Wireshark-bugs: [Wireshark-bugs] [Bug 11670] New: Protocol SSL isn't really SSL
Date: Mon, 02 Nov 2015 17:45:20 +0000
Bug ID | 11670 |
---|---|
Summary | Protocol SSL isn't really SSL |
Product | Wireshark |
Version | 1.12.5 |
Hardware | x86 |
OS | Windows 7 |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | Dissection engine (libwireshark) |
Assignee | [email protected] |
Reporter | [email protected] |
Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark -v", or "tshark -v".
--
I have been doing an analysis of an IBM z/OS environment. I notice something very strange. It seems that when I turn on decode to do SSL I get packets that are indicated to be SSL/TLS but aren't. I used NBA for Z/OS from Service Pilot to capture packets that I fed into Wireshark. The following shows a packet with SSL indicated:

    No.     Time                          Source        Destination   Protocol Length Info
       1010 2015-11-02 11:51:40.668670000 10.217.10.76  10.190.0.65   SSL      953    Continuation Data

    Frame 1010: 953 bytes on wire (7624 bits), 953 bytes captured (7624 bits)
        Encapsulation type: Ethernet (1)
        Arrival Time: Nov 2, 2015 11:51:40.668670000 Eastern Standard Time
        [Time shift for this packet: 0.000000000 seconds]
        Epoch Time: 1446483100.668670000 seconds
        [Time delta from previous captured frame: 0.000082000 seconds]
        [Time delta from previous displayed frame: 0.000082000 seconds]
        [Time since reference or first frame: 1.060650000 seconds]
        Frame Number: 1010
        Frame Length: 953 bytes (7624 bits)
        Capture Length: 953 bytes (7624 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ethertype:ip:tcp:ssl]
    Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
        Destination: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        Source: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        Type: IP (0x0800)
    Internet Protocol Version 4, Src: 10.217.10.76 (10.217.10.76), Dst: 10.190.0.65 (10.190.0.65)
        Version: 4
        Header Length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
        Total Length: 939
        Identification: 0x91ff (37375)
        Flags: 0x02 (Don't Fragment)
            0... .... = Reserved bit: Not set
            .1.. .... = Don't fragment: Set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 61
        Protocol: TCP (6)
        Header checksum: 0x882a [validation disabled]
            [Good: False]
            [Bad: False]
        Source: 10.217.10.76 (10.217.10.76)
        Destination: 10.190.0.65 (10.190.0.65)
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    Transmission Control Protocol, Src Port: 40193 (40193), Dst Port: 4043 (4043), Seq: 16291, Ack: 134021, Len: 887
        Source Port: 40193 (40193)
        Destination Port: 4043 (4043)
        [Stream index: 3]
        [TCP Segment Len: 887]
        Sequence number: 16291 (relative sequence number)
        [Next sequence number: 17178 (relative sequence number)]
        Acknowledgment number: 134021 (relative ack number)
        Header Length: 32 bytes
        .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...1 .... = Acknowledgment: Set
            .... .... 1... = Push: Set
            .... .... .0.. = Reset: Not set
            .... .... ..0. = Syn: Not set
            .... .... ...0 = Fin: Not set
        Window size value: 647
        [Calculated window size: 647]
        [Window size scaling factor: -1 (unknown)]
        Checksum: 0x48dc [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
        Urgent pointer: 0
        Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            Timestamps: TSval 10956476, TSecr 675439395
                Kind: Time Stamp Option (8)
                Length: 10
                Timestamp value: 10956476
                Timestamp echo reply: 675439395
        [SEQ/ACK analysis]
            [Bytes in flight: 887]
    Secure Sockets Layer

    0000  00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00   ..............E.
    0010  03 ab 91 ff 40 00 3d 06 88 2a 0a d9 0a 4c 0a be   ....@.=..*...L..
    0020  00 41 9d 01 0f cb f8 fe 07 99 14 fd fe 3f 80 18   .A...........?..
    0030  02 87 48 dc 00 00 01 01 08 0a 00 a7 2e bc 28 42   ..H...........(B
    0040  63 23 00 00 03 77 45 42 43 46 00 00 20 00 01 00   c#...wEBCF.. ...
    0050  00 01 31 35 4e 6f 76 20 32 2d 30 35 30 32 30 32   ..15Nov 2-050202
    0060  2d 30 30 30 30 30 30 2d 30 31 31 54 57 53 80 01   -000000-011TWS..
    0070  09 24 00 00 02 7c 00 00 00 24 00 00 00 00 00 00   .$...|...$......
    0080  00 00 00 00 03 4b 03 00 00 00 00 00 00 00 00 00   .....K..........
    0090  00 00 42 58 53 31 50 32 34 30 20 20 20 20 20 20   ..BXS1P240
    00a0  20 20 20 31 30 30 39 34 30 36 30 30 30 31 20 20      10094060001
    00b0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    00c0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    00d0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    00e0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    00f0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0100  20 20 20 20 20 20 20 20 30 30 30 32 34 30 30 34           00024004
    0110  30 31 20 20 20 20 20 20 20 20 31 34 30 33 30 30   01        140300
    0120  30 33 38 30 31 20 20 20 20 20 20 20 20 20 20 20   03801
    0130  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0140  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0150  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0160  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0170  20 20 31 32 20 20 20 20 20 20 20 20 20 20 20 20     12
    0180  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0190  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    01a0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    01b0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    01c0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    01d0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    01e0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    01f0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0200  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0210  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0220  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0230  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0240  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0250  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0260  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0270  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0280  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0290  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    02a0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    02b0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    02c0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    02d0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    02e0  20 20 20 20 20 20 20 20 20 20 2c 42 49 44 3d 6d             ,BID=m
    02f0  76 73 70 2e 6e 79 63 6e 65 74 3a 34 30 34 33 2c   vsp.nycnet:4043,
    0300  46 3d 53 45 4e 44 2c 55 49 44 3d 55 73 65 72 42   F=SEND,UID=UserB
    0310  49 53 2c 43 49 44 3d 4e 4f 4e 45 2c 53 43 3d 50   IS,CID=NONE,SC=P
    0320  38 31 30 41 2c 53 4e 3d 42 49 53 50 50 48 32 2c   810A,SN=BISPPH2,
    0330  53 56 3d 42 49 53 57 45 42 53 45 52 56 49 43 45   SV=BISWEBSERVICE
    0340  30 32 2c 57 3d 33 30 53 2c 53 4c 3d 36 30 30 2c   02,W=30S,SL=600,
    0350  52 4c 3d 37 31 36 38 2c 4c 53 3d 41 53 43 49 49   RL=7168,LS=ASCII
    0360  2c 41 50 49 3d 39 2c 58 52 4c 3d 30 2c 41 4e 4f   ,API=9,XRL=0,ANO
    0370  44 45 3d 6d 74 70 6c 76 61 2d 64 6f 62 62 69 73   DE=mtplva-dobbis
    0380  77 65 62 2c 41 54 59 50 45 3d 4a 61 76 61 2c 41   web,ATYPE=Java,A
    0390  56 45 52 53 3d 38 2e 30 2e 30 2e 30 2c 41 4e 41   VERS=8.0.0.0,ANA
    03a0  4d 45 3d 4a 61 76 61 20 52 75 6e 74 69 6d 65 2c   ME=Java Runtime,
    03b0  45 54 58 4c 3d 32 35 36 2e                        ETXL=256.

Why would WIRESHARK think that the packet is SSL?

You are receiving this mail because:
- You are watching all bug changes.
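
A way to check the reporter's observation independently, as an added example (not part of the original report and not Wireshark's dissector code): it tests the first payload bytes of frame 1010 against the SSLv3/TLS record header layout and the SSLv2 hello layout. The function names, the classification labels and the constructed TLS sample are assumptions for illustration; the frame bytes and segment length come from the report.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_TLS_RECORD_LEN = 2**14 + 2048   # largest TLSCiphertext fragment

def parse_tls_record_header(payload):
    """Return (content_type, (major, minor), length) when the payload begins
    with a plausible SSLv3/TLS record header, otherwise None."""
    if len(payload) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return None
    if length > MAX_TLS_RECORD_LEN:
        return None
    return TLS_CONTENT_TYPES[ctype], (major, minor), length

def looks_like_sslv2_hello(payload):
    """SSLv2 hello: 2-byte header with the top bit set, then message type
    1 (CLIENT-HELLO) or 4 (SERVER-HELLO)."""
    return len(payload) >= 3 and bool(payload[0] & 0x80) and payload[2] in (1, 4)

def classify(payload, segment_len):
    """Classify the first bytes of a TCP segment's payload."""
    if parse_tls_record_header(payload):
        return "tls-record"
    if looks_like_sslv2_hello(payload):
        return "sslv2-hello"
    # Observation from the bytes only, not a statement about the protocol spec:
    # a 4-byte big-endian value equal to the segment length.
    if len(payload) >= 4 and struct.unpack("!I", payload[:4])[0] == segment_len:
        return "length-prefixed-non-tls"
    return "unknown"

# First 8 payload bytes of frame 1010: offset 0x42 in the reported frame
# (14-byte Ethernet + 20-byte IP + 32-byte TCP header = 66 bytes).
FRAME_1010_PAYLOAD = bytes.fromhex("00 00 03 77 45 42 43 46")
FRAME_1010_SEGMENT_LEN = 887        # "TCP Segment Len" from the report

# Constructed sample for contrast: start of a TLS 1.0 handshake record.
CONSTRUCTED_TLS = bytes.fromhex("16 03 01 00 2f 01 00 00 2b")

if __name__ == "__main__":
    print(classify(FRAME_1010_PAYLOAD, FRAME_1010_SEGMENT_LEN))
    print(classify(CONSTRUCTED_TLS, len(CONSTRUCTED_TLS)))
```

The reported payload opens with `00 00 03 77`, which is 887 as a big-endian integer and matches the TCP segment length, while byte 0 (`0x00`) is not a TLS content type.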