I have been actively pursuing an issue that seems to have little documentation or reference material on, e.g. Google and TCP/SSL experts. I have been trying to identify why, when using SSLv3 and TLSv1.0, I find excessive "Ignored Unknown Record" and [Unreassembled Packet] responses in the capture decodes in the Wireshark captures. When using SSLv2 I see nothing to that effect and the full communications between the web client and web server are clean.

Can anyone speak to the effect that this is either a true issue or a false positive by Wireshark when decoding the captures? I have heard the argument about the TOE (TCP Offloading) and the effects that can have. But if you have verified that TOE is turned off on both the Server and the Client and still find the problem, what next?

Feedback on this would be greatly appreciated; technical reference material and whitepapers would be even better. Thanks in advance.

This question is marked "community wiki".
asked 27 Oct '10, 06:51 ChipPowell
2 Answers:
Wireshark is showing you traffic that is not reassembled. Let Wireshark do reassembly. Select Edit > Preferences > Protocols > TCP and check Allow Subdissector to Reassemble TCP Streams. Better?

answered 27 Oct '10, 21:11 lchappell ♦
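Why per-segment decoding produces these labels, as an added example that is not part of the original answer and is not Wireshark's code: a simplified Python model that parses TLS record headers once per TCP segment and once over the reassembled stream. The two-record stream, the 1460-byte segment size and all function names are constructed for illustration.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def build_record(ctype, payload, version=(3, 1)):
    """TLS record: 1-byte type, 2-byte version, 2-byte length, payload."""
    return struct.pack("!BBBH", ctype, *version, len(payload)) + payload

def parse_records(buf):
    """Return (labels of complete records, bytes still waiting for more data)."""
    labels, pos = [], 0
    while len(buf) - pos >= 5:
        ctype, major, _minor, length = struct.unpack_from("!BBBH", buf, pos)
        if ctype not in CONTENT_TYPES or major != 3:
            # Not a record header: we started in the middle of a record.
            labels.append("Ignored Unknown Record")
            return labels, b""
        if len(buf) - pos - 5 < length:
            break                      # record continues in a later segment
        labels.append(CONTENT_TYPES[ctype])
        pos += 5 + length
    return labels, buf[pos:]

def dissect_per_segment(segments):
    """No reassembly: every TCP segment is parsed as if it began a record."""
    out = []
    for seg in segments:
        labels, leftover = parse_records(seg)
        if leftover:
            labels.append("[Unreassembled Packet]")
        out.append(labels)
    return out

def dissect_reassembled(segments):
    """Reassembly: incomplete bytes are carried into the next segment."""
    out, pending = [], b""
    for seg in segments:
        labels, pending = parse_records(pending + seg)
        out.append(labels)
    return out

# Constructed sample: a 2000-byte handshake record followed by a 100-byte
# application_data record, cut at an assumed 1460-byte segment size.
STREAM = build_record(22, b"\xaa" * 2000) + build_record(23, b"\xbb" * 100)
SEGMENTS = [STREAM[i:i + 1460] for i in range(0, len(STREAM), 1460)]

if __name__ == "__main__":
    print("per segment:", dissect_per_segment(SEGMENTS))
    print("reassembled:", dissect_reassembled(SEGMENTS))
```
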
Same problem and went to Select Edit > Preferences > Protocols > TCP > Allow Subdissector to Reassemble TCP Streams... but found it's already checked. Should I look at some alternate settings etc. as well? Thanks

answered 24 Aug '11, 06:56 nine