Wireshark-bugs: [Wireshark-bugs] [Bug 11670] New: Protocol SSL isn't really SSL

Date: Mon, 02 Nov 2015 17:45:20 +0000
Bug ID 11670
Summary Protocol SSL isn't really SSL
Product Wireshark
Version 1.12.5
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark -v", or "tshark -v".
--
I have been doing an analysis of an IBM z/OS environment. I noticed something very
strange. It seems that when I turn on decode as SSL I get packets that are
indicated to be SSL/TLS but aren't.

I used NBA for z/OS from Service Pilot to capture packets that I fed into
Wireshark.

The following shows a packet with SSL indicated:


No.     Time                          Source                Destination           Protocol Length Info
   1010 2015-11-02 11:51:40.668670000 10.217.10.76          10.190.0.65           SSL      953    Continuation Data

Frame 1010: 953 bytes on wire (7624 bits), 953 bytes captured (7624 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov  2, 2015 11:51:40.668670000 Eastern Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1446483100.668670000 seconds
    [Time delta from previous captured frame: 0.000082000 seconds]
    [Time delta from previous displayed frame: 0.000082000 seconds]
    [Time since reference or first frame: 1.060650000 seconds]
    Frame Number: 1010
    Frame Length: 953 bytes (7624 bits)
    Capture Length: 953 bytes (7624 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:ssl]
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Destination: 00:00:00_00:00:00 (00:00:00:00:00:00)
        Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 00:00:00_00:00:00 (00:00:00:00:00:00)
        Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.217.10.76 (10.217.10.76), Dst: 10.190.0.65 (10.190.0.65)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 939
    Identification: 0x91ff (37375)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 61
    Protocol: TCP (6)
    Header checksum: 0x882a [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.217.10.76 (10.217.10.76)
    Destination: 10.190.0.65 (10.190.0.65)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 40193 (40193), Dst Port: 4043 (4043), Seq: 16291, Ack: 134021, Len: 887
    Source Port: 40193 (40193)
    Destination Port: 4043 (4043)
    [Stream index: 3]
    [TCP Segment Len: 887]
    Sequence number: 16291    (relative sequence number)
    [Next sequence number: 17178    (relative sequence number)]
    Acknowledgment number: 134021    (relative ack number)
    Header Length: 32 bytes
    .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 647
    [Calculated window size: 647]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x48dc [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 10956476, TSecr 675439395
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 10956476
            Timestamp echo reply: 675439395
    [SEQ/ACK analysis]
        [Bytes in flight: 887]
Secure Sockets Layer

0000  00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00   ..............E.
0010  03 ab 91 ff 40 00 3d 06 88 2a 0a d9 0a 4c 0a be   ....@.=..*...L..
0020  00 41 9d 01 0f cb f8 fe 07 99 14 fd fe 3f 80 18   .A...........?..
0030  02 87 48 dc 00 00 01 01 08 0a 00 a7 2e bc 28 42   ..H...........(B
0040  63 23 00 00 03 77 45 42 43 46 00 00 20 00 01 00   c#...wEBCF.. ...
0050  00 01 31 35 4e 6f 76 20 32 2d 30 35 30 32 30 32   ..15Nov 2-050202
0060  2d 30 30 30 30 30 30 2d 30 31 31 54 57 53 80 01   -000000-011TWS..
0070  09 24 00 00 02 7c 00 00 00 24 00 00 00 00 00 00   .$...|...$......
0080  00 00 00 00 03 4b 03 00 00 00 00 00 00 00 00 00   .....K..........
0090  00 00 42 58 53 31 50 32 34 30 20 20 20 20 20 20   ..BXS1P240      
00a0  20 20 20 31 30 30 39 34 30 36 30 30 30 31 20 20      10094060001  
00b0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
00c0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
00d0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
00e0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
00f0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0100  20 20 20 20 20 20 20 20 30 30 30 32 34 30 30 34           00024004
0110  30 31 20 20 20 20 20 20 20 20 31 34 30 33 30 30   01        140300
0120  30 33 38 30 31 20 20 20 20 20 20 20 20 20 20 20   03801           
0130  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0140  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0150  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0160  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0170  20 20 31 32 20 20 20 20 20 20 20 20 20 20 20 20     12            
0180  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0190  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
01a0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
01b0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
01c0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
01d0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
01e0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
01f0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0200  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0210  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0220  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0230  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0240  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0250  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0260  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0270  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0280  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0290  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
02a0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
02b0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
02c0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
02d0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
02e0  20 20 20 20 20 20 20 20 20 20 2c 42 49 44 3d 6d             ,BID=m
02f0  76 73 70 2e 6e 79 63 6e 65 74 3a 34 30 34 33 2c   vsp.nycnet:4043,
0300  46 3d 53 45 4e 44 2c 55 49 44 3d 55 73 65 72 42   F=SEND,UID=UserB
0310  49 53 2c 43 49 44 3d 4e 4f 4e 45 2c 53 43 3d 50   IS,CID=NONE,SC=P
0320  38 31 30 41 2c 53 4e 3d 42 49 53 50 50 48 32 2c   810A,SN=BISPPH2,
0330  53 56 3d 42 49 53 57 45 42 53 45 52 56 49 43 45   SV=BISWEBSERVICE
0340  30 32 2c 57 3d 33 30 53 2c 53 4c 3d 36 30 30 2c   02,W=30S,SL=600,
0350  52 4c 3d 37 31 36 38 2c 4c 53 3d 41 53 43 49 49   RL=7168,LS=ASCII
0360  2c 41 50 49 3d 39 2c 58 52 4c 3d 30 2c 41 4e 4f   ,API=9,XRL=0,ANO
0370  44 45 3d 6d 74 70 6c 76 61 2d 64 6f 62 62 69 73   DE=mtplva-dobbis
0380  77 65 62 2c 41 54 59 50 45 3d 4a 61 76 61 2c 41   web,ATYPE=Java,A
0390  56 45 52 53 3d 38 2e 30 2e 30 2e 30 2c 41 4e 41   VERS=8.0.0.0,ANA
03a0  4d 45 3d 4a 61 76 61 20 52 75 6e 74 69 6d 65 2c   ME=Java Runtime,
03b0  45 54 58 4c 3d 32 35 36 2e                        ETXL=256.


Why would Wireshark think that the packet is SSL?
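As an added illustration (not part of the bug report and not Wireshark's own code), the following Python re-parses the first five lines of the hex dump above, walks the Ethernet, IPv4 and TCP headers to reach the payload, and applies the kind of record-header plausibility test a TLS dissector performs: content type in 20..23, version major 3, length within the TLS maximum. The hex-dump parser, the header walk and the check are written for this example; the sample "genuine" record header is a constructed value, not taken from the capture.

```python
"""Check whether the TCP payload of the reported frame is a TLS record.
Added example: parses the first five hex-dump lines from the bug report
(enough for the Ethernet, IP and TCP headers plus the start of the payload),
extracts the TCP payload and applies a TLS record-header plausibility test."""
import struct

# First five lines of the hex dump from the bug report; the remaining lines
# are not needed to inspect the record header.
WIRESHARK_HEXDUMP = """\
0000  00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00   ..............E.
0010  03 ab 91 ff 40 00 3d 06 88 2a 0a d9 0a 4c 0a be   ....@.=..*...L..
0020  00 41 9d 01 0f cb f8 fe 07 99 14 fd fe 3f 80 18   .A...........?..
0030  02 87 48 dc 00 00 01 01 08 0a 00 a7 2e bc 28 42   ..H...........(B
0040  63 23 00 00 03 77 45 42 43 46 00 00 20 00 01 00   c#...wEBCF.. ...
"""

# Constructed sample (not from the capture): the 5-byte header of a TLS 1.0
# handshake record carrying five filler bytes, to show what passes the check.
CONSTRUCTED_TLS_RECORD = bytes.fromhex("16 03 01 00 05") + b"\x00" * 5

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_MAX_RECORD_LEN = 2 ** 14 + 2048  # plaintext limit plus permitted expansion


def parse_hexdump(text):
    """Turn Wireshark's 'offset  hex bytes   ascii' lines back into bytes.
    Columns 6..52 hold the sixteen hex pairs; the ASCII column is ignored so a
    byte that prints as a hex-looking character is never double counted."""
    out = bytearray()
    for line in text.splitlines():
        if line.strip():
            out += bytes.fromhex(line[6:53])
    return bytes(out)


def tcp_payload(frame):
    """Walk Ethernet -> IPv4 -> TCP and return (src_port, dst_port,
    segment_len, payload).  segment_len is derived from the IP total length,
    so it is correct even though the frame bytes here are truncated."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ip + 2:ip + 4])[0]
    if frame[ip + 9] != 6:
        raise ValueError("not TCP")
    tcp = ip + ihl
    src, dst = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    segment_len = total_len - ihl - data_off
    return src, dst, segment_len, frame[tcp + data_off:]


def looks_like_tls_record(payload):
    """Return (verdict, reason).  A TLS record begins with a content type
    (20..23), a two-byte version whose major is 3, and a 16-bit length that
    cannot exceed 2^14 + 2048.  Bytes failing this test are what the SSL
    dissector reports as 'Continuation Data' once Decode As forces it on."""
    if len(payload) < 5:
        return False, "fewer than 5 bytes, no room for a record header"
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype not in TLS_CONTENT_TYPES:
        return False, f"content type 0x{ctype:02x} is not a TLS record type"
    if major != 3 or minor > 4:
        return False, f"version {major}.{minor} is not an SSL/TLS version"
    if length > TLS_MAX_RECORD_LEN:
        return False, f"record length {length} exceeds the TLS maximum"
    return True, TLS_CONTENT_TYPES[ctype]


def analyse_frame(hexdump_text):
    """Summarise one frame: ports, segment length, payload head, TLS verdict."""
    frame = parse_hexdump(hexdump_text)
    src, dst, seg_len, payload = tcp_payload(frame)
    verdict, reason = looks_like_tls_record(payload)
    return {
        "src_port": src, "dst_port": dst, "segment_len": seg_len,
        "payload_head": payload[:8].hex(),
        "tls": verdict, "reason": reason,
        # The 16-bit big-endian value at payload offset 2 (0x0377 here) reads
        # as the application's own length field; compare it with segment_len.
        "app_len_field": struct.unpack("!H", payload[2:4])[0],
    }


if __name__ == "__main__":
    for key, value in analyse_frame(WIRESHARK_HEXDUMP).items():
        print(f"{key:14} {value}")
    print("constructed record:", looks_like_tls_record(CONSTRUCTED_TLS_RECORD))
```

Run against the dump, the payload begins `00 00 03 77 45 42 43 46`: byte 0x00 is not a TLS content type, so the verdict is "not TLS", which is exactly the situation in which Wireshark's SSL dissector prints "Continuation Data" under a bare "Secure Sockets Layer" node. The "SSL" protocol column is therefore not a detection result: a Decode As mapping applies the dissector to every segment on that port whether or not the bytes parse. The value 0x0377 at payload offset 2 equals 887, the TCP segment length reported in the bug, which is consistent with the application using its own length-prefixed framing rather than TLS records.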

