This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Blank screen - diagnose URL connection issue with wireshark


Hi guys

I am trying to diagnose a URL connection issue using Wireshark.

We are not blocking planespotters.net on our firewalls / Websense at all, and we have a route for the URL on the firewalls too, but when we go to the URL the page remains blank.

I have run a packet capture for this, and I am seeing the application data being sent, followed by all the ACKs, FIN/ACKs, and all the usual guys that need to be there for the connection to go through.

I have also seen only one line stating:

8919 200.864163 10.55.16.232 104.25.211.5 TLSv1.2 85 Encrypted Alert

Not sure what that is or if it could be affecting the connection or not.

But I guess what I am trying to ask is: what specifically should I be looking for in order to see successful connections? Or the lack thereof, which would indicate an unsuccessful connection to the URL?

Any and all help would be much appreciated, thank you

Regards,

Ad

asked 20 Oct '16, 03:28


UnConNecTed


One Answer:


But I guess what I am trying to ask is: what specifically should I be looking for in order to see successful connections?

Well, that is a very broad question which could be answered by a book on troubleshooting. In your case, where an SSL session towards a website (over a Websense proxy) is involved, one would see the following in a trace made on the client:

  1. Successful 3-way-handshake to the proxy
  2. Successful SSL handshake to the proxy
  3. Application data (in SSL) towards the proxy
  4. Application data (in SSL) from the proxy back to the client
  5. repeat 3+4 for more objects that are retrieved from the website through the proxy
  6. Encrypted alert from either the proxy or the client to close down the SSL session
  7. Encrypted alert from the other side
  8. FIN/ACK from both sides to close the TCP session
  9. Acknowledgement of both FIN's (where one FIN could be the ACK of the other FIN)

Of course this is just a general idea; analyzing why something is not working would involve looking at the packets. Also, being able to receive data from the proxy does not mean it was the correct data, or that it was data the web browser could create a web page from.

Or the lack thereof, which would indicate an unsuccessful connection to the URL?

Again, this is too broad to answer. But missing parts of the above list might indicate an issue.

answered 20 Oct '16, 04:11


SYN-bit
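As an added illustration of the checklist in the answer above (example code written for this archive page, not part of the original question or answer): the script below takes packet-list rows in the column layout the poster pasted (No., Time, Source, Destination, Protocol, Length, Info), groups them into conversations by address pair, and reports which items of the list never showed up. The embedded rows are constructed, not a real capture; the proxy address 10.55.1.10, the ports and the timings are made up, and only the 10.55.16.232 / 104.25.211.5 pair is taken from the question. It goes slightly beyond the answer by also recognising a plaintext TLS alert sent during the handshake, which is how a refused handshake looks before encryption starts.

```python
"""Check Wireshark packet-list rows for the parts of a healthy TLS-over-TCP
conversation: 3-way handshake, TLS handshake, Application Data in both
directions, alert(s), and FIN from both sides.  Added example, not from the
original Q&A; all sample rows below are constructed."""
import re
from collections import defaultdict

# Constructed rows in Wireshark's default packet-list columns:
# No. Time Source Destination Protocol Length Info
# Conversation 1 (healthy): client -> planespotters.net's edge, as in the post.
# Conversation 2 (broken): client -> hypothetical proxy 10.55.1.10 on 8080,
# where the handshake is refused with a plaintext fatal alert.
SAMPLE = """\
1 0.000000 10.55.16.232 104.25.211.5 TCP 66 51000 → 443 [SYN] Seq=0
2 0.020000 104.25.211.5 10.55.16.232 TCP 66 443 → 51000 [SYN, ACK] Seq=0 Ack=1
3 0.020100 10.55.16.232 104.25.211.5 TCP 54 51000 → 443 [ACK] Seq=1 Ack=1
4 0.021000 10.55.16.232 104.25.211.5 TLSv1.2 571 Client Hello
5 0.045000 104.25.211.5 10.55.16.232 TLSv1.2 1514 Server Hello, Certificate, Server Key Exchange, Server Hello Done
6 0.047000 10.55.16.232 104.25.211.5 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
7 0.070000 104.25.211.5 10.55.16.232 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
8 0.071000 10.55.16.232 104.25.211.5 TLSv1.2 500 Application Data
9 0.095000 104.25.211.5 10.55.16.232 TLSv1.2 1200 Application Data
10 0.096000 10.55.16.232 104.25.211.5 TLSv1.2 85 Encrypted Alert
11 0.097000 10.55.16.232 104.25.211.5 TCP 54 51000 → 443 [FIN, ACK] Seq=1000 Ack=2000
12 0.120000 104.25.211.5 10.55.16.232 TLSv1.2 85 Encrypted Alert
13 0.121000 104.25.211.5 10.55.16.232 TCP 54 443 → 51000 [FIN, ACK] Seq=2031 Ack=1001
14 0.121100 10.55.16.232 104.25.211.5 TCP 54 51000 → 443 [ACK] Seq=1001 Ack=2032
20 1.000000 10.55.16.232 10.55.1.10 TCP 66 51002 → 8080 [SYN] Seq=0
21 1.001000 10.55.1.10 10.55.16.232 TCP 66 8080 → 51002 [SYN, ACK] Seq=0 Ack=1
22 1.001100 10.55.16.232 10.55.1.10 TCP 54 51002 → 8080 [ACK] Seq=1 Ack=1
23 1.002000 10.55.16.232 10.55.1.10 TLSv1.2 571 Client Hello
24 1.010000 10.55.1.10 10.55.16.232 TLSv1.2 61 Alert (Level: Fatal, Description: Handshake Failure)
25 1.011000 10.55.1.10 10.55.16.232 TCP 54 8080 → 51002 [FIN, ACK] Seq=8 Ack=518
26 1.011100 10.55.16.232 10.55.1.10 TCP 54 51002 → 8080 [FIN, ACK] Seq=518 Ack=9
27 1.012000 10.55.1.10 10.55.16.232 TCP 54 8080 → 51002 [ACK] Seq=9 Ack=519
"""


def parse_rows(text):
    """Split each packet-list row into its seven columns (Info keeps its spaces)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        no, t, src, dst, proto, length, info = line.split(None, 6)
        rows.append({"no": int(no), "time": float(t), "src": src, "dst": dst,
                     "proto": proto, "len": int(length), "info": info})
    return rows


def _tcp_flags(info):
    """Extract the flag set from a TCP Info column such as '... [FIN, ACK] ...'."""
    m = re.search(r"\[([A-Z, ]+)\]", info)
    return {f.strip() for f in m.group(1).split(",")} if m else set()


def _is_tls(r):
    return r["proto"].startswith(("TLS", "SSL"))


# The answer's checklist as (label, predicate).  Each predicate gets the row,
# whether it travels client->server, and the TCP flag set (empty for non-TCP).
# Ordering and sequence/ack consistency are not checked here; in Wireshark
# the tcp.analysis flags cover that.
STEPS = [
    ("TCP SYN from client",          lambda r, c2s, f: r["proto"] == "TCP" and c2s and f == {"SYN"}),
    ("TCP SYN/ACK from server",      lambda r, c2s, f: r["proto"] == "TCP" and not c2s and {"SYN", "ACK"} <= f),
    ("TCP ACK completing handshake", lambda r, c2s, f: r["proto"] == "TCP" and c2s and f == {"ACK"}),
    ("Client Hello",                 lambda r, c2s, f: _is_tls(r) and c2s and "Client Hello" in r["info"]),
    ("Server Hello",                 lambda r, c2s, f: _is_tls(r) and not c2s and "Server Hello" in r["info"]),
    ("Application Data to server",   lambda r, c2s, f: _is_tls(r) and c2s and "Application Data" in r["info"]),
    ("Application Data to client",   lambda r, c2s, f: _is_tls(r) and not c2s and "Application Data" in r["info"]),
    # "Alert" matches both "Encrypted Alert" and a plaintext "Alert (Level: ...)".
    ("TLS alert from client",        lambda r, c2s, f: _is_tls(r) and c2s and "Alert" in r["info"]),
    ("TLS alert from server",        lambda r, c2s, f: _is_tls(r) and not c2s and "Alert" in r["info"]),
    ("FIN from client",              lambda r, c2s, f: r["proto"] == "TCP" and c2s and "FIN" in f),
    ("FIN from server",              lambda r, c2s, f: r["proto"] == "TCP" and not c2s and "FIN" in f),
]


def group_conversations(rows):
    """Group rows by unordered address pair.  Good enough for this sample; on a
    real capture use Wireshark's tcp.stream so that ports are taken into account."""
    convs = defaultdict(list)
    for r in rows:
        convs[frozenset((r["src"], r["dst"]))].append(r)
    return list(convs.values())


def analyse_conversation(rows):
    """Return (client, server, {label: seen}) for one conversation.  The client
    is whoever sent the bare SYN."""
    client = server = None
    for r in rows:
        if r["proto"] == "TCP" and _tcp_flags(r["info"]) == {"SYN"}:
            client, server = r["src"], r["dst"]
            break
    if client is None:
        raise ValueError("no SYN seen; the capture may have started mid-connection")
    seen = {label: False for label, _ in STEPS}
    for r in rows:
        c2s = r["src"] == client
        flags = _tcp_flags(r["info"]) if r["proto"] == "TCP" else set()
        for label, pred in STEPS:
            if pred(r, c2s, flags):
                seen[label] = True
    return client, server, seen


def report(export_text):
    """Map 'client -> server' to the list of checklist items that never appeared."""
    result = {}
    for conv in group_conversations(parse_rows(export_text)):
        client, server, seen = analyse_conversation(conv)
        result[f"{client} -> {server}"] = [label for label, ok in seen.items() if not ok]
    return result


if __name__ == "__main__":
    for conv, missing in report(SAMPLE).items():
        print(conv, "->", "complete" if not missing else f"missing: {', '.join(missing)}")
```

Run stand-alone, the first conversation comes back complete and the second is reported as missing the Server Hello, both directions of Application Data and the client's alert, which is the "lack thereof" pattern the answer refers to. One caveat on the "Encrypted Alert" line in the question: once Change Cipher Spec has been sent, alert records are encrypted like everything else, so Wireshark can only tell that an alert was sent; whether it is the routine close_notify at the end of a session or a fatal error cannot be read from the capture without the session keys. In Wireshark itself you would select a single connection with `tcp.stream eq N` and look at the alert packets with `tls.alert_message` (`ssl.alert_message` in versions before 3.0).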