This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How does wireshark determine SSL protocol?

0

I'm looking at a capture taken from production, and following through a particular tcp.stream. Excluding the ack packets, most are listed as SSL, but a few are listed as TLSv1. What is Wireshark looking at when it makes this distinction?

Additional information: to keep the file from getting out of hand, I'm recording the packets with a snaplen == 68.

The actual traffic in this case is coming from IE9 to our web server. The web server logs report all of the requests as TLSv1.

One particularly interesting example corresponds to a file upload - the http request body has a lot of bytes. In Wireshark, I see

SSL    715
SSL   1434
TLSv1 1434
TLSv1 1434
TLSv1 ...
TLSv1 1434
TLSv1 1247
SSL   1115

The reply by the server is marked SSL.

asked 27 Sep '11, 08:09


DanilSuits
6325
accept rate: 0%


One Answer:

1

This comment in the dissector code may shine some light on the subject:

    /* Initialize the protocol column; we'll set it later when we
     * figure out what flavor of SSL it is (assuming we don't
     * throw an exception before we get the chance to do so). */

So once it has a look at the record layer version, it decides what to put in, i.s.o. "SSL".

answered 27 Sep '11, 13:57


Jaap ♦
11.7k16101
accept rate: 14%
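As an added illustration (not code from this page, from Jaap's answer, or from the Wireshark dissector): a minimal Python model of the record-header check the answer refers to, run over a constructed TLS 1.0 application-data record split into 1434-byte segments and captured with snaplen 68. The version-to-label table, the 54-byte and 66-byte Ethernet/IP/TCP header sizes, and the fallback to the generic "SSL" label are assumptions of this model; Wireshark's real dissector also reassembles records across segments, which this does not attempt.

```python
import struct

# Record-layer version -> label. Version numbers are the standard SSL/TLS ones;
# only "TLSv1" and the generic "SSL" appear in the question, the rest are assumed.
VERSION_LABELS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
CONTENT_TYPES = {20, 21, 22, 23}  # ChangeCipherSpec, Alert, Handshake, ApplicationData
RECORD_HEADER_LEN = 5             # type(1) + version(2) + length(2)


def classify(payload: bytes) -> str:
    """Label the start of one TCP segment's payload the way the protocol column would.
    Falls back to the generic "SSL" when no complete, plausible record header is visible:
    either the capture was truncated, or the segment starts mid-record (continuation data)."""
    if len(payload) < RECORD_HEADER_LEN:
        return "SSL"
    ctype, major, minor, _length = struct.unpack("!BBBH", payload[:RECORD_HEADER_LEN])
    if ctype not in CONTENT_TYPES or (major, minor) not in VERSION_LABELS:
        return "SSL"
    return VERSION_LABELS[(major, minor)]


def captured_payload(payload: bytes, header_len: int, snaplen: int) -> bytes:
    """Model a snaplen-limited capture: only snaplen - header_len payload bytes survive."""
    return payload[:max(0, snaplen - header_len)]


def build_record(ctype: int, version: tuple, body: bytes) -> bytes:
    """Build one SSL/TLS record: 5-byte header followed by the body."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


# Constructed sample: one TLS 1.0 application-data record of 3000 bytes, as an upload
# would produce, carried in 1434-byte TCP segments (the segment size in the question).
RECORD = build_record(23, (3, 1), b"A" * 3000)
SEGMENTS = [RECORD[i:i + 1434] for i in range(0, len(RECORD), 1434)]


def labels_for(segments, snaplen=68, header_len=54):
    """Per-segment labels. header_len=54 is Ethernet(14)+IPv4(20)+TCP(20) without
    options; 66 models TCP timestamps eating 12 more bytes of the 68-byte snaplen."""
    return [classify(captured_payload(seg, header_len, snaplen)) for seg in segments]


if __name__ == "__main__":
    # Only the segment that begins a record carries a version to read.
    print(labels_for(SEGMENTS))                 # ['TLSv1', 'SSL', 'SSL']
    # With TCP options, 2 payload bytes remain: the header never fits, all fall back to SSL.
    print(labels_for(SEGMENTS, header_len=66))  # ['SSL', 'SSL', 'SSL']
```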