Wireshark-bugs: [Wireshark-bugs] [Bug 9875] New: SSL Hello Client

Date: Wed, 12 Mar 2014 12:26:59 +0000
Bug ID 9875
Summary SSL Hello Client
Classification Unclassified
Product Wireshark
Version 1.10.5
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 12627
This shows the expanded packets with data using SSL.

Build Information:
Version 1.10.5 (SVNRev 54262 from /trunk-1.10)
--
I have been trying to troubleshoot a problem involving FTPS (SSL/TLS). The file
transfer was taking an extraordinarily long time to complete.

I had been taking sniffer traces from IBM z/OS 1.13 using NBA Pilot. This
invokes Wireshark. I then create a PCAP to feed into Inside the Stack, where I can
generate reports. One of them is SSL Problem Finder. It indicated that there
were 5 Hello Clients.

The IBM z/OS 1.13 is acting as the client, using a job. It is trying to do FTPS with a
server that was written by a business partner on a Linux platform.

I expect to see 2. The 1st is part of the initial connection to the Control Port. The
2nd is the result of doing Passive and connecting to the Data Port at the server.

Why would I then see 3 additional Hello Clients while the data transfer is going
on?

I looked at the sniffer trace in question. I opened it with Wireshark and went to
those packets. I saw that they were being reported as Hello Client.

I opened a ticket with IBM about this. The following is their response:

   Sorry, please ignore the previous update.  I was composing it then
   accidentally hit the Enter button.

   What I meant to say was that frame numbers 50029, 51355, and 63129 in
   the large sniffer trace (session between port 5565 and 3088) are all
   encrypted data packets (not hellos) because they carry this sequence
   of bytes:  1703010015.  If this was a hello packet, it would start
   with this sequence of bytes: 160301xxxx01.

   To illustrate, here's what you see in frame number 50029:

0000  00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00   ..............E.
0010  05 8c 65 7c 40 00 30 06 22 92 cc 5a e6 04 0a be   ..e|@.0."..Z....
0020  00 41 0c 10 15 bd 93 a5 db 29 ec f4 99 64 80 10   .A.......)...d..
0030  06 b4 4d 4a 00 00 01 01 08 0a cd db 82 c0 a4 f7   ..MJ............
0040  a3 d7 0a 25 e2 68 70 53 af 7e 0e 70 7e 8d 92 23   ...%.hpS.~.p~..#
0050  cb 3b a0 65 17 03 01 00 15 77 67 e4 f6 e1 59 ab   .;.e.....wg...Y.
0060  84 36 b9 54 1c eb bc d6 36 a9 be 3d 86 7f 17 03   .6.T....6..=....
0070  01 00 15 1f 0d 90 95 37 7d 56 48 a7 a4 9d 9a 49   .......7}VH....I
0080  f1 70 49 cb 4d 71 15 6f 17 03 01 00 15 a0 ee e6   .pI.Mq.o........
0090  2b 80 39 6c ac 76 85 16 dd 52 9c da e5 76 47 51   +.9l.v...R...vGQ
00a0  ef 78 17 03 01 00 15 23 26 3d b1 a9 2d ab 7c ac   .x.....#&=..-.|.
00b0  6c ab ea b1 ad f9 2e 40 a5 aa 3b 6c 17 03 01 00   l......@..;l....
00c0  15 f8 99 3c 24 4b b1 46 55 a5 80 0f 9d e7 0c 41   ...<$K.FU......A
00d0  cf 25 6c 72 ae 82 17 03 01 00 15 c5 ac f2 0c 36   .%lr...........6
00e0  20 0e 4f 63 77 74 b2 ff 77 c6 4c 21 b3 9e 94 74    .Ocwt..w.L!...t
00f0  17 03 01 00 15 83 d3 6a 4f dd 4c c3 94 64 22 71   .......jO.L..d"q
0100  04 ba 49 08 16 cb ec 3c 8f 70 17 03 01 00 15 ad   ..I....<.p......
0110  4f ac 89 5e d2 89 66 83 22 5b 88 51 36 99 d6 82   O..^..f."[.Q6...
0120  a0 c2 30 2c 17 03 01 00 15 94 80 e5 9d a0 a7 ee   ..0,............
0130  ae 2f d5 2e 43 5d 6d 31 c9 97 68 52 28 e2 17 03   ./..C]m1..hR(...
0140  01 00 15 bc 00 37 31 bc cf 03 23 63 de 42 56 fa   .....71...#c.BV.
0150  a8 06 14 64 ef 10 0f 24 17 03 01 00 15 96 b9 d8   ...d...$........
0160  ae ba 4a f3 ad 45 76 f4 9d af cd 80 41 80 78 fa   ..J..Ev.....A.x.
0170  85 1a 17 03 01 00 15 e0 e4 3b ea 56 d8 bd 35 88   .........;.V..5.
0180  54 67 83 a9 ac 28 c3 0a 9e 6e e8 79 17 03 01 00   Tg...(...n.y....
0190  15 1a f4 dc 98 83 ee c2 5d cb b6 7f 29 f3 02 45   ........]...)..E
01a0  7b 29 cc 41 2a 3f 17 03 01 00 15 0c ce 5d 84 8f   {).A*?.......]..
01b0  48 7a 53 55 3c 32 a9 81 47 6e ab 22 fe fc 13 87   HzSU<2..Gn."....
01c0  17 03 01 00 15 fc ae d0 5f 9f cb 28 9d 58 1b 04   ........_..(.X..
01d0  4d 22 6a 8c a8 7b 57 8f e0 9d 17 03 01 00 15 10   M"j..{W.........
01e0  29 ea 97 5f f6 93 f8 06 8a 74 30 fe f8 62 b9 3d   ).._.....t0..b.=
01f0  38 4a 3b 2a 17 03 01 00 15 16 c1 4f 84 73 51 c8   8J;*.......O.sQ.
0200  f8 95 b4 24 ac 9b 43 f5 cb 56 1c f7 91 67 17 03   ...$..C..V...g..

   You should see sequence 1703010015 several times from the excerpt
   above, which indicates that they're all SSL data messages, not
   hellos.

Unfortunately the sniffer trace is quite large. This is because the file to be
transferred was 1.83 million bytes, but over 47 million bytes got transferred.
The total number of packets was almost 70k.

I am attaching a print of the 3 packets in question.
