
Ignored Unknown Record

asked 2018-03-26 16:59:50 +0000


While looking into the TCP dump, I am just seeing,

    [Expert Info (Warning/Protocol): Ignored Unknown Record]

I am not able to attach the tcpdump. I have tried all Wireshark settings, without any help. So, anything will be greatly appreciated.


Comments

You can share the capture file on a public share, e.g. CloudShark, Google Drive, DropBox etc. and edit your question with a link to the file

grahamb ( 2018-03-26 17:15:15 +0000 )

You could investigate the file using the capinfos command line program first.

Jaap ( 2018-03-27 17:44:48 +0000 )

1 Answer


answered 2025-01-22 18:05:33 +0000

bugChaser

updated 2025-01-23 09:00:28 +0000

grahamb

FWIW... {Unknown Record Transport Layer Security The “Ignored Unknown Record” message in Wireshark typically indicates that the TLS record structure in a packet is not recognized by Wireshark. This can occur due to several reasons:

  • Reassembly Settings: If reassembly has been turned off in the protocol preferences, TLS records spanning multiple packets will not be recognized. You should check and adjust your TCP and TLS protocol preferences to ensure reassembly is enabled.
  • TLS Record Dissection: The message might appear if Wireshark cannot correctly dissect a TLS record. This can happen if the TLS record is malformed or if there is a bug in the Wireshark dissector.
  • Checksum Issues: Checksum errors can also prevent reassembly from succeeding. Ensure that checksum checking is turned off at the Ethernet, IP, and TCP layers.
  • TLS Record Size: Sometimes, Wireshark may report an “Ignored Unknown Record” if the TLS ciphertext length exceeds the maximum allowed size, which is 2^14 + 2048 bytes. This is often a false positive and can be ignored if the TLS handshake and other records appear normal.}

Possibly a piece of a buffer overrun attack as these packets occur after a series of tcp.completeness (60) packets.
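The reassembly and record-size points in the answer above, as an added example that is not part of the original post and is not Wireshark's dissector code: a simplified walker over TLS record headers showing why a TCP segment viewed without reassembly stops looking like TLS, and where the 2^14 + 2048 length limit applies. The verdict names, the `record()` helper and the sample bytes are constructed for illustration.

```python
import struct

# Record content types defined by the TLS RFCs (20-24).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}
MAX_CIPHERTEXT = 2**14 + 2048   # limit quoted in the answer above


def walk_records(stream: bytes):
    """Walk TLS record headers in a TCP payload.

    Returns (offset, verdict, detail) tuples and stops at the first header
    that fails a check, since later record boundaries cannot be trusted.
    """
    out, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            out.append((off, "truncated", "fewer than 5 header bytes"))
            break
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        if ctype not in CONTENT_TYPES or major != 3 or minor > 4:
            out.append((off, "unknown", f"type={ctype} version={major}.{minor}"))
            break
        if length > MAX_CIPHERTEXT:
            out.append((off, "oversize", f"length={length}"))
            break
        if off + 5 + length > len(stream):
            missing = off + 5 + length - len(stream)
            out.append((off, "incomplete", f"needs {missing} more bytes"))
            break
        out.append((off, "ok", f"{CONTENT_TYPES[ctype]} length={length}"))
        off += 5 + length
    return out


def record(ctype: int, body: bytes) -> bytes:
    """Build a constructed TLS 1.2 record (version bytes 3.3) for the demo."""
    return struct.pack("!BBBH", ctype, 3, 3, len(body)) + body


# Constructed sample: a handshake record and an application_data record,
# carried in two TCP segments with the second record split across them.
STREAM = record(22, b"\x01" * 40) + record(23, b"\xaa" * 300)
SEG1, SEG2 = STREAM[:100], STREAM[100:]

if __name__ == "__main__":
    for name, data in (("reassembled", STREAM), ("seg1 only", SEG1), ("seg2 only", SEG2)):
        print(name, walk_records(data))
```

Parsed as one reassembled stream, both records are recognised; parsed on its own, the second segment starts mid-record and its first five bytes do not form a valid header, which is the situation the reassembly preferences exist to avoid.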
