https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5137
Summary: SSL record reassembly issue
Product: Wireshark
Version: 1.2.1
Platform: x86-64
OS/Version: SuSE
Status: NEW
Severity: Major
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: dpantke@xxxxxxxxxxx
Build Information:
wireshark 1.2.1
Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.18.6, with GLib 2.22.4, with libpcap 1.0.0, with libz
1.2.3, with POSIX capabilities (Linux), with libpcre 7.9, with SMI 0.4.5, with
c-ares 1.6.0, with Lua 5.1, with GnuTLS 2.4.1, with Gcrypt 1.4.4, with MIT
Kerberos, with GeoIP, with PortAudio V19-devel (built Oct 24 2009), without
AirPcap.
Running on Linux 2.6.31.12-0.2-desktop, with libpcap version 1.0.0, GnuTLS
2.4.1, Gcrypt 1.4.4.
Built using gcc 4.4.1 [gcc-4_4-branch revision 150839].
--
It appears that SSL record decoding is encountering a problem where the SSL
record header spans TCP segments. In this instance, Wireshark never picks up
the record, and so that, and all subsequent SSL records in the TCP stream, are
listed as a "malformed packet".
Attached is the capture showing the issue. The frame of note is 30722. In this
frame, the SSL decoder has reassembled all of the TCP segments for this record,
but if you examine the end of the record data, you'll see the start of a new
record. However, the last byte of the length header is in frame 30749. Frame
30750 then shows as Malformed Packet, and all further SSL record in the stream
are listed as Malformed.
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.