I have the following packet when trying to examine an SSL session. This is a local capture but I have a capture from the target network as well. I see the same packet on both ends.
IP's have been changed but the issue is the TLS record length. This is the packet being transmitted and received and the server is able to decrypt and process it correctly. The packet is what I believe to be the "GET" request. I just don't understand why the TLS length is so short. This is not part of a fragment. I am using the WireShark 1.6.2. Is this a problem with WireShark or the traffic? This is not a one off packet, my session contains multiple "malformed" 32 length TLS records, always from my client to the server.
asked 19 Jun '12, 09:34
There is only one way to to be sure whether this issue has been fixed in a later release and that is to test it with a later release. But as I have not seen this kind of behavior with the SSL dissector, my guess is it is a bug triggered by your specific capture that might not have been fixed yet.
If the problem still exists with the latest 1.6.x release, please file a bug report on https://bugs.wireshark.org and attach the capture file (you can mark it as private to make it only available to the core-developers).
answered 20 Jun '12, 06:05