can see my packets beautifully decompressed and deciphered IN THE DTLS DISSECTOR'S DEBUG LOG.

BUT, of course, I'd like to see cleartext of each packet with each packet in the GUI. I notice that before I started trying to decrypt DTLS, my post-handshake packets were all labeled "Application Data" -- now, with the decryption in place, they are all labeled "Continuation Data." Looking at the dissector source, it appears that's what it does when it can't classify a DTLS packet (?). This makes sense as the DTLS section for a packet in the GUI now only shows the topmost level DTLS information (packet type number, length, sequence number). Whereas before it would show the "encrypted data" as well.

So my question is, how do I get the packet cleartext and stats into the GUI, or, failing that, at least correlate the info now in the debug log with the packet trace? Is there some magic I can do with "Decode as..." to force this? Is my setup borked? Or is the dissector currently incapable of handling app data payloads that are custom and weird to it?


asked 16 Dec '15, 22:38

PatchyFog's gravatar image

accept rate: 0%