I have a capture that was done using NetMon.
Some of the streams seem disjointed; there are FIN, SYN, RST, PSH ECN flags set.
Also what is weird is that the sequence numbers have commas in them, like 1082,0
No idea what to do with this.
asked 16 Oct '17, 14:27
OK, the SSL/TLS dissector somehow thinks that what's being carried over TLS is raw TCP, so, as interpreted by Wireshark, there are (as I suspected) two TCP headers in the packet, and there are therefore
This may just be a bug in Wireshark. Please file a bug in the Wireshark Bugzilla, and attach the raw capture file (not a screenshot, but the raw capture file) to the bug. In order to determine the cause of the bug, and to test the fix, we need the raw capture file, so that we can see how Wireshark dissects it, and make sure it dissects it correctly once we've made a fix.
answered 17 Oct '17, 11:35
Guy Harris ♦♦
edited 17 Oct '17, 11:36