packet trace has TLS handshake but not recognized by wireshark

asked 2023-05-16 16:41:17 +0000

commserver gravatar image

I am working in IBM z/os platform.

The trace is generat3d by NETVIEW and then converted to wireshark compatible.

When in wireshark I tried to decode as TLS. Only see SSl in protocol.

The following is frame


edit retag flag offensive close merge delete


Can you put the PCAP file up for grabs? At this point it is just a bunch of hex code which will propably be ignored.

Also bear in mind that TLS may look like SSL untill you expand the view and see the TLS version inside. And that is something Wireshark should be able to show you straight away.

hugo.vanderkooij gravatar imagehugo.vanderkooij ( 2023-05-17 05:38:48 +0000 )edit

How do you put up for grabs?

commserver gravatar imagecommserver ( 2023-05-17 13:43:01 +0000 )edit

I always thought you should use CTRACE on z/OS for network captures. This page does notmention NETVIEW as a option:
Could you try CTRACE instead?

The first 20 bytes of this hexdump looks like a proprietary header. With the first 4 representing "TCP2" in ASCII. So replacing all protocols up to TCP level.
But if you remove the first 20 bytes (40 hex digits), put a space between every second hex digit and import it as a hexdump into Wireshark as a TCP stream, then it does show it as a "TLSv1.2 Client Hello".

André gravatar imageAndré ( 2023-05-18 13:14:42 +0000 )edit

CTRACE isn't too good to do diagnostics. It is very inconvenient to use. It has the ability to do convert to wireshark readble.

Netwiew uses CT underneath the cover. It creates a file that is fed into job that does the conversion.

The problem is that within Wireshark the TLS handshake isn't seen. I had to find the frame that had the handshake. That is what I had in the question.

commserver gravatar imagecommserver ( 2023-05-18 20:59:20 +0000 )edit

If Wireshark doesn't recognize the protocol, the dissection stops there. So any protocol(s) running on top of that, like TLS, can't be dissected either. That seems to be the case here.

As Hugo mentioned earlier, please upload your pcap to a public place and share a link here so we can take a look instead of guessing what the pcap contains.

BTW: I ment to use CTRACE as capturing tool only, not for analysis (or diagnostics). For that we have Wireshark.

André gravatar imageAndré ( 2023-05-19 13:54:42 +0000 )edit