TLS1.3 and ipv6, Wireshark does not catch "Server Hello" packets?
Hello,
I wanted to test my TLS configuration on a RabbitMQ server with Wireshark and I have trouble. If my network adapter is set to IPv6 I don't see the full communication between client and server, only Client Hello, but if I disable IPv6 in the network adapter I can see the full communication in Wireshark: Client Hello, Server Hello and Client Change Spec. I don't understand what is causing this.
Captured packets when IPv6 is enabled:
Protocol Length Info
TLSv1.2 335 Client Hello
TCP 74 5657 → 55748 [ACK] Seq=1 Ack=262 Win=2097664 Len=0
TCP 74 [TCP ACKed unseen segment] 55748 → 5657 [ACK] Seq=262 Ack=3874 Win=263424 Len=0
TLSv1.2 154 Change Cipher Spec, Application Data
TLSv1.2 104 Application Data
Captured packets when IPv6 is disabled:
Protocol Length Info
TLSv1.3 315 Client Hello
TCP 54 5657 → 55849 [ACK] Seq=1 Ack=262 Win=2097664 Len=0
TLSv1.3 3927 Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data, Application Data
TCP 60 55849 → 5657 [ACK] Seq=262 Ack=3874 Win=262656 Len=0
TLSv1.3 134 Change Cipher Spec, Application Data
TLSv1.3 84 Application Data
Is this output expected or am I doing something wrong? The filter I used is (tcp.srcport == 5657 or tcp.dstport == 5657) or ssl.handshake.type and (tcp.srcport == 5657 or tcp.dstport == 5657)
Regards, Noak
I would suspect that something related to size of the frame and/or offloading is causing this behavior. Try capturing off-box, i.e. from a tap/mirror port on the actual network link to see what the frames look like as they traverse the network.
Hello, thanks for your comment, it showed me how I can test it and I've taken a closer look at the packets captured by Wireshark. After that I tried listening to the communication on the client machine, and Wireshark captured all of it. So I can confirm that my configuration works. Do you have any other ideas why Wireshark captures packets correctly on the client side and captures them wrongly on the server side when IPv6 is used?
The first place to look is TCP offloading in the adapter driver.
Thank you so much, I disabled TCP offloading in the adapter driver and it solved the issue. I now see all packets. Wireshark - Offloading
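The two summaries posted above already contain the evidence for the diagnosis: the client's ACK says Ack=3874 (it received 3873 bytes from the server), but in the IPv6 capture no server frame carrying that payload was ever recorded, which is exactly what Wireshark's "[TCP ACKed unseen segment]" flag means. The script below is an added example (not part of the original thread or of Wireshark) that automates this capture-integrity check over rows in the shape of Wireshark's Protocol/Length/Info summary. The port directions of the TLS rows are reconstructed from the handshake order (the posted summaries do not show them), the header sizes 54 (Ethernet+IPv4+TCP) and 74 (Ethernet+IPv6+TCP) are derived from the posted empty-ACK frame lengths, and the 1514-byte frame limit is the standard Ethernet maximum; all of these are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Largest frame a plain 1500-byte-MTU Ethernet link can carry (assumption of
# this example). A captured frame above this size was recorded before the NIC
# segmented it, i.e. the capture was taken on the sending host with
# segmentation offload active.
ETHERNET_MAX_FRAME = 1514

# Header bytes in front of the TCP payload, derived from the empty-ACK frame
# lengths in the thread: 54 for Ethernet+IPv4+TCP, 74 for Ethernet+IPv6+TCP.
HEADER_LEN = {"ipv4": 14 + 20 + 20, "ipv6": 14 + 40 + 20}


@dataclass
class Frame:
    src_port: int
    dst_port: int
    length: int   # frame length as shown in Wireshark's Length column
    info: str     # Wireshark's Info column


_SEQ_ACK = re.compile(r"Seq=(\d+) Ack=(\d+)")
_LEN = re.compile(r"Len=(\d+)")


def payload_len(frame: Frame, header_len: int) -> int:
    """TCP payload bytes in a frame: trust Len= when present, else frame - headers."""
    m = _LEN.search(frame.info)
    if m:
        return int(m.group(1))
    return max(0, frame.length - header_len)


def audit_capture(frames, ip_version: str) -> dict:
    """Compare what each peer acknowledged with what the capture actually holds.

    For every ACK, the peer claims to have received Ack-1 bytes in the reverse
    direction; if the capture recorded fewer payload bytes in that direction
    up to this point, the difference is traffic the capture never saw.
    """
    header_len = HEADER_LEN[ip_version]
    captured = {}   # (src, dst) -> payload bytes recorded so far
    missing = {}    # (src, dst) -> largest shortfall observed
    oversized = []  # frames larger than the link can carry
    unseen_flags = 0

    for f in frames:
        direction = (f.src_port, f.dst_port)
        captured[direction] = captured.get(direction, 0) + payload_len(f, header_len)
        if f.length > ETHERNET_MAX_FRAME:
            oversized.append(f.length)
        if "ACKed unseen segment" in f.info:
            unseen_flags += 1
        m = _SEQ_ACK.search(f.info)
        if m:
            reverse = (f.dst_port, f.src_port)
            expected = int(m.group(2)) - 1          # bytes the peer says it got
            seen = captured.get(reverse, 0)
            missing[reverse] = max(missing.get(reverse, 0), expected - seen, 0)

    return {
        "missing": missing,
        "unseen_segment_flags": unseen_flags,
        "oversized_frames": oversized,
        "complete": unseen_flags == 0 and not any(missing.values()),
    }


# Constructed from the two summaries in the thread; server port 5657, client
# ports 55748 (IPv6 run) and 55849 (IPv4 run). Directions of the TLS rows are
# reconstructed from the handshake order.
CAPTURE_IPV6_ON = [
    Frame(55748, 5657, 335, "Client Hello"),
    Frame(5657, 55748, 74, "5657 → 55748 [ACK] Seq=1 Ack=262 Win=2097664 Len=0"),
    Frame(55748, 5657, 74, "[TCP ACKed unseen segment] 55748 → 5657 [ACK] Seq=262 Ack=3874 Win=263424 Len=0"),
    Frame(55748, 5657, 154, "Change Cipher Spec, Application Data"),
    Frame(5657, 55748, 104, "Application Data"),
]
CAPTURE_IPV6_OFF = [
    Frame(55849, 5657, 315, "Client Hello"),
    Frame(5657, 55849, 54, "5657 → 55849 [ACK] Seq=1 Ack=262 Win=2097664 Len=0"),
    Frame(5657, 55849, 3927, "Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data, Application Data"),
    Frame(55849, 5657, 60, "55849 → 5657 [ACK] Seq=262 Ack=3874 Win=262656 Len=0"),
    Frame(55849, 5657, 134, "Change Cipher Spec, Application Data"),
    Frame(5657, 55849, 84, "Application Data"),
]

if __name__ == "__main__":
    for name, frames, ipv in (("IPv6 on", CAPTURE_IPV6_ON, "ipv6"),
                              ("IPv6 off", CAPTURE_IPV6_OFF, "ipv4")):
        print(name, audit_capture(frames, ipv))
```

On the IPv6 run the audit reports 3873 bytes acknowledged by the client that the server-side capture never recorded, so the Server Hello is absent from the file rather than from the wire. On the IPv4 run nothing is missing, but the 3927-byte Server Hello frame is larger than any Ethernet frame could be: the capture was taken on the sender before segmentation offload split it, which is the same driver feature the accepted answer points at. A capture that shows either symptom should be repeated with offloading disabled or taken off-box, as suggested earlier in the thread, before it is used to judge a TLS configuration.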