
Wireshark UI - No Decrypted Data but Shown in JSON

Hi All,

Purely educational for myself here. I've used Wireshark on and off, and this one is a bit of a new scenario for me. I've been using Wireshark to troubleshoot some WebRTC use cases with a WebSocket signalling channel. Today I came across something I hadn't seen before and wondered if it is normal and, if so, why.

I set up my SSL key log file and configured Wireshark to point to it. I launched Chrome and voila, I can see my TLS traffic as I expect.

However, as I was doing my work, I noticed that some frames do not show the decrypted TLS data in the UI; I largely understand that we can't decrypt all flows. Today, though, I happened to export my packets to a JSON file, and in the JSON file the decrypted TLS data exists!

This got me thinking: has this always been the case and I just didn't know?

Screenshot from Wireshark UI: image description

Output from JSON:

{
"_index": "packets-2024-12-27",
"_type": "doc",
"_score": null,
"_source": {
  "layers": {
    "frame": {
      "frame.section_number": "1",
      "frame.interface_id": "0",
      "frame.interface_id_tree": {
        "frame.interface_name": "eno1"
      },
      "frame.encap_type": "1",
      "frame.time": "Dec 27, 2024 11:11:16.589017784 EST",
      "frame.time_utc": "Dec 27, 2024 16:11:16.589017784 UTC",
      "frame.time_epoch": "1735315876.589017784",
      "frame.offset_shift": "0.000000000",
      "frame.time_delta": "0.001755706",
      "frame.time_delta_displayed": "0.001755706",
      "frame.time_relative": "385.975212198",
      "frame.number": "3777",
      "frame.len": "787",
      "frame.cap_len": "787",
      "frame.marked": "0",
      "frame.ignored": "0",
      "frame.protocols": "eth:ethertype:ip:tcp:tls:http:websocket:data-text-lines",
      "frame.coloring_rule.name": "TCP",
      "frame.coloring_rule.string": "tcp"
    },
    "eth": {
      "eth.dst": "00:23:24:9d:49:1b",
      "eth.dst_tree": {
        "eth.dst_resolved": "GProComputer_9d:49:1b",
        "eth.dst.oui": "8996",
        "eth.dst.oui_resolved": "G-Pro Computer",
        "eth.dst.lg": "0",
        "eth.dst.ig": "0",
        "eth.addr": "00:23:24:9d:49:1b",
        "eth.addr_resolved": "GProComputer_9d:49:1b",
        "eth.addr.oui": "8996",
        "eth.addr.oui_resolved": "G-Pro Computer",
        "eth.lg": "0",
        "eth.ig": "0"
      },
      "eth.src": "64:97:14:01:32:92",
      "eth.src_tree": {
        "eth.src_resolved": "eero_01:32:92",
        "eth.src.oui": "6592276",
        "eth.src.oui_resolved": "eero inc.",
        "eth.src.lg": "0",
        "eth.src.ig": "0",
