Why do some TLS packets show 'Application Data' in the 'Info' column while others show nothing, despite the fact that they have a payload?
This PCAP file was captured from Thunderbird(POP). I want to include only TLS payload which I can use 'tls.app_data' filter command. However, I noticed that normally, TLS packets with a payload will show 'Application Data' in the 'Info' column, but as you can see, some just show blank, despite having a payload. What do they mean?
Thank you
Can you provide a larger screen shot (that includes the display filter) or capture file?
What version of Wireshark? (add output of
wireshark -vorHelp->About Wiresharkto question)Thanks for your reply @Chuckc. Please follow this link for a larger photo https://ibb.co/5RzYvR5. This is my filter 'tls and !tls.handshake and !_ws.expert' We can see the packets belong to the TLS protocol and all have a payload. Why all of their payloads is not TLS payloads whereas the protocol is TLSv1.2?
PS. My Wireshark version is 3.2.1.