This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I was trying to retrieve some details on a TLS 1.2 handshake, in detail on the SERVER_HELLO.

However it looks like the server sends the SERVER_HELLO message split into three TCP packets:

  • SERVER_HELLO packate (size 1434, no certificates)
  • [TCP segment of reassembled PDU] (size 1434)
  • [TCP segment of reassembled PDU] (size 1390)

It looks like this confuses Wireshark that much so that it is only able to apply the TLS SERVER_HELLO dissector on the first packet. Therefore the data of packet 2 and 3 is inaccessible and only displayed as binary/hex data without the possibility to apply a dissector.

As TCP is a stream oriented protocol, it should not make any difference how many packets are received - how to make Wireshark work this was and see the complete SERVER-HELLO packet?

asked 04 Nov '16, 03:31

Wire-Rob's gravatar image

Wire-Rob
1113
accept rate: 0%

Can you share a capture in a publicly accessible spot, e.g. CloudShark?

Attempting to diagnose an issue from your interpretation of it is somewhat difficult.

(04 Nov '16, 03:35) grahamb ♦

@grahamb: How to change the IP addresses in the capture?

(04 Nov '16, 08:00) Wire-Rob

Use an anonymiser such as TraceWrangler.

(04 Nov '16, 08:36) grahamb ♦
1

Are you using a recent Wireshark version? Could it be related to this bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3303

(04 Nov '16, 16:47) Lekensteyn

@Lekensteyn: Yes that sounds exactly like the problem I have. The Wireshark version I use is always the most current.

(05 Nov '16, 04:54) Wire-Rob

I think you'll need to look at your preference settings. Have a look at Sake's SSL presentation given at SharkFest'16 Europe, especially slide 27.

permanent link

answered 04 Nov '16, 05:57

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

edited 04 Nov '16, 11:07

sindy's gravatar image

sindy
6.0k4851

I already have all five options as shown in the presentation: ip.defragment: TRUE tcp.check_checksum: FALSE tcp.desegment_tcp_streams: TRUE ssl.desegment_ssl_records: TRUE ssl.desegment_ssl_application_data: TRUE

(04 Nov '16, 07:57) Wire-Rob
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×752
×637
×75
×30

question asked: 04 Nov '16, 03:31

question was seen: 1,506 times

last updated: 05 Nov '16, 04:54

p​o​w​e​r​e​d by O​S​Q​A