        "eth.addr": "64:97:14:01:32:92",
        "eth.addr_resolved": "eero_01:32:92",
        "eth.addr.oui": "6592276",
        "eth.addr.oui_resolved": "eero inc.",
        "eth.lg": "0",
        "eth.ig": "0"
      },
      "eth.type": "0x0800",
      "eth.stream": "0"
    },
    "ip": {
      "ip.version": "4",
      "ip.hdr_len": "20",
      "ip.dsfield": "0x00",
      "ip.dsfield_tree": {
        "ip.dsfield.dscp": "0",
        "ip.dsfield.ecn": "0"
      },
      "ip.len": "773",
      "ip.id": "0x92e0",
      "ip.flags": "0x02",
      "ip.flags_tree": {
        "ip.flags.rb": "0",
        "ip.flags.df": "1",
        "ip.flags.mf": "0"
      },
      "ip.frag_offset": "0",
      "ip.ttl": "244",
      "ip.proto": "6",
      "ip.checksum": "0x36c6",
      "ip.checksum.status": "2",
      "ip.src": "3.81.241.8",
      "ip.addr": "3.81.241.8",
      "ip.src_host": "3.81.241.8",
      "ip.host": "3.81.241.8",
      "ip.dst": "192.168.5.74",
      "ip.addr": "192.168.5.74",
      "ip.dst_host": "192.168.5.74",
      "ip.host": "192.168.5.74",
      "ip.geoip.src_summary": "Ashburn, US",
      "ip.geoip.src_summary_tree": {
        "ip.geoip.src_city": "Ashburn",
        "ip.geoip.city": "Ashburn",
        "ip.geoip.src_country": "United States",
        "ip.geoip.country": "United States",
        "ip.geoip.src_country_iso": "US",
        "ip.geoip.country_iso": "US",
        "ip.geoip.src_lat": "39.0481",
        "ip.geoip.lat": "39.0481",
        "ip.geoip.src_lon": "-77.4728",
        "ip.geoip.lon": "-77.4728"
      },
      "ip.stream": "12"
    },
    "tcp": {
      "tcp.srcport": "443",
      "tcp.dstport": "40214",
      "tcp.port": "443",
      "tcp.port": "40214",
      "tcp.stream": "9",
      "tcp.completeness": "15",
      "tcp.completeness_tree": {
        "tcp.completeness.rst": "0",
        "tcp.completeness.fin": "0",
        "tcp.completeness.data": "1",
        "tcp.completeness.ack": "1",
        "tcp.completeness.syn-ack": "1",
        "tcp.completeness.syn": "1",
        "tcp.completeness.str": "··DASS"
      },
      "tcp.len": "721",
      "tcp.seq": "8078",
      "tcp.seq_raw": "990666881",
      "tcp.nxtseq": "8799",
      "tcp.ack": "6884",
      "tcp.ack_raw": "672445258",
      "tcp.hdr_len": "32",
      "tcp.flags": "0x0018",
      "tcp.flags_tree": {
        "tcp.flags.res": "0",
        "tcp.flags.ae": "0",
        "tcp.flags.cwr": "0",
        "tcp.flags.ece": "0",
        "tcp.flags.urg": "0",
        "tcp.flags.ack": "1",
        "tcp.flags.push": "1",
        "tcp.flags.reset": "0",
        "tcp.flags.syn": "0",
        "tcp.flags.fin": "0",
        "tcp.flags.str": "·······AP···"
