TCP protocol instead of SSL/TLS in Wireshark
I am trying to use the .NET implementation of SslStream following this tutorial. I did everything as in this article, but I have a question. I downloaded RawCap and captured packets from the localhost; after that I opened the dump file (.pcap) using Wireshark, but instead of an SSL or TLS type of protocol I saw just TCP: [screenshot omitted] Here is part of the TCP stream:

....l...h..T...........Y.2..1...t.4....8.J...../.5... ....... .2.8.......'..............SslServer. ......................M..T...M.<.......e.E...M.%c...Kg.. .....iKku.^q(C.$..;..Mx......g&./..................0...0.............L.^..F.)...{.0...+......0.1 0...U....MyCA0.. 150228143257Z. 391231235959Z0.1.0...U....SslServer0.."0 ..*.H.. ..........0.. ......p9.cq...F.^....Bm...S... .....Bg.B.<]..f[...<...q'..Tc......R...Z.C.D.D...N...1..0.v..l.<...d[=C.7.8.+^..j(...X.........D'.!*5.^.^Ef..=.6y@.=..)|...Sp..Sv.|h.-..UT..&bG.......J{.7k.X...........:.[o....o.,r.......0..Wi.s.[email protected].....@.. ...f...0.1 0...U....MyCA..(J..j+..K......0...+...........h..X.+.M..{...n.....@.'[email protected],>.9.DE.R.V4t._bGY.,v.>G......J [email protected],%[S._..u...$....!V.r....~...'.~..T*[.#[.?.B{..Z..m.p.9.7.U.u.}.e..c..H^n.:...-AJxs.. ...:... ..u.....YB....2n...y.g=...(.Fv...B.Is..GK.....;.F..Ln.....L...ao [email protected]. ..AddTrust AB1&0$..U....AddTrust External TTP Network1"0 ..U....AddTrust External CA Root..0..1.0...U....US1.0...U. . GeoTrust Inc.1907..U...0(c) 2008 GeoTrust Inc. - For authorized use only1604..U...-GeoTrust Primary Certification Authority - G3.g0e1.0...U....US1.0...U.

Is this correct SSL/TLS stream? And why Wireshark marked it like TCP?


UPD: [screenshot omitted]

Contestant answered 1/3, 2015 at 1:46 Comment(8)
This is SSL, but since you are using a non-standard port Wireshark does not expect SSL there and thus does not decode it automatically. You have to explicitly select SSL with Analyze | Decode As. – Pesek
@SteffenUllrich I did what you said, but only a few packets are marked as TLSv1 now (please check my update). Is it right? – Contestant
The packets not marked with TLSv1 all have a length of 0. These are only ACKs, which themselves contain no payload and thus don't contain any TLS data. – Pesek
@SteffenUllrich but we get only TLSv1 packets if we are using HTTPS or other protocols with SSL. It is troubling me... – Contestant
I don't understand your problem. Of course you get only TLS packets if you are using a protocol with TLS, like HTTPS. What do you expect? – Pesek
@SteffenUllrich oh, sorry, I just now understood it: all packets which have application data (like "hello from client") are marked TLSv1, but the other ACK packets use TCP and don't have my data. Is it correct? And where can I read about this? – Contestant
Yes, you are correct. As for reading about it - I don't know any specific resource, but you should probably make yourself familiar with the basics of how networks work, how TCP/IP works, how applications sit on top of these protocols, etc. – Pesek
I have this problem too. Rather frustrating. – Symposiarch

By default Wireshark uses TCP port numbers to know if this is standard TCP or TLS/SSL.

If you want to make Wireshark permanently recognize any port as SSL/TLS, then go to Edit > Preferences > Protocols > HTTP > Under SSL/TLS Ports change it from 443 to 443,5555, ... <other TLS/SSL ports go here>.

Also note that SSL traffic is encrypted, and that is why you won't be able to see the actual data being transmitted. If you want Wireshark to decrypt SSL traffic, then you will have to give it your server's private key (reference SSL dissection in Wireshark).

Renvoi answered 22/3, 2018 at 8:5 Comment(0)
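As an added illustration (not code from the question, the answers, or the SslStream tutorial): a small port-independent walker over the TLS record layer, in Python, showing the header check a dissector can apply regardless of port and why only segments that carry payload decode as TLS while empty ACK segments never do. The byte stream is constructed here, not taken from the capture above, and its ClientHello body is deliberately minimal.

```python
import struct
from typing import List, Tuple

# TLS record-layer content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
# Handshake message types (RFC 5246, section 7.4)
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   16: "ClientKeyExchange", 20: "Finished"}


def looks_like_tls(payload: bytes) -> bool:
    """Port-independent record check: content type 20..23, version 3.x, and a
    non-zero 16-bit length within the record limit (2^14 plus 2048 bytes of
    expansion). A pure-ACK segment has no payload and can never match."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return ctype in CONTENT_TYPES and major == 3 and minor <= 4 and 0 < length <= 16384 + 2048


def parse_records(stream: bytes) -> List[Tuple[str, str, int]]:
    """Walk the TLS records of a reassembled TCP stream and return
    (content type, version, body length) per record. For a handshake record the
    first handshake message type is appended; this assumes a handshake message
    is not fragmented across records, which holds for the sample below."""
    records = []
    off = 0
    while off + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break  # stream cut in the middle of a record
        name = CONTENT_TYPES.get(ctype, f"unknown({ctype})")
        if ctype == 22 and body:
            name += "/" + HANDSHAKE_TYPES.get(body[0], f"type{body[0]}")
        records.append((name, f"{major}.{minor}", length))
        off += 5 + length
    return records


# Constructed sample: a TLS 1.0 ClientHello record followed by an application-data
# record whose 32-byte body stands in for the (opaque, encrypted) application payload.
CLIENT_HELLO_BODY = bytes([1, 0, 0, 4]) + b"\x03\x01\x00\x00"  # handshake header + 4-byte body
SAMPLE_STREAM = (
    b"\x16\x03\x01" + struct.pack("!H", len(CLIENT_HELLO_BODY)) + CLIENT_HELLO_BODY
    + b"\x17\x03\x01\x00\x20" + bytes(range(32))
)

if __name__ == "__main__":
    for record in parse_records(SAMPLE_STREAM):
        print(record)
```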
