
Hi all,

What would be the possible reasons for Wireshark not showing a decrypted WCF response? I have successfully decrypted the request information from a WCF service for dummies, but can't get the response to be decrypted.

These are the frames of interest:

    74 -60.405045 HTTP/XML 288 POST /Service1.svc HTTP/1.1
    75 -60.404223 TLSv1 576 [SSL segment of a reassembled PDU], Application Data

Looking at the request frame detail, this is what I get (which is ok):

    POST /Service1.svc HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/IService1/GetData"
    Host: myazurecloudservice2.cloudapp.net
    Content-Length: 157
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive

    <s:envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:body><getdata xmlns="http://tempuri.org/"><value>0</value></getdata></s:body></s:envelope>

But I still can't see the decrypted response. What am I missing?

Thanks in advance!

asked 24 Jul, 09:29

c4rlosmarin

edited 25 Jul, 10:46


cmaynard ♦♦

Some checks you could perform to investigate why the decrypted data is not shown:

  1. Check the Decrypted SSL byte view tab (normally at the bottom of the screen) for the Content-Length header. From this you will learn how much data to expect. If it is a small value, it will probably fit in a few frames. If there is no Decrypted SSL (or Decrypted SSL data in Wireshark 2.2 and before), then it indicates that decryption failed for some reason.
  2. "SSL segment of a reassembled PDU" indicates that the response has not been fully received yet; it will be fully reassembled in a later packet. But when TCP segments appear out-of-order, then it will mess up the dissection and decryption state. If this happens, decryption will fail and the response will not be shown.

answered 24 Jul, 20:45

Lekensteyn

Hi Lekensteyn,

Decrypted SSL byte view tab is just showing "48 H":


Here is the information from the SSL debug file

By the way, that last one (frame 61) is the only frame the server sends for the WCF response; the client successfully gets the response but the trace from the server doesn't show it as a decrypted packet.


(25 Jul, 13:46) c4rlosmarin

I suppose the H is part of the headers, starting with HTTP/1.1 200 OK. Indeed, the decrypted data is shown on the first pass, but not in the second one. Can you file a bug report with the attached pcap?

(28 Jul, 07:21) Lekensteyn

Hi Lekensteyn,

I've submitted a bug with the required information: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13943


(03 Aug, 13:05) c4rlosmarin
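
The second check in the answer above depends on whether the server-to-client TCP segments were seen in sequence order. As an added example (not part of the original thread, and not Wireshark's own logic), this Python function flags gaps, late segments and repeated bytes in a list of (frame, relative sequence number, payload length) rows; the rows are constructed and sequence-number wraparound is ignored.

```python
# Constructed sample: (frame number, relative tcp.seq, tcp.len) for the
# server-to-client direction of one TCP stream. Not taken from the capture
# discussed in this thread.
SAMPLE = [
    (10, 1, 1460),
    (12, 2921, 1460),   # arrives before the bytes at 1461..2920
    (13, 1461, 1460),   # late segment that fills the hole
    (14, 4381, 300),
    (15, 4381, 300),    # same bytes again
]

def find_reassembly_problems(segments):
    """Return (frame, kind, detail) for every segment that breaks in-order delivery."""
    problems = []
    holes = []          # [start, end) byte ranges skipped so far
    expected = None     # next in-order sequence number
    for frame, seq, length in segments:
        if length == 0:
            continue    # pure ACKs carry no TLS record bytes
        end = seq + length
        if expected is None or seq == expected:
            expected = end
        elif seq > expected:
            holes.append((expected, seq))
            problems.append((frame, "gap", f"bytes {expected}-{seq - 1} not seen yet"))
            expected = end
        else:
            filled = [h for h in holes if h[0] < end and seq < h[1]]
            if filled:
                # Simplification: a segment that touches a hole is treated as closing it.
                holes = [h for h in holes if h not in filled]
                problems.append((frame, "out-of-order", f"fills bytes {seq}-{end - 1}"))
            else:
                problems.append((frame, "retransmission", f"repeats bytes {seq}-{end - 1}"))
            expected = max(expected, end)
    for start, stop in holes:
        problems.append((None, "missing", f"bytes {start}-{stop - 1} never captured"))
    return problems

if __name__ == "__main__":
    for problem in find_reassembly_problems(SAMPLE):
        print(problem)
```

Rows in this shape can be exported with tshark's `-T fields -e frame.number -e tcp.seq -e tcp.len` for one direction of one stream. An empty result means segment ordering is not the reason the response failed to decrypt.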