Hi all

I am analyzing a captured TLS/SSL session with Wireshark. Although I know that it's an HTTPS session, I wonder how Wireshark can indicate the Application Data as HTTP too. Especially since the record structure for Application Data provides Content Type (23) and Application Data Length only!

Example: SSLv3 Record Layer: Application Data Protocol: http

Any help on this is very much appreciated! Thanks

asked 14 Aug '12, 07:08

sky21


I wonder how Wireshark can indicate the Application Data as HTTP too

It cannot. That piece of information is just added by the HTTP dissector while registering the SSL dissector to handle SSL/TLS sessions.

See:

packet-http.c -> range_add_http_ssl_callback()

Regards
Kurt


answered 14 Aug '12, 08:05

Kurt Knochner

edited 14 Aug '12, 08:07

Hi Kurt and thanks for the information so far!

But... how DOES the SSL dissector know that it encapsulates encrypted HTTP content? Is it because of the target TCP port 443 (...which might indicate that the HTTPS service is used)?

(15 Aug '12, 22:32) sky21

(I converted your answer to a comment, please reread the FAQ)

Yes, identification is done based on the port number. The HTTP dissector tells the SSL dissector that all traffic on port 443 is encrypted HTTP traffic. Even though it might not be.

(15 Aug '12, 23:50) SYN-bit ♦♦
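
The behaviour described in the answer and comments above, as an added example that is not part of the original thread and is not Wireshark's code: a small parser for the 5-byte TLS record header that labels Application Data purely from a port lookup. The `PORT_TO_APP` table, the function names and the sample bytes are assumptions made for this illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "Change Cipher Spec", 21: "Alert",
                 22: "Handshake", 23: "Application Data"}

# Hypothetical stand-in for the port registrations that application
# dissectors make with the SSL dissector; not Wireshark's actual table.
PORT_TO_APP = {443: "http"}


def parse_records(stream):
    """Split a TLS byte stream into (content_type, version, payload) tuples."""
    records, offset = [], 0
    while offset + 5 <= len(stream):
        # Header: 1 byte type, 2 bytes version, 2 bytes length. Nothing else.
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        payload = stream[offset + 5:offset + 5 + length]
        if ctype not in CONTENT_TYPES or len(payload) < length:
            break  # not a TLS record, or a truncated capture
        records.append((ctype, (major, minor), payload))
        offset += 5 + length
    return records


def label_records(stream, server_port):
    """Describe each record the way a port-driven dissector would."""
    app = PORT_TO_APP.get(server_port)
    labels = []
    for ctype, _version, payload in parse_records(stream):
        text = CONTENT_TYPES[ctype]
        if ctype == 23 and app:
            # The label comes from the port lookup only; the encrypted
            # payload is never inspected.
            text += " Protocol: " + app
        labels.append((text, len(payload)))
    return labels


# Constructed sample: an SSLv3 (3,0) Application Data record with 4 opaque
# bytes, followed by an Alert record with 2 opaque bytes.
SAMPLE = (bytes([23, 3, 0, 0, 4]) + b"\x8f\x12\xa0\x5c"
          + bytes([21, 3, 0, 0, 2]) + b"\x01\x00")

if __name__ == "__main__":
    for port in (443, 8443):
        print(port, label_records(SAMPLE, port))
```

The same bytes are labelled "http" on port 443 and left unlabelled on port 8443, so when triaging a capture the "Protocol: http" annotation should be read as a port-based guess, not as evidence of what the encrypted payload contains.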