On Fri, Oct 12, 2007 at 05:16:08PM -0400, Justin Seto wrote:
> My company is using the Microsoft C++ standard implementation of TLS,
> i.e. plugging in the module, to handle SSL connections. When I use
> Wireshark to capture data, it does not detect the SSL packets.
> However, when I read the raw data in the TCP packet, I can see the TLS
> headers in the first bytes of the data payload. Furthermore, there
> seems to be an exchange of certificates.
>
> When I connect to an SSL enabled site over a web browser I can scope
> TLS packets. I would like to see the same thing appear when I scope
> packets from my program. My first question is: how does Wireshark
> determine whether a packet is an SSL packet?

Is your company's program using a standard SSL port? Wireshark detects
SSL on at least ports 636 (LDAP over SSL), 993 (IMAP over SSL), and 995
(POP over SSL). There is a default setting in the HTTP dissector's
preferences to decode port 443 as HTTP over SSL.

Steve
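
Added example, not part of the original thread and not Wireshark's own code: a Python sketch contrasting the port lookup described in the reply with a check of the TLS record header in the first bytes of the TCP payload, which is what the original poster saw by eye. The function names, the service names attached to the ports, the sample bytes, and port 8443 in the demo are assumptions made for illustration.

```python
import struct

# Ports the reply lists as decoded as SSL by default (service names added here).
SSL_PORTS = {443: "https", 636: "ldaps", 993: "imaps", 995: "pop3s"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext record the TLS spec allows


def parse_tls_records(payload):
    """Return [(content_type, (major, minor), length, handshake_type)] for the
    TLS records at the start of a TCP payload; [] if the bytes do not fit."""
    records, offset = [], 0
    while offset + 5 <= len(payload):
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, offset)
        if (ctype not in CONTENT_TYPES or major != 3 or minor > 4
                or not 0 < length <= MAX_RECORD_LEN):
            break  # not a record header: stop rather than guess
        body = payload[offset + 5:offset + 5 + length]
        # The first body byte names the handshake message only while the
        # handshake is still in cleartext (before ChangeCipherSpec).
        hs = HANDSHAKE_TYPES.get(body[0]) if ctype == 22 and body else None
        records.append((CONTENT_TYPES[ctype], (major, minor), length, hs))
        if len(body) < length:
            break  # record continues in the next TCP segment
        offset += 5 + length
    return records


def classify(src_port, dst_port, payload):
    """Port lookup first, as in the reply; payload check as the fallback."""
    if src_port in SSL_PORTS or dst_port in SSL_PORTS:
        return "ssl (port)"
    if parse_tls_records(payload):
        return "ssl (payload, non-standard port)"
    return "not ssl"


# Constructed sample: a handshake record whose body starts with type 1
# (ClientHello), followed by a fatal alert record. Not a real capture.
SAMPLE = bytes.fromhex("160301000601000002" "0301" "15030100020228")

if __name__ == "__main__":
    print(classify(50000, 8443, SAMPLE))
    for rec in parse_tls_records(SAMPLE):
        print(rec)
```

For a capture on a non-standard port, Wireshark's Analyze > Decode As... dialog can assign the SSL dissector to that port.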