Hello,
When using Wireshark 0.99.5 on Windows, sometimes I see:
[Malformed Packet: SSL]
e.g.:
No. Time Source Destination Protocol Src Port Dst Port Delta Info
381 15.301101 172.24.101.100 172.24.100.107 TLSv1 443 1136 0.017923 Application Data, [Malformed Packet]
Frame 381 (1314 bytes on wire, 1314 bytes captured)
Arrival Time: Apr 10, 2007 10:20:40.195898000
[Time delta from previous packet: 0.017923000 seconds]
[Time since reference or first frame: 15.301101000 seconds]
Frame Number: 381
Packet Length: 1314 bytes
Capture Length: 1314 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:http:ssl]
[Coloring Rule Name: HTTP]
[Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: StBernar_00:8c:e5 (00:07:e8:00:8c:e5), Dst: Dell_00:be:6b (00:12:3f:00:be:6b)
Internet Protocol, Src: 172.24.101.100 (172.24.101.100), Dst: 172.24.100.107 (172.24.100.107)
Transmission Control Protocol, Src Port: 3128 (3128), Dst Port: 1136 (1136), Seq: 9184, Ack: 1341, Len: 1260
Hypertext Transfer Protocol
Secure Socket Layer
TLSv1 Record Layer: Application Data Protocol: http
Content Type: Application Data (23)
Version: TLS 1.0 (0x0301)
Length: 1048
Encrypted Application Data: 986EF11CE4141826D529372C664768C27C0E749FFC4BB768...
[Malformed Packet: SSL]
Is the packet really malformed, or is it possible that Wireshark doesn't support the cipher being used? If so, is there any way to tell if the packet is really malformed versus Wireshark just not understanding it/the encryption scheme?
Thanks,
--Jim
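
An added example, not part of the original post: the TLS record header (content type, version, length) is sent in cleartext, so record framing can be checked without knowing the cipher. This sketch walks the record headers in one TCP segment payload and separates a record that simply continues in a later segment from bytes that do not form a plausible header. The function names and the sample segment are constructed for illustration; the segment reuses the 1260-byte TCP length and 1048-byte record length shown above but is not the captured data.

```python
import struct

# TLS record content types (RFC 2246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_CIPHERTEXT = 2**14 + 2048   # TLS 1.0 limit on the record length field
HEADER_LEN = 5                  # type (1) + version (2) + length (2)

def walk_records(payload: bytes):
    """Walk the TLS record headers in one TCP segment payload.

    Returns (offset, status, detail) tuples and stops at the first record
    that is not complete within this segment.
    """
    results, off = [], 0
    while off < len(payload):
        remaining = len(payload) - off
        if remaining < HEADER_LEN:
            results.append((off, "truncated_header", remaining))
            break
        ctype, major, _minor, length = struct.unpack_from("!BBBH", payload, off)
        if ctype not in CONTENT_TYPES or major != 3 or length > MAX_CIPHERTEXT:
            # Not a plausible header. A segment that begins in the middle of
            # a record also lands here unless earlier segments are reassembled.
            results.append((off, "bad_header", ctype))
            break
        body = remaining - HEADER_LEN
        if body < length:
            # Header is fine; the rest of the record is in a later segment.
            results.append((off, "truncated_body", length - body))
            break
        results.append((off, "complete", length))
        off += HEADER_LEN + length
    return results

def make_record(ctype: int, length: int, present: int) -> bytes:
    """Constructed test data: TLS 1.0 header claiming `length`, `present` body bytes."""
    return struct.pack("!BBBH", ctype, 3, 1, length) + b"\xaa" * present

# Constructed 1260-byte segment (not the capture from the post): one full
# 1048-byte record, then a second record cut off by the segment boundary.
SEGMENT = make_record(23, 1048, 1048) + make_record(23, 1048, 202)

if __name__ == "__main__":
    for offset, status, detail in walk_records(SEGMENT):
        print(f"offset {offset}: {status} ({detail})")
```

For "truncated_body" the detail is the number of bytes still missing; for "bad_header" it is the first byte that was read as a content type.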