1 | initial version |
A picture gives very limited options to analyse this situation. Pulling this capture file through Trace Wrangler and putting it on a public accessible file share site gets you further.
Also without knowing where the capture was made makes analysis even more limited. So what can we tell? From the looks of it it seems that we're only seeing traffic from client (port 51824) to server (443), but never the other way round. While from the reactions from the client there must be something coming back. That suggest interface bonding, where the capture is made on the standby interface. It might be that the other side of the bonded network link is some wonky equipment spewing this stuff on this link? Hard to tell without further details.