Wireshark-dev: Re: [Wireshark-dev] (New to Wireshark) How does wireshark determine what protoco

From: Justin Seto <jseto@xxxxxxxx>
Date: Mon, 15 Oct 2007 16:03:12 -0400
I have tried changing the ports and it does recognize the packets as SSL packets.  However, the data isn't being parsed so it looks like I'm "forcing" the packet to be recognized as SSL data.  Is it possible for this to happen?

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Justin Seto
Sent: October 15, 2007 9:05 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] (New to Wireshark) How does wireshark determine what protocol is being used?

Thank you for the response,

We are connecting over port 5494.  I believe this has to do with a
SQL server we are using.  I will investigate this possibility.

Justin

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen Fisher
Sent: October 12, 2007 6:34 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] (New to Wireshark) How does wireshark determine what protocol is being used?

On Fri, Oct 12, 2007 at 05:16:08PM -0400, Justin Seto wrote:

> My company is using the Microsoft C++ standard implementation of TLS,
> i.e. plugging in the module, to handle SSL connections. When I use
> Wireshark to capture data, it does not detect the SSL packets.
> However, when I read the raw data in the TCP packet, I can see the TLS
> headers in the first bytes of the data payload.  Furthermore, there
> seems to be an exchange of certificates.
>
> When I connect to an SSL enabled site over a web browser I can scope
> TLS packets.  I would like to see the same thing appear when I scope
> packets from my program.  My first question is: how does Wireshark
> determine whether a packet is an SSL packet?

Is your company's program using a standard SSL port?  Wireshark detects
SSL on at least ports 636 (LDAP over SSL), 993 (IMAP over SSL), and 995
(POP over SSL).  There is a default setting in the HTTP dissector's
preferences to decode port 443 as HTTP over SSL.


Steve

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
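
Added example, not part of the original thread and not Wireshark's own code: a port-independent check of the kind the question points at, which reads the TLS record headers from the first bytes of a TCP payload instead of relying on the port number. The function names and the sample payloads are constructed for illustration.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext fragment a record may carry


def parse_tls_records(payload: bytes):
    """Walk a TCP payload as consecutive TLS records, ignoring the port.

    Returns (content_type, (major, minor), length, handshake_type) tuples;
    an empty list means the first bytes are not a plausible record header.
    """
    records, offset, encrypted = [], 0, False
    while offset + 5 <= len(payload):
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, offset)
        # Header sanity: known content type, SSL 3.0 / TLS 1.x version, bounded length.
        if ctype not in CONTENT_TYPES or major != 3 or minor > 4 or length > MAX_RECORD_LEN:
            break
        hs_type = None
        if ctype == 22 and length and not encrypted and offset + 5 < len(payload):
            # First body byte of a cleartext handshake record is the message type.
            hs_type = HANDSHAKE_TYPES.get(payload[offset + 5], "unknown")
        if ctype == 20:
            encrypted = True  # records after ChangeCipherSpec are encrypted
        records.append((CONTENT_TYPES[ctype], (major, minor), length, hs_type))
        offset += 5 + length
    return records


def looks_like_tls(payload: bytes) -> bool:
    return bool(parse_tls_records(payload))


def record(ctype: int, body: bytes, version=(3, 1)) -> bytes:
    """Build one record (used only to construct the sample payloads below)."""
    return struct.pack("!BBBH", ctype, *version, len(body)) + body


# Constructed samples, not captured traffic.
CLIENT_HELLO = record(22, b"\x01\x00\x00\x2b\x03\x01" + bytes(41))
SERVER_FLIGHT = record(22, b"\x02" + bytes(9)) + record(22, b"\x0b" + bytes(19))
FINISH = record(20, b"\x01") + record(22, b"\xa7" + bytes(39))
NOT_TLS = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name in ("CLIENT_HELLO", "SERVER_FLIGHT", "FINISH", "NOT_TLS"):
        print(name, parse_tls_records(globals()[name]))
```

The check is only meaningful on a payload that starts at a record boundary, such as the first data segment of a connection; a segment that begins in the middle of a record will not match.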