packet trace has TLS handshake but not recognized by wireshark
I am working in IBM z/os platform.
The trace is generat3d by NETVIEW and then converted to wireshark compatible.
When in wireshark I tried to decode as TLS. Only see SSl in protocol.
The following is frame
54435032000200100000006b00000000b80000001603030066010000620303646393c303c4202f39bd33431c2adf87446fcb65f6c5d65129486d4e372f6b9100000a00ff003d0035003c002f0100002f002b00070603030302030100170000000d001c001a0601060305010503040104030402030103030302020102030202
Can you put the PCAP file up for grabs? At this point it is just a bunch of hex code which will propably be ignored.
Also bear in mind that TLS may look like SSL untill you expand the view and see the TLS version inside. And that is something Wireshark should be able to show you straight away.
How do you put up for grabs?
I always thought you should use CTRACE on z/OS for network captures. This page does notmention NETVIEW as a option: https://www.ibm.com/support/pages/how...
Could you try CTRACE instead?
The first 20 bytes of this hexdump looks like a proprietary header. With the first 4 representing "TCP2" in ASCII. So replacing all protocols up to TCP level.
But if you remove the first 20 bytes (40 hex digits), put a space between every second hex digit and import it as a hexdump into Wireshark as a TCP stream, then it does show it as a "TLSv1.2 Client Hello".
CTRACE isn't too good to do diagnostics. It is very inconvenient to use. It has the ability to do convert to wireshark readble.
Netwiew uses CT underneath the cover. It creates a file that is fed into job that does the conversion.
The problem is that within Wireshark the TLS handshake isn't seen. I had to find the frame that had the handshake. That is what I had in the question.
If Wireshark doesn't recognize the protocol, the dissection stops there. So any protocol(s) running on top of that, like TLS, can't be dissected either. That seems to be the case here.
As Hugo mentioned earlier, please upload your pcap to a public place and share a link here so we can take a look instead of guessing what the pcap contains.
BTW: I ment to use CTRACE as capturing tool only, not for analysis (or diagnostics). For that we have Wireshark.