On Tue, Apr 10, 2007 at 11:07:29AM -0400, Small, James wrote:
> Hello,
>
> When using Wireshark 0.99.5 on Windows, sometimes I see:
> [Malformed Packet: SSL]
>
> e.g.:
> No. Time Source Destination Protocol Src
> Port Dst Port Delta Info
> 381 15.301101 172.24.101.100 172.24.100.107 TLSv1 443
> 1136 0.017923 Application Data, [Malformed Packet]
> Frame 381 (1314 bytes on wire, 1314 bytes captured)
> Arrival Time: Apr 10, 2007 10:20:40.195898000
> [Time delta from previous packet: 0.017923000 seconds]
> [Time since reference or first frame: 15.301101000 seconds]
> Frame Number: 381
> Packet Length: 1314 bytes
> Capture Length: 1314 bytes
> [Frame is marked: True]
> [Protocols in frame: eth:ip:tcp:http:ssl]
> [Coloring Rule Name: HTTP]
> [Coloring Rule String: http || tcp.port == 80]
> Ethernet II, Src: StBernar_00:8c:e5 (00:07:e8:00:8c:e5), Dst: Dell_00:be:6b
> (00:12:3f:00:be:6b)
> Internet Protocol, Src: 172.24.101.100 (172.24.101.100), Dst: 172.24.100.107
> (172.24.100.107)
> Transmission Control Protocol, Src Port: 3128 (3128), Dst Port: 1136 (1136),
> Seq: 9184, Ack: 1341, Len: 1260
> Hypertext Transfer Protocol
> Secure Socket Layer
> TLSv1 Record Layer: Application Data Protocol: http
> Content Type: Application Data (23)
> Version: TLS 1.0 (0x0301)
> Length: 1048
> Encrypted Application Data:
> 986EF11CE4141826D529372C664768C27C0E749FFC4BB768...
> [Malformed Packet: SSL]
>
> Is the packet really malformed, or is it possible that Wireshark
> doesn't support the cipher being used? If so, is there any way to
> tell if the packet is really malformed versus Wireshark just not
> understanding it/the encryption scheme?

Hmmm... it does not look like an unsupported cipher, because then the
whole session should be malformed. And next to that, Wireshark gives a
message about unsupported ciphers...

If you look at the frame info, it shows protocols in frame:

[Protocols in frame: eth:ip:tcp:http:ssl]

From the used tcp-port (3128) it shows that this is a proxied SSL session
(many proxies use 3128 as proxy-port). I think somehow the SSL dissector
has problems with SSL over a proxy.

Could you file this as a bug on bugzilla with a sample trace (with the
whole tcp-session if possible)?

Cheers,

Sake
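
An added example, not part of the original thread and not Wireshark's code: one way to check TLS record framing in a TCP payload independently of the dissector, separating records that are complete, records that run past the end of the segment, and bytes that are not a TLS record header at all. The sample bytes are constructed (they reuse the 1260-byte segment and 1048-byte record sizes from the frame above, with an assumed 1400-byte second record) and say nothing about the cause in the poster's capture; `walk_records` and `sample_segment` are hypothetical names.

```python
import struct

# TLS record content types from the TLS record layer specification
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert",
                 22: "Handshake", 23: "Application Data"}
MAX_FRAGMENT = 2**14 + 2048  # upper bound for an encrypted record fragment


def walk_records(payload):
    """Walk TLS record headers in a TCP payload.

    Returns a list of (status, type, version, length) tuples where status is
    "complete", "truncated" (the record or its header runs past the end of
    the buffer, so later TCP segments are needed) or "invalid" (the bytes at
    this offset do not form a plausible TLS record header).
    """
    out, off = [], 0
    while off < len(payload):
        if len(payload) - off < 5:
            out.append(("truncated", None, None, None))  # partial 5-byte header
            break
        ctype, version, length = struct.unpack_from("!BHH", payload, off)
        if ctype not in CONTENT_TYPES or version >> 8 != 3 or length > MAX_FRAGMENT:
            out.append(("invalid", ctype, version, length))
            break
        if off + 5 + length > len(payload):
            out.append(("truncated", CONTENT_TYPES[ctype], version, length))
            break
        out.append(("complete", CONTENT_TYPES[ctype], version, length))
        off += 5 + length
    return out


def sample_segment():
    """Constructed 1260-byte payload: one full 1048-byte record, then the
    first 207 bytes of an assumed 1400-byte second record."""
    first = struct.pack("!BHH", 23, 0x0301, 1048) + bytes(1048)
    second = struct.pack("!BHH", 23, 0x0301, 1400) + bytes(1400)
    return (first + second)[:1260]


if __name__ == "__main__":
    for record in walk_records(sample_segment()):
        print(record)
```

A "truncated" result means the framing is consistent and the rest of the record should appear in the following segments of the same TCP stream; an "invalid" result at offset 0 of a reassembled stream means the bytes are not TLS records at that point.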