This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ssl continuation data?

1

hello,

can someone please help me understand what 'continuation data' in 'Info' column means? protocol was SSL.

thank you

asked 14 Jun '17, 17:22

rapidusync's gravatar image

rapidusync
5114
accept rate: 0%


One Answer:

0

Frames are marked as "Continuation Data" when the contents are not fully understood. It happens when TLS records are split over multiple TCP segments and one of these cases happen:

  • Capture begins in the middle of an existing SSL/TLS connection, not capturing the begin of a record.
  • Out-of-order packets where the begin and end of a record are swapped (Bug 9461).
  • TCP reassembly is disabled (so while the begin of a record is partially dissected, the second half will not be recognized).

Finally, it could be truly the case that the protocol under analysis is not really TLS. For example, some users could try to bypass firewalls by running their VPN software over port 443 which is registered for HTTPS.

answered 15 Jun '17, 08:35

Lekensteyn's gravatar image

Lekensteyn
2.2k3724
accept rate: 30%