On Wed, May 28, 2008 at 01:34:18PM -0600, Al Aghili wrote:
>
> I think you're correct. I've included the actual frames. But it does
> look like this is retransmission. Is this something that we can change
> on the client? Why would a retransmission occur?
Uhmm... it looks like the frames you included in your mail do not
correspond to the ones in the ssl-debug output.
> We are using tshark standard out to look at the frames. When you say
> manually remove the frame from the capture file are you suggesting to
> first have tshark create a capture file then remove the redundant frame
> from the file and then feed the capture file back through tshark for
> decryption?
Yes.
> I could programmatically do that; I just want to understand
> what steps I need to take and how to run tshark.
You might find 'editcap' to be handy here. You can use it like
this:
    editcap <srcfile> <dstfile> <packet#11> <packet#23> <packet#34>
to remove packets 11, 23 and 34 from <srcfile> and save all the
other packets to <dstfile>.
Cheers,
Sake
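
The procedure discussed above (find the retransmitted frames, then delete them with editcap before running the decryption again), as an added example that is not part of the original mail: the Python below reads a classic pcap file, reports frames that exactly repeat an earlier TCP segment (same addresses, ports, sequence number and payload), and builds the editcap argument list. The function names, file names and sample capture are constructed for illustration; re-segmented retransmissions, IPv6 and pcapng are outside its scope.

```python
import struct

def retransmitted_frames(pcap: bytes) -> list:
    """1-based numbers of frames repeating an already-seen TCP segment."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("need a classic pcap file with Ethernet link type")
    seen, dups, off, number = set(), [], 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        number += 1                    # same numbering tshark/editcap use
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                   # not IPv4 + TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack(">H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue                   # truncated TCP header
        sport, dport, seq = struct.unpack(">HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload:
            continue                   # bare ACKs legitimately repeat a seq
        key = (frame[26:34], sport, dport, seq, payload)
        if key in seen:
            dups.append(number)
        seen.add(key)
    return dups

def editcap_command(src, dst, frames):
    """argv for editcap; listed packet numbers are deleted by default."""
    return ["editcap", src, dst] + [str(n) for n in frames]

def build_frame(seq, payload):         # constructed sample traffic
    tcp = struct.pack(">HHIIBBHHH", 40000, 443, seq, 0, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return bytes(12) + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed capture: frame 3 is an exact retransmission of frame 2.
SAMPLE_PCAP = build_pcap([build_frame(1000, b"hello"), build_frame(1005, b"world"),
                          build_frame(1005, b"world"), build_frame(1010, b"!")])
```

The list returned by editcap_command() can be passed to subprocess.run(); the resulting <dstfile> is then read back with tshark as described in the mail.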