I was trying to retrieve some details on a TLS 1.2 handshake, specifically on the SERVER_HELLO. However, it looks like the server sends the SERVER_HELLO message split into three TCP packets:
It looks like this confuses Wireshark so much that it is only able to apply the TLS SERVER_HELLO dissector to the first packet. Therefore the data of packets 2 and 3 is inaccessible and only displayed as binary/hex data, without the possibility to apply a dissector. As TCP is a stream-oriented protocol, it should not make any difference how many packets are received. How can I make Wireshark work this way and see the complete SERVER_HELLO message?
asked 04 Nov '16, 03:31 Wire-Rob
One Answer:
I think you'll need to look at your preference settings. Have a look at Sake's SSL presentation given at SharkFest'16 Europe, especially slide 27.
answered 04 Nov '16, 05:57 Jaap ♦ edited 04 Nov '16, 11:07 sindy
I already have all five options as shown in the presentation: (04 Nov '16, 07:57) Wire-Rob
Can you share a capture in a publicly accessible spot, e.g. CloudShark?
Attempting to diagnose an issue from your interpretation of it is somewhat difficult.
@grahamb: How can I change the IP addresses in the capture?
Use an anonymiser such as TraceWrangler.
Are you using a recent Wireshark version? Could it be related to this bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3303
@Lekensteyn: Yes that sounds exactly like the problem I have. The Wireshark version I use is always the most current.
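As an added illustration (not code from this thread or from Wireshark), this shows the TCP stream reassembly a dissector needs before it can decode a ServerHello: a constructed TLS 1.2 record is split across three segment payloads, and nothing can be dissected until the third segment completes the record. The random and cipher suite bytes are placeholders, not values from a real capture.

```python
import struct

TLS_HANDSHAKE = 0x16          # TLS record content type: handshake
HS_SERVER_HELLO = 0x02        # handshake message type: ServerHello
RECORD_HDR = 5                # type(1) + version(2) + length(2)


def build_server_hello_record():
    """Constructed TLS 1.2 record carrying a minimal ServerHello (not from a real capture)."""
    body = (b"\x03\x03"        # server_version = TLS 1.2
            + bytes(32)        # server random (constructed zeros)
            + b"\x00"          # session_id length = 0
            + b"\x00\x00"      # cipher suite (constructed placeholder)
            + b"\x00")         # compression_method = null
    hs_msg = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs_msg)) + hs_msg


class TlsRecordReassembler:
    """Buffers TCP segment payloads until a whole TLS record is available."""

    def __init__(self):
        self.buf = b""

    def feed(self, segment):
        """Append one TCP payload; return the complete (type, version, fragment) records now available."""
        self.buf += segment
        records = []
        while len(self.buf) >= RECORD_HDR:
            ctype, version, length = struct.unpack("!BHH", self.buf[:RECORD_HDR])
            if len(self.buf) < RECORD_HDR + length:
                break  # record continues in a later segment: do not dissect yet
            records.append((ctype, version, self.buf[RECORD_HDR:RECORD_HDR + length]))
            self.buf = self.buf[RECORD_HDR + length:]
        return records


def parse_handshake_header(fragment):
    """Return (msg_type, body_length) from a reassembled handshake record fragment."""
    return fragment[0], int.from_bytes(fragment[1:4], "big")


def dissect_stream(segments):
    """Feed segments in order; return per-segment record counts and the handshake headers found."""
    reasm, counts, messages = TlsRecordReassembler(), [], []
    for seg in segments:
        recs = reasm.feed(seg)
        counts.append(len(recs))
        messages += [parse_handshake_header(f) for t, _, f in recs if t == TLS_HANDSHAKE]
    return counts, messages


if __name__ == "__main__":
    rec = build_server_hello_record()
    # Split like the capture in the question: record start, middle, tail.
    print(dissect_stream([rec[:10], rec[10:30], rec[30:]]))  # ([0, 0, 1], [(2, 38)])
```

Looking at a single segment in isolation (as Wireshark does when reassembly is disabled) gives no record at all for the first two segments, which is why only the first packet shows a partial dissection and the rest appears as raw bytes.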