I tested a pcap in wireshark for specific IP and all the packets I saw was either TCP or VPN I also wrote a script to decode packets and for specific packet(by timestamp) there is a discrepancy where on wireshark it shows layers up to TCP while my script could extract server hello and handshake data
Any Idea why could this happen?
Any Idea why could this happen?
Your traffic is to a port that Wireshark doesn't know is carrying TLS (I'm assuming TLS is involved from "my script could extract server hello and handshake data"), but your script does know that?
This might be the case, port is 1194 My script attempts to TLS if it exists in a TCP packet regardless of the port based on some header fields check Anyway wireshark could decode TLS for other ports such as 2222 and 2078, so wonder why not 1194 too?
Wireshark does attempt to heuristically detect TLS on other ports and it generally works. Without more information it's impossible to say why it wasn't detected in your case.
I can share the pcap and details if you are interested to look into it
Asked: 2024-06-22 18:13:10 +0000
Seen: 104 times
Last updated: Jun 22
