Wireshark showing some TLS traffic as TCP and some as TLSv1.2


I am running a CURL request against an F5 VIP, which gets an XML response from a backend server:

i.e. curl -X POST -d @read_req-2 https://x.x.x.x:8443/axis/services/MessageService --insecure -H "SOAPACTION: yes" -vvv

The curl request gets a valid response and if I take a tcpdump of the traffic I can see TLSv1.2 packets and can decrypt the TLS1.2 exchange fine with the private key from the F5.

However, if I change the VIP to listen on port 8444 (or 8445 etc) and run the following CURL request:

curl -X POST -d @read_req-2 https://x.x.x.x:8444/axis/services/MessageService --insecure -H "SOAPACTION: yes" -vvv

The curl request gets a valid response again (it all works), but the tcpdump I am taking just shows TCP packets (no TLS, Client Hello etc.) and I am unable to decrypt any packets.

I have added the port 8444 to the Wireshark HTTP protocol along with 443 (8443 is not there?) but this does not help.

SSLDUMP on the cli of the F5 is also able to decrypt traffic fine with the private key, for all ports (including 8444 and 8445).

TCP dissectors in Wireshark are all set to re-assemble packets etc. What am I missing to be able to see/decrypt this traffic in Wireshark?

I am running Wireshark Version 3.2.1 (v3.2.1-0-gbf38a67724d0).

Many thanks.
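Wireshark only labels a TCP stream as TLS when a dissector claims it, either because the port is registered for TLS or because the TLS heuristic recognises a record header at the start of the stream; otherwise the frames stay "TCP" even though the bytes are a normal handshake, which is the symptom described above for port 8444. The parser below is an added example (not from the original post or from Wireshark) that does the same recognition on a raw TCP payload: it checks the five-byte TLS record header (content type, record version, length), and for a handshake record reports the ClientHello's client_version and SNI. The `build_client_hello` helper constructs a sample ClientHello so the code runs offline; the server name `vip.example.test` and the cipher suite in it are constructed values.

```python
# Added example, not code from the original post or from Wireshark.
# Recognise a TLS record (and a ClientHello inside it) at the start of a TCP
# payload, which is what Wireshark's TLS heuristic needs to see on a port
# that is not registered for TLS.
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def extract_sni(hello: bytes):
    """Walk a ClientHello handshake body and return its server_name, if any."""
    pos = 4 + 2 + 32                      # handshake header, client_version, random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                 # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                 # compression_methods
    if len(hello) < pos + 2:
        return None
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hello))
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + length]
        if ext_type == EXT_SERVER_NAME and len(data) >= 5:
            # server_name_list: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            if data[2] == 0 and len(data) >= 5 + name_len:
                return data[5:5 + name_len].decode("ascii", errors="replace")
        pos += 4 + length
    return None


def parse_tls_record(payload: bytes):
    """Describe the first TLS record in payload, or return None if the bytes
    do not look like TLS (for example a plaintext HTTP request)."""
    if len(payload) < 5:
        return None
    content_type, version, length = struct.unpack("!BHH", payload[:5])
    if content_type not in (0x14, 0x15, 0x16, 0x17):      # CCS, alert, handshake, app data
        return None
    if version >> 8 != 0x03 or (version & 0xFF) > 0x04:   # SSL 3.0 .. TLS 1.3
        return None
    if length == 0 or length > 2 ** 14 + 2048:            # record size limit
        return None
    rec = {"content_type": content_type, "record_version": version, "length": length,
           "handshake_type": None, "client_version": None, "sni": None}
    body = payload[5:5 + length]
    if content_type == TLS_HANDSHAKE and len(body) >= 4:
        rec["handshake_type"] = body[0]
        if body[0] == CLIENT_HELLO and len(body) >= 6:
            rec["client_version"] = struct.unpack("!H", body[4:6])[0]
            rec["sni"] = extract_sni(body)
    return rec


def describe(payload: bytes) -> str:
    """One-line summary in the spirit of Wireshark's Info column."""
    rec = parse_tls_record(payload)
    if rec is None:
        return "not a TLS record"
    if rec["handshake_type"] == CLIENT_HELLO:
        ver = VERSION_NAMES.get(rec["client_version"], hex(rec["client_version"]))
        return f"{ver} ClientHello, SNI={rec['sni']}"
    return f"TLS record type 0x{rec['content_type']:02x}"


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a TLS 1.2 ClientHello with an SNI extension, wrapped
    in a record whose version field is 0x0301 (a common choice for the first
    record of a handshake). Values are illustrative, not captured traffic."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32      # client_version, random
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
            + b"\x01\x00"                                 # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    print(describe(build_client_hello("vip.example.test")))
    print(describe(b"POST /axis/services/MessageService HTTP/1.1\r\n"))
```

If a capture of port 8444 traffic starts with a record that this parser accepts but Wireshark still shows only TCP, the missing piece is the port mapping rather than the data: in Wireshark use Analyze > Decode As and map TCP port 8444 to TLS (with tshark, `-d tcp.port==8444,tls`), then the RSA key from the F5 can be applied the same way it already is for 8443. If the stream does not begin with a ClientHello at all (for example because the capture started mid-session), no dissector will recognise it and decryption cannot succeed for that connection.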