Why doesn't TLS show up in protocol column?

asked 2023-01-02 15:37:04 +0000

I have two full caps from two devices talking to each other, from the same time period. In one I can clearly see there is a packet marked as 'Client Hello' in the info column, with 'TLSv1.2' in the proto column. However, the same packet from the other device (using TCP seq number to locate it) shows up as only TCP.

If I highlight the one in the capture that isn't displaying the 'TLS and Client Hello' info, right-click, select decode, change 'TCP port' to 'TLS port' and click OK, it still shows only TCP.

Interesting side-note: I exported the one packet from each of the captures in case I had the option to attach them to my post, and found that when I opened the one that came from the full capture where I could see the 'Client Hello', it now shows only TCP (and again, decoding doesn't change the display). Meanwhile, the full original capture continues to display the additional information.


Comments

Are 'Allow subdissector to reassemble TCP streams' and 'Reassemble out-of-order segments' enabled in the TCP protocol preferences?

André (2023-01-02 21:30:02 +0000)

Are you able to upload the captures to a public file-share and add the link here?

See also: https://blog.packet-foo.com/2016/11/t...

SYN-bit (2023-01-03 08:39:06 +0000)
  1. 'Reassemble out-of-order segments' wasn't checked. I was in a different capture from the same device where I'm not seeing TLS in the proto column, and when I checked it all the appropriate packets displayed TLS. However, I opened the original pcap and found it still wasn't showing up correctly. I then closed both pcaps and opened one at a time: the one that changed after I enabled 'Reassemble ...' still showed packets with TLS, while the original continued to show just TCP.

  2. I've anonymized my pcaps (I have all three: the original two, plus the one I was looking at when I enabled 'Reassemble ...') and can share my folder on OneDrive, but I need an email addr to include. If providing me an email is not an option please let me know which 'public share' I can use - I'll sign up and put them there.

Thanks!

sflores671 (2023-01-03 12:49:21 +0000)

I think you can share any file on OneDrive by creating a public link. If that does not work, you are welcome to email the link to me on [email protected]

SYN-bit (2023-01-03 13:14:39 +0000)

Ok, I think I figured it out: https://1drv.ms/u/s!AqBdAG5eRNF7h4wo2...

sflores671 (2023-01-03 13:27:28 +0000)

Sorry - forgot to add the files; I had to use my personal OneDrive instead of my Business, so I need to transfer them. They should be there in a few mins.

sflores671 (2023-01-03 13:28:19 +0000)

They've been copied. It's definitely very odd, because now when I open all three files (after renaming them) they all don't show the TLS. Meanwhile, after sanitizing and then opening each, I was able to see the behavior I reported for each.

Dev1 is the device where I could see the TLS. Dev2 is the device where I couldn't, and Dev3 is the one where I updated the TCP option and all the corresponding packets started showing TLS.

sflores671 (2023-01-03 13:33:17 +0000)

When anonymizing, you kept the option to remove the payload on, which means everything after TCP is deleted (i.e. the TLS headers and content). Could you try anonymizing again?

SYN-bit (2023-01-03 13:53:28 +0000)
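As an added illustration of the point in the comment above (this is not code from the thread, from Wireshark or from any anonymizer tool): a small Python checker that reports, per TCP segment, whether any payload is still present and whether it starts with a TLS record, so a capture whose payload was stripped during sanitizing can be told apart from one that merely needs the TCP reassembly preferences. The frame layout, addresses and ports in `build_frame` are constructed for testing; `frames_from_pcap` assumes a classic pcap (not pcapng) with Ethernet framing.

```python
import struct

# Constructed Ethernet/IPv4/TCP frame for testing; addresses and ports are made up.
def build_frame(payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst, src, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def tcp_payload(frame: bytes) -> bytes:
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, b"" if none is present."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return b""
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return b""
    ip_total = struct.unpack("!H", frame[16:18])[0]
    data_off = (frame[tcp_off + 12] >> 4) * 4
    # A sanitizer that strips payload leaves ip_total claiming bytes the frame no longer has;
    # slicing past the end simply yields what is really there (possibly nothing).
    return frame[tcp_off + data_off:14 + ip_total]

def classify(frame: bytes) -> str:
    """Say what a TLS-aware dissector would have to work with in this segment."""
    p = tcp_payload(frame)
    if not p:
        return "no payload"            # nothing after TCP: TLS can never be shown
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 3 and p[2] <= 4:
        return "TLS Client Hello" if p[5] == 1 else "TLS handshake"
    if len(p) >= 3 and p[0] in (0x14, 0x15, 0x17) and p[1] == 3:
        return "TLS record"
    return "other payload"

def frames_from_pcap(path: str):
    """Yield raw frames from a classic pcap (not pcapng) with the Ethernet link type."""
    with open(path, "rb") as f:
        gh = f.read(24)
        endian = "<" if gh[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        if struct.unpack(endian + "I", gh[20:24])[0] != 1:
            raise ValueError("only LINKTYPE_ETHERNET (1) is handled here")
        while True:
            rh = f.read(16)
            if len(rh) < 16:
                return
            yield f.read(struct.unpack(endian + "I", rh[8:12])[0])

if __name__ == "__main__":
    import sys
    for i, frame in enumerate(frames_from_pcap(sys.argv[1]), 1):
        print(i, classify(frame))
```

A capture where every segment reports "no payload" was sanitized with payload removal, and no Wireshark preference will make TLS appear in it.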

Done. Thanks!

sflores671 (2023-01-03 14:21:43 +0000)