      },
      "tcp.window_size_value": "258",
      "tcp.window_size": "66048",
      "tcp.window_size_scalefactor": "256",
      "tcp.checksum": "0x74ec",
      "tcp.checksum.status": "2",
      "tcp.urgent_pointer": "0",
      "tcp.options": "01:01:08:0a:d2:69:de:40:e8:6f:23:70",
      "tcp.options_tree": {
        "tcp.options.nop": "01",
        "tcp.options.nop_tree": {
          "tcp.option_kind": "1"
        },
        "tcp.options.nop": "01",
        "tcp.options.nop_tree": {
          "tcp.option_kind": "1"
        },
        "tcp.options.timestamp": "08:0a:d2:69:de:40:e8:6f:23:70",
        "tcp.options.timestamp_tree": {
          "tcp.option_kind": "8",
          "tcp.option_len": "10",
          "tcp.options.timestamp.tsval": "3530153536",
          "tcp.options.timestamp.tsecr": "3899597680"
        }
      },
      "Timestamps": {
        "tcp.time_relative": "339.156064173",
        "tcp.time_delta": "0.092480864"
      },
      "tcp.analysis": {
        "tcp.analysis.initial_rtt": "0.025061152",
        "tcp.analysis.bytes_in_flight": "721",
        "tcp.analysis.push_bytes_sent": "721"
      },
      "tcp.payload": "17:03:03:02:cc:f8:bb:9f:06:3e:f3:74:54:bb:71:38:01:4f:ab:87:3d:6f:6a:83:1c:cb:fd:bf:f5:2a:dc:48:bc:48:a3:f5:f8:f2:68:d9:d1:5d:a9:0e:76:b9:a8:c9:b6:41:73:3f:ae:c0:43:ed:26:e1:64:1d:58:ca:8f:82:c0:80:c6:12:76:65:31:53:62:75:4a:91:29:9f:a1:52:4d:b5:b1:35:8f:aa:17:04:95:15:9c:c5:a3:df:5d:88:d5:72:75:a7:db:fb:ec:fa:b7:7e:8c:81:f3:43:cb:f3:7e:45:10:89:ec:cd:8e:8e:f2:3f:75:fb:f0:97:14:11:08:6b:e8:96:a0:ce:79:29:49:09:af:09:01:81:48:02:01:50:e7:59:d2:39:45:18:7d:cd:81:e9:ba:b7:c7:a9:1f:e5:5e:9c:f3:b0:a6:af:09:07:33:b8:da:57:ef:b0:19:e1:e6:85:0a:62:3f:62:55:b8:e1:ac:0f:f6:ea:9e:d6:9c:d7:26:33:0b:49:9f:27:30:80:74:b9:f8:d6:72:59:c6:9b:73:60:e6:f1:db:89:fd:d7:65:9f:17:67:46:e7:25:2d:64:4f:54:c9:fb:3d:a0:a1:90:5c:da:f5:3f:1b:2c:a0:00:9d:36:6d:e8:ce:b5:06:08:46:e9:ec:c6:9d:dd:18:4f:82:32:4f:6a:d0:f5:f8:a4:ba:2c:1b:7a:14:f5:40:73:8a:a1:ac:b0:24:55:bf:e1:48:05:f9:64:6f:a0:f8:a1:4c:b1:7f:cb:ae:fb:60:6c:52:26:34:6d:37:28:29:47:b1:e7:bf:34:69:57:10:ad:c8:1f:b2:b7:2f:ad:44:71:d2:40:83:bb:a5:14:e8:66:2e:bf:ae:0a:13:53:be:95:15:0d:97:c1:e3:5c:f4:17:cf:c5:34:02:9a:54:69:be:3a:a0:a0:07:aa:b8:8a:54:e1:85:f9:7b:c5:8c:14:4e:6c:32:14:cf:45:b0:f1:40:b3:23:53:07:37:dc:2e:ac:7a:a0:d4:95:d7:10:36:72:48:61:b9:90:8a:dc:0d:1e:05:1d:d6:db:8b:2c:1f:c7:98:c3:01:7b:8f:24:ee:67:7b:99:bf:15:46:41:57:32:01:a5:c3:1d:54:ea:16:70:80:72:97:6e:66:a5:19:d0:50:3a:9a:20:55:bb:b6:28:c9:d0:e0:a0:49:69:02:89:18:f8:80:8d:07:9f:3e:a6:64:64:57:7b:a0:45:2f:10:c6:ec:88:ca:20:c7:2e:13:09:b7:4c:43:e5:e2:07:1b:2d:65:ff:36:88:2f:25:4e:9c:bc:a6:04:85:a8:ba:c4:16:03:e8:7e:7b:c6:61:aa:94:22:5d:3a:7d:36:7c:72:12:cd:c4:ca:44:7a:9a:e3:f0:90:e0:f3:74:69:5c:87:eb:da:33:3a:3d:04:c9:ff:e2:ee:ae:3c:62:dc:cb:1f:e4:3c:a2:9b:2a:53:a2:84:a3:0e:98:e3:ab:04:a7:1b:81:59:c6:f2:45:75:fb:42:d7:e1:65:55:e9:66:17:61:6f:d2:83:f3:1e:ea:93:6a:bc:e7:af:8c:83:2b:9f:3b:02:bc:8f:6b:25:10:55:c8:0d:33:89:45:38:ce:ec:16:23:0a:9a:ac:5f:16:19:8e:c6:2f:b3:53:e6:04:36:be:38:62:5f:a6:66:fe:2c:b0:e9:3a:42:96:c0:6e:35:71:a3:2b:58:4f:52:1d:31:f
9:fd:f0:46:d4:86:ae:e5:b7:7d:76:68:5c:a2:9d:75:f4:f9:23:4a:74:4a:b5:b4:0a:2f:fe:b5:b0:76:2a:6c:3b:fc:87:60:61:3e:4f:2d:82:78:82:0a:81:4e:d0:9f:2e:9d:2e:8f:89:f8:6f:24:6f:e2:fd:6c:97:a6",
      "tcp.pdu.size": "699"
    },
    "tls": {
      "tls.record": {
        "tls.record.opaque_type": "23",
        "tls.record.version": "0x0303",
        "tls.record.length": "716",
        "tls.record.content_type": "23",
        "tls.app_data": "f8:bb:9f:06:3e:f3:74:54:bb:71:38:01:4f:ab:87:3d:6f:6a:83:1c:cb:fd:bf:f5:2a:dc:48:bc:48:a3:f5:f8:f2:68:d9:d1:5d:a9:0e:76:b9:a8:c9:b6:41:73:3f:ae:c0:43:ed:26:e1:64:1d:58:ca:8f:82:c0:80:c6:12:76:65:31:53:62:75:4a:91:29:9f:a1:52:4d:b5:b1:35:8f:aa:17:04:95:15:9c:c5:a3:df:5d:88:d5:72:75:a7:db:fb:ec:fa:b7:7e:8c:81:f3:43:cb:f3:7e:45:10:89:ec:cd:8e:8e:f2:3f:75:fb:f0:97:14:11:08:6b:e8:96:a0:ce:79:29:49:09:af:09:01:81:48:02:01:50:e7:59:d2:39:45:18:7d:cd:81:e9:ba:b7:c7:a9:1f:e5:5e:9c:f3:b0:a6:af:09:07:33:b8:da:57:ef:b0:19:e1:e6:85:0a:62:3f:62:55:b8:e1:ac:0f:f6:ea:9e:d6:9c:d7:26:33:0b:49:9f:27:30:80:74:b9:f8:d6:72:59:c6:9b:73:60:e6:f1:db:89:fd:d7:65:9f:17:67:46:e7:25:2d:64:4f:54:c9:fb:3d:a0:a1:90:5c:da:f5:3f:1b:2c:a0:00:9d:36:6d:e8:ce:b5:06:08:46:e9:ec:c6:9d:dd:18:4f:82:32:4f:6a:d0:f5:f8:a4:ba:2c:1b:7a:14:f5:40:73:8a:a1:ac:b0:24:55:bf:e1:48:05:f9:64:6f:a0:f8:a1:4c:b1:7f:cb:ae:fb:60:6c:52:26:34:6d:37:28:29:47:b1:e7:bf:34:69:57:10:ad:c8:1f:b2:b7:2f:ad:44:71:d2:40:83:bb:a5:14:e8:66:2e:bf:ae:0a:13:53:be:95:15:0d:97:c1:e3:5c:f4:17:cf:c5:34:02:9a:54:69:be:3a:a0:a0:07:aa:b8:8a:54:e1:85:f9:7b:c5:8c:14:4e:6c:32:14:cf:45:b0:f1:40:b3:23:53:07:37:dc:2e:ac:7a:a0:d4:95:d7:10:36:72:48:61:b9:90:8a:dc:0d:1e:05:1d:d6:db:8b:2c:1f:c7:98:c3:01:7b:8f:24:ee:67:7b:99:bf:15:46:41:57:32:01:a5:c3:1d:54:ea:16:70:80:72:97:6e:66:a5:19:d0:50:3a:9a:20:55:bb:b6:28:c9:d0:e0:a0:49:69:02:89:18:f8:80:8d:07:9f:3e:a6:64:64:57:7b:a0:45:2f:10:c6:ec:88:ca:20:c7:2e:13:09:b7:4c:43:e5:e2:07:1b:2d:65:ff:36:88:2f:25:4e:9c:bc:a6:04:85:a8:ba:c4:16:03:e8:7e:7b:c6:61:aa:94:22:5d:3a:7d:36:7c:72:12:cd:c4:ca:44:7a:9a:e3:f0:90:e0:f3:74:69:5c:87:eb:da:33:3a:3d:04:c9:ff:e2:ee:ae:3c:62:dc:cb:1f:e4:3c:a2:9b:2a:53:a2:84:a3:0e:98:e3:ab:04:a7:1b:81:59:c6:f2:45:75:fb:42:d7:e1:65:55:e9:66:17:61:6f:d2:83:f3:1e:ea:93:6a:bc:e7:af:8c:83:2b:9f:3b:02:bc:8f:6b:25:10:55:c8:0d:33:89:45:38:ce:ec:16:23:0a:9a:ac:5f:16:19:8e:c6:2f:b3:53:e6:04:36:be:38:62:5f:a6:66:fe:2c:b0:e9:3a:42:96:c0:6e:35:71:a3:2b:58:4f:52:1d:31:f9:fd:f0:46:d
