Why am I seeing TLS running over HTTP?

asked 2021-03-25 06:16:12 +0000

SDLR

updated 2021-03-25 21:30:29 +0000

Guy Harris

How is it that Wireshark places TLS over HTTP whereas in the OSI model, TLS belongs to layers 5 and 6 while HTTP to layer 7?

With the OSI model:

layer 7: HTTP
layer 5 and 6: TLS

With Wireshark:

Frame
Internet II
IPv4
TCP
Hypertext Transfer Protocol
Transport Layer Security

Thank you for any help.



Can you share the capture that shows this behaviour? Use a public share such as CloudShark, Google Drive or DropBox etc. and post a link back here.

grahamb ( 2021-03-25 08:27:48 +0000 )

Wireshark places TLS over HTTP

For normal https traffic, Wireshark doesn't place TLS over HTTP.

If you're seeing HTTP over TCP and TLS over HTTP, that's something unusual, so we'd need to see a capture of that traffic to see what's being done there.

Guy Harris ( 2021-03-25 21:30:01 +0000 )

1 Answer


answered 2021-03-25 08:49:24 +0000

hugo.vanderkooij

Well, can you decode TLS to actually read the content?

Otherwise TCP port 443 implies HTTPS and TLS is detected. So the representation may look odd but this is the order in which things are discovered as you read the packet.

And it may also depend a lot on how you detect protocols in Wireshark.

But I guess this is more a tomato vs tomato thing. (You drink coffee, I drink tea my dear)



this is the order in which things are discovered as you read the packet.

If you're using https, then you have TLS running over TCP, and HTTP running over TLS. You might not see the HTTP in a packet sniffer unless the sniffer 1) supports TLS decryption and 2) has the information necessary to decrypt the TLS payload, but the encrypted HTTP is there, in the "Application Data" section.

What they're reporting appears to be HTTP running directly over TCP (i.e., plaintext HTTP), with the HTTP payload being TLS. That seems odd, but "odd" doesn't imply "never happens". That's why we'd like to see a network trace to see what's happening.

Guy Harris ( 2021-03-25 21:28:17 +0000 )
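The two layerings contrasted in the comment above (normal https versus plaintext HTTP whose payload is TLS), as an added example that is not part of the original thread and is not Wireshark's dissection logic. It is a byte-level heuristic over constructed payloads; the function names, the `/tunnel` path and the `example.test` host are assumptions made for illustration.

```python
import struct

# TLS record content types (first byte of every TLS record header).
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HTTP_STARTS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"CONNECT ", b"OPTIONS ", b"DELETE ", b"HTTP/1.")

def tls_record(data):
    """Return (type_name, length) if data starts with a plausible TLS record header, else None."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    # Record header: 1-byte type, 2-byte version (3.x), 2-byte length (bounded by the record size limit).
    if ctype in TLS_TYPES and major == 3 and minor <= 4 and 0 < length <= 2**14 + 2048:
        return TLS_TYPES[ctype], length
    return None

def layers(tcp_payload):
    """List the protocols found above TCP, in the order they are encountered."""
    rec = tls_record(tcp_payload)
    if rec:
        # Normal https: any HTTP is inside the encrypted records and is not visible without keys.
        return ["TLS (%s)" % rec[0]]
    if tcp_payload.startswith(HTTP_STARTS):
        found = ["HTTP"]
        head, sep, body = tcp_payload.partition(b"\r\n\r\n")
        rec = tls_record(body) if sep else None
        if rec:
            found.append("TLS (%s)" % rec[0])  # the unusual case: TLS bytes carried as the HTTP payload
        return found
    return ["unknown"]

# Constructed sample payloads (not taken from any capture).
# 5-byte record header (handshake, version 3.1, length 47) + 4-byte handshake header + 43 zero bytes.
CLIENT_HELLO_START = bytes([22, 3, 1, 0, 0x2F]) + b"\x01\x00\x00\x2b" + bytes(43)
HTTPS_PAYLOAD = CLIENT_HELLO_START
ODD_PAYLOAD = (b"POST /tunnel HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 52\r\n\r\n" + CLIENT_HELLO_START)
PLAIN_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, p in [("https", HTTPS_PAYLOAD), ("odd", ODD_PAYLOAD), ("plain", PLAIN_PAYLOAD)]:
        print(name, "->", " / ".join(layers(p)))
```
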
