Why doesn't TLS show up in protocol column?

asked 2023-01-02 15:37:04 +0000

I have two full caps from two devices talking to each other, from the same time period. In one I can clearly see there is a packet marked as 'Client Hello' in the info column, with 'TLSv1.2' in the proto column. However, the same packet from the other device (using TCP seq number to locate it) shows up as only TCP.

If I highlight the one in the capture that isn't displaying the 'TLS and Client Hello' info, right-click, select decode, change 'TCP port' to 'TLS port' and click OK, it still shows only TCP.

Interesting side-note: I exported the one packet from each of the captures in case I had the option to attach them to my post, and found that when I opened the one that came from the full capture where I could see the 'Hello Client', it now shows only TCP (and again, decoding doesn't change the display). Meanwhile, the full original capture continues to display the additional information.


Comments

Are 'Allow subdissector to reassemble TCP streams' and 'Reassemble out-of-order segments' enabled in the TCP protocol preferences?

André ( 2023-01-02 21:30:02 +0000 )

Are you able to upload the captures to a public file-share and add the link here?

See also: https://blog.packet-foo.com/2016/11/t...

SYN-bit ( 2023-01-03 08:39:06 +0000 )

  1. 'Reassemble out-of-order segments' wasn't checked. I was in a different capture from the same device where I'm not seeing TLS in the proto col, and when I checked it all the appropriate packets displayed TLS. However, I opened the original pcap and found it still wasn't showing up correctly. I then closed both pcaps and opened one at a time: the one that changed after I enabled 'Reassemble ...' still showed packets with TLS, while the original continued to show just TCP.

  2. I've anonymized my pcaps (I have all three: the original two, plus the one I was looking at when I enabled 'Reassemble ...') and can share my folder on OneDrive, but I need an email addr to include. If providing me an email is not an option please let me know which 'public share' I can use - I'll sign up and put them there.

Thanks!

sflores671 ( 2023-01-03 12:49:21 +0000 )

I think you can share any file on OneDrive by creating a public link. If that does not work, you are welcome to email the link to me on [email protected]

SYN-bit ( 2023-01-03 13:14:39 +0000 )

Ok, I think I figured it out: https://1drv.ms/u/s!AqBdAG5eRNF7h4wo2...

sflores671 ( 2023-01-03 13:27:28 +0000 )
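
A simplified model of what the 'Reassemble out-of-order segments' preference discussed above changes, as an added example that is not part of the original thread and is not Wireshark's own code. The function names, sequence numbers and the ClientHello bytes are constructed for illustration; sequence-number wraparound and retransmissions are ignored.

```python
import struct

TLS_CONTENT_TYPES = (20, 21, 22, 23)  # change_cipher_spec, alert, handshake, application_data

def tls_record_info(stream: bytes):
    """Return (content_type, record_version, handshake_type) if `stream`
    starts with one complete TLS record, else None."""
    if len(stream) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", stream[:5])
    if ctype not in TLS_CONTENT_TYPES or (version >> 8) != 3:
        return None          # does not look like a TLS record header
    if len(stream) < 5 + length:
        return None          # header seen, but the record is still incomplete
    hs_type = stream[5] if ctype == 22 and length >= 1 else None
    return ctype, version, hs_type

def reassemble(segments, isn, reorder):
    """Rebuild the byte stream from (seq, payload) pairs in arrival order.
    reorder=False: only a segment landing exactly at the next expected
    sequence number extends the stream (model of the preference being off).
    reorder=True: early segments are buffered and spliced in once the gap
    before them is filled (model of the preference being on)."""
    expected = isn + 1
    pending = {}
    out = bytearray()
    for seq, payload in segments:
        if seq == expected:
            out += payload
            expected += len(payload)
            while reorder and expected in pending:
                late = pending.pop(expected)
                out += late
                expected += len(late)
        elif reorder and seq > expected:
            pending[seq] = payload
    return bytes(out)

# Constructed sample: a 205-byte record shaped like a ClientHello
# (handshake type 1), split over two segments that arrive swapped.
ISN = 1000
body = b"\x01" + (196).to_bytes(3, "big") + bytes(196)
record = struct.pack("!BHH", 22, 0x0301, len(body)) + body
seg1, seg2 = record[:100], record[100:]
arrival = [(ISN + 101, seg2), (ISN + 1, seg1)]

if __name__ == "__main__":
    print("preference off:", tls_record_info(reassemble(arrival, ISN, False)))
    print("preference on: ", tls_record_info(reassemble(arrival, ISN, True)))
```

In this model the second segment on its own never starts with a TLS record header, and the first segment alone is an incomplete record, so nothing is identified as TLS until the two are joined in sequence order.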