
pcap analysis

asked 2024-06-22 18:13:10 +0000

I tested a pcap in Wireshark for a specific IP, and all the packets I saw were either TCP or VPN. I also wrote a script to decode packets, and for a specific packet (by timestamp) there is a discrepancy: Wireshark shows layers up to TCP, while my script could extract Server Hello and handshake data.

Any idea why this could happen?


1 Answer


answered 2024-06-22 21:30:56 +0000

Guy Harris

Any Idea why could this happen?

Your traffic is to a port that Wireshark doesn't know is carrying TLS (I'm assuming TLS is involved from "my script could extract server hello and handshake data"), but your script does know that?



This might be the case; the port is 1194. My script attempts TLS if it exists in a TCP packet, regardless of the port, based on some header field checks. Anyway, Wireshark could decode TLS for other ports such as 2222 and 2078, so I wonder why not 1194 too?

ammartosson (2024-06-22 22:12:47 +0000)

Wireshark does attempt to heuristically detect TLS on other ports and it generally works. Without more information it's impossible to say why it wasn't detected in your case.

johnthacker (2024-06-23 01:12:07 +0000)

I can share the pcap and details if you are interested to look into it

ammartosson (2024-06-23 01:15:06 +0000)
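The answer and the comments above turn on one point: Wireshark picks a dissector for a TCP stream mainly by port (plus an optional heuristic), whereas the asker's script looks at the first bytes of the payload on every port. The script below is an added example of that port-independent check, written for this page; it is not the asker's script and not Wireshark code. It validates the 5-byte TLS record header (content type, record-layer version, plausible length), walks the handshake messages inside a Handshake record, and also shows the scan-inward variant that finds a TLS record behind an opaque prefix, which is where false positives come from. All payloads are constructed inline; the three-byte "wrapper" prefix is a hypothetical framing header, not OpenVPN's real packet format. One caveat a practitioner would add: 1194 is the IANA-registered port for OpenVPN, so if the capture really is OpenVPN over TCP, the TLS records are carried inside OpenVPN control-channel packets and "Decode As ... TLS" on that port will not help; it needs to be decoded as OpenVPN instead.

```python
"""
Port-independent TLS record detection, roughly what a 'check the header
fields' heuristic does on a raw TCP payload. Added example; sample payloads
are constructed here, not taken from the poster's capture.
"""
import struct

TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert",
                     22: "Handshake", 23: "ApplicationData"}
TLS_HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                       12: "ServerKeyExchange", 14: "ServerHelloDone",
                       16: "ClientKeyExchange", 20: "Finished"}
# Record-layer versions seen on the wire: SSLv3 and TLS 1.0-1.3
# (TLS 1.3 still puts 0x0303 in the record header; 0x0304 is accepted leniently).
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}
MAX_RECORD_LEN = 16384 + 2048   # 2^14 plaintext plus the expansion RFC 5246 allows


def looks_like_tls_record(payload: bytes) -> bool:
    """Cheap header check: content type, version and length must all be plausible."""
    if len(payload) < 5:
        return False
    ctype, version, length = struct.unpack("!BHH", payload[:5])
    return (ctype in TLS_CONTENT_TYPES and version in TLS_VERSIONS
            and 0 < length <= MAX_RECORD_LEN)


def parse_tls_records(payload: bytes) -> list:
    """Walk consecutive complete TLS records starting at offset 0.

    Returns one dict per record; for Handshake records the handshake message
    types are listed. Stops at the first byte run that is not a well-formed
    record, or at a record whose body is cut off (TCP segmentation: the
    segments would need reassembly first).
    """
    records = []
    off = 0
    while off + 5 <= len(payload):
        if not looks_like_tls_record(payload[off:]):
            break
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        body = payload[off + 5: off + 5 + length]
        if len(body) < length:
            break   # truncated record, do not guess
        rec = {"type": TLS_CONTENT_TYPES[ctype],
               "version": f"{version:#06x}", "handshakes": []}
        if ctype == 22:
            hoff = 0
            while hoff + 4 <= len(body):          # 1-byte type + 3-byte length
                htype = body[hoff]
                hlen = int.from_bytes(body[hoff + 1:hoff + 4], "big")
                rec["handshakes"].append(
                    TLS_HANDSHAKE_TYPES.get(htype, f"unknown({htype})"))
                hoff += 4 + hlen
        records.append(rec)
        off += 5 + length
    return records


def find_tls_records(payload: bytes):
    """Scan inward for the first offset that parses as complete TLS records.

    This is the 'look for a TLS header anywhere in the segment' variant: it
    finds TLS behind a foreign framing header, at the cost of possible false
    positives on random bytes that happen to look like a record header.
    Returns (offset, records) or None.
    """
    for off in range(max(0, len(payload) - 4)):
        recs = parse_tls_records(payload[off:])
        if recs:
            return off, recs
    return None


def build_server_hello() -> bytes:
    """Construct a minimal TLS 1.2 ServerHello inside one Handshake record."""
    body = (b"\x03\x03"          # server_version
            + b"\x00" * 32       # random (zeroed, constructed sample)
            + b"\x00"            # session_id length 0
            + b"\xc0\x2f"        # cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x00")           # compression_method null
    hs = b"\x02" + len(body).to_bytes(3, "big") + body      # type 2 = ServerHello
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    hello = build_server_hello()
    wrapped = b"\x00\x2f\x20" + hello   # hypothetical 3-byte wrapper, not OpenVPN framing
    print("bare record   :", parse_tls_records(hello))
    print("truncated     :", parse_tls_records(hello[:20]))
    print("behind wrapper:", find_tls_records(wrapped))
    print("random bytes  :", find_tls_records(bytes(range(40))))
```

To make Wireshark agree with such a script on a bare-TLS stream, tell it the port: in the GUI use Analyze > Decode As and map TCP port 1194 to TLS, or on the command line run tshark with -d tcp.port==1194,tls and a display filter such as tls.handshake.type==2 to list Server Hellos. If the decoded result looks like garbage after that, the bytes before the TLS record are some other protocol's framing and the right "Decode As" target is that protocol, not TLS.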