4:86:ae:e5:b7:7d:76:68:5c:a2:9d:75:f4:f9:23:4a:74:4a:b5:b4:0a:2f:fe:b5:b0:76:2a:6c:3b:fc:87:60:61:3e:4f:2d:82:78:82:0a:81:4e:d0:9f:2e:9d:2e:8f:89:f8:6f:24:6f:e2:fd:6c:97:a6",
        "tls.app_data_proto": "Hypertext Transfer Protocol"
      }
    },
    "websocket": {
      "websocket.fin": "1",
      "websocket.rsv": "0x04",
      "websocket.pmc": "1",
      "websocket.opcode": "1",
      "websocket.mask": "0",
      "websocket.payload_length": "126",
      "websocket.payload_length_ext_16": "695",
      "websocket.payload": {
        "websocket.payload.text": "{\"content\":\"{\\\"connectionId\\\":\\\"7adacc02-0303-4f40-bda3-57508d4bab21\\\",\\\"jsonRpcMsg\\\":{\\\"id\\\":\\\"637b3a4f-804b-4c7e-aaaf-0d70e15d475f\\\",\\\"jsonrpc\\\":\\\"2.0\\\",\\\"result\\\":{\\\"candidates\\\":[{\\\"sdpMLineIndex\\\":0,\\\"sdpMid\\\":\\\"\\\",\\\"candidate\\\":\\\"candidate:3881327147 1 udp 659136 10.1.2.125 31118 typ host generation 0\\\"}],\\\"mediaLegId\\\":\\\"7adacc02-0303-4f40-bda3-57508d4bab21\\\",\\\"sdp\\\":\\\"v=0\\\\no=AmazonConnect 1735284758 1735284759 IN IP4 10.1.2.125\\\\ns=AmazonConnect\\\\nc=IN IP4 10.1.2.125\\\\nt=0 0\\\\na=msid-semantic: WMS b4sFgrxpiZgTZzXeVcexMxhxkuPhW5qY\\\\nm=audio 31118 UDP/TLS/RTP/SAVPF 111 110\\\\na=rtpmap:111 opus/48000/2\\\\na=fmtp:111 useinbandfec=1; minptime=20\\\\na=rtpmap:110 telephone-event/48000\\\\na=silenceSupp:off - - - -\\\\na=ptime:20\\\\na=sendrecv\\\\na=fingerprint:sha-256 6D:7A:05:C7:AC:01:D0:E8:97:DA:07:9C:F1:25:A9:8D:4A:C8:07:91:4A:B2:1A:A1:B0:9B:77:BE:3B:96:63:EB\\\\na=setup:active\\\\na=rtcp-mux\\\\na=rtcp:31118 IN IP4 10.1.2.125\\\\na=ice-ufrag:IG1l38IesnmfjC3a\\\\na=ice-pwd:bn614i0BBIYkeqOMWFXQDwVV\\\\na=end-of-candidates\\\\na=ssrc:1534371060 cname:0Jt60Rm8HsSwSFBD\\\\na=ssrc:1534371060 msid:b4sFgrxpiZgTZzXeVcexMxhxkuPhW5qY a0\\\\na=ssrc:1534371060 mslabel:b4sFgrxpiZgTZzXeVcexMxhxkuPhW5qY\\\\na=ssrc:1534371060 label:b4sFgrxpiZgTZzXeVcexMxhxkuPhW5qYa0\\\\n\\\"}}}\",\"contentType\":\"application/json\",\"topic\":\"aws/softphone\"}"
      }
    },
    "data-text-lines": {
      " […]{\"content\":\"{\\\"connectionId\\\":\\\"7adacc02-0303-4f40-bda3-57508d4bab21\\\",\\\"jsonRpcMsg\\\":{\\\"id\\\":\\\"637b3a4f-804b-4c7e-aaaf-0d70e15d475f\\\",\\\"jsonrpc\\\":\\\"2.0\\\",\\\"result\\\":{\\\"candidates\\\":[{\\\"sdpMLineIndex\\\":0,\\\"sdpMid\\\":\\\"\\\",\\\"candidate\\\"": ""
    }
  }
}

}