Ask Your Question
0

Why do some TLS packets show 'Application Data' in the 'Info' column while others show nothing, despite the fact that they have a payload?

asked 2021-10-26 09:59:10 +0000

pairycoo gravatar image

updated 2021-10-26 10:19:58 +0000

grahamb gravatar image

This PCAP file was captured from Thunderbird(POP). I want to include only TLS payload which I can use 'tls.app_data' filter command. However, I noticed that normally, TLS packets with a payload will show 'Application Data' in the 'Info' column, but as you can see, some just show blank, despite having a payload. What do they mean?

Thank you

edit retag flag offensive close merge delete

Comments

Can you provide a larger screen shot (that includes the display filter) or capture file?
What version of Wireshark? (add output of wireshark -v or Help->About Wireshark to question)

Chuckc gravatar imageChuckc ( 2021-10-26 15:08:53 +0000 )edit

Thanks for your reply @Chuckc. Please follow this link for a larger photo https://ibb.co/5RzYvR5. This is my filter 'tls and !tls.handshake and !_ws.expert' We can see the packets belong to the TLS protocol and all have a payload. Why all of their payloads is not TLS payloads whereas the protocol is TLSv1.2?

PS. My Wireshark version is 3.2.1.

pairycoo gravatar imagepairycoo ( 2021-10-26 15:51:11 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-10-26 16:29:12 +0000

Chuckc gravatar image

In this case, TCP Payload != Application Data

packet-tls.c looks for records with Content Type: Application Data (23) to add the "Application Data" string to the Info column.
You could add a column for tls.record.content_type to see what type of TLS records are in the packets that are not Application Data.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-10-26 09:59:10 +0000

Seen: 6,686 times

Last updated: Oct 26 '21