I analyzed a file today regarding an SSL session (or at least an attempt thereof). The fourth packet in line should be a Client Hello packet with all the necessary SSL data underneath. But it wasn't. It only showed a PSH,ACK type of packet.
When comparing this to a similar file (in which the SSL sessions successfully initiated) I did see the Client Hello packet. Although the size of the two packets was exactly the same, one showed as a Client Hello packet, the other as a regular TCP packet. Even when specifically specifying the packet as being part of the SSL protocol (right click > decode as), it refused to show me more info in the details pane.
I only got the issue resolved by isolating this one packet in a separate file and then opening it again. Only then was it shown as an SSL packet and could I see the details.
I added a screenshot to avoid heavy scrubbing. Can anyone give me an explanation as to why Wireshark shows this behavior? It must have something to do with the fact the SSL handshake failed.
asked 15 Feb '16, 08:23
answered 17 Feb '16, 08:36