Wireshark-users: [Wireshark-users] HTTP spanning multiple TLS records

From: Dmitry Bugrimenko <dmitry.bugrimenko@xxxxxxxxx>
Date: Wed, 27 Jun 2012 12:20:18 +0400

Hi,

An HTTP GET request spanning multiple TLS records within the same TCP
segment in one packet is decoded by Wireshark 1.8.0 (SVN Rev 43431 from
/trunk-1.8, running on Mac OS X 10.6.8 or Windows 7 64-bit) as
"Continuation of non-HTTP traffic"; the HTTP decode in the packet details
pane is per record, not for the entire request. A sample trace, session
key, and decoded text output are attached.

Is this a bug or expected behavior?

Thanks,
Dmitry.

No.     Time        DTime       SMAC                  DMAC                  Source                SPort  Destination           DPort  len   ttl        Protocol Stream     Window     ssl-id len ssl-id     SPort  DPort  Flags      DSCP       Info
     12 0.074393    0.001165    Apple_0a:36:9b        IcpElect_c5:51:5a     192.168.193.32        62958  192.168.193.2         https  684   64         HTTP     0          524280                           62958  443    0x0018     Default    Continuation or non-HTTP trafficContinuation or non-HTTP traffic

Frame 12: 684 bytes on wire (5472 bits), 684 bytes captured (5472 bits)
    WTAP_ENCAP: 1
    Arrival Time: Jun 27, 2012 10:35:10.972795000 GST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1340778910.972795000 seconds
    [Time delta from previous captured frame: 0.001165000 seconds]
    [Time delta from previous displayed frame: 0.001165000 seconds]
    [Time since reference or first frame: 0.074393000 seconds]
    Frame Number: 12
    Frame Length: 684 bytes (5472 bits)
    Capture Length: 684 bytes (5472 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:ssl:http:data:http:data]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: Apple_0a:36:9b (c4:2c:03:0a:36:9b), Dst: IcpElect_c5:51:5a (00:08:9b:c5:51:5a)
    Destination: IcpElect_c5:51:5a (00:08:9b:c5:51:5a)
        Address: IcpElect_c5:51:5a (00:08:9b:c5:51:5a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Apple_0a:36:9b (c4:2c:03:0a:36:9b)
        Address: Apple_0a:36:9b (c4:2c:03:0a:36:9b)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.193.32 (192.168.193.32), Dst: 192.168.193.2 (192.168.193.2)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 670
    Identification: 0x3a19 (14873)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x0000 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 192.168.193.32 (192.168.193.32)
    Destination: 192.168.193.2 (192.168.193.2)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 62958 (62958), Dst Port: https (443), Seq: 345, Ack: 977, Len: 618
    Source port: 62958 (62958)
    Destination port: https (443)
    [Stream index: 0]
    Sequence number: 345    (relative sequence number)
    [Next sequence number: 963    (relative sequence number)]
    Acknowledgment number: 977    (relative ack number)
    Header length: 32 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 65535
    [Calculated window size: 524280]
    [Window size scaling factor: 8]
    Checksum: 0x0605 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 346833827, TSecr 147697
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 346833827
            Timestamp echo reply: 147697
    [SEQ/ACK analysis]
        [Bytes in flight: 618]
Secure Sockets Layer
    TLSv1 Record Layer: Application Data Protocol: http
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 32
        Encrypted Application Data: 4654c583058460517ac05dad4cbaf44fcb14cb6b650f48c4...
    TLSv1 Record Layer: Application Data Protocol: http
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 576
        Encrypted Application Data: 85697d11c6e7b1693826b9687bc9892d54a5395a4f8e8bba...
Hypertext Transfer Protocol
    Data (1 byte)
        Data: 47
        [Length: 1]
Hypertext Transfer Protocol
    Data (546 bytes)
        Data: 4554202f20485454502f312e310d0a486f73743a206e6173...
        [Length: 546]

Frame (684 bytes):


Decrypted SSL data (1 bytes):

0000  47                                                G

Decrypted SSL data (546 bytes):

0000  45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 48   ET / HTTP/1.1..H
0010  6f 73 74 3a 20 6e 61 73 63 35 35 31 35 61 0d 0a   ost: nasc5515a..
0020  55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69   User-Agent: Mozi
0030  6c 6c 61 2f 35 2e 30 20 28 4d 61 63 69 6e 74 6f   lla/5.0 (Macinto
0040  73 68 3b 20 49 6e 74 65 6c 20 4d 61 63 20 4f 53   sh; Intel Mac OS
0050  20 58 20 31 30 2e 36 3b 20 72 76 3a 31 33 2e 30    X 10.6; rv:13.0
0060  29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31   ) Gecko/20100101
0070  20 46 69 72 65 66 6f 78 2f 31 33 2e 30 2e 31 0d    Firefox/13.0.1.
0080  0a 41 63 63 65 70 74 3a 20 74 65 78 74 2f 68 74   .Accept: text/ht
0090  6d 6c 2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78   ml,application/x
00a0  68 74 6d 6c 2b 78 6d 6c 2c 61 70 70 6c 69 63 61   html+xml,applica
00b0  74 69 6f 6e 2f 78 6d 6c 3b 71 3d 30 2e 39 2c 2a   tion/xml;q=0.9,*
00c0  2f 2a 3b 71 3d 30 2e 38 0d 0a 41 63 63 65 70 74   /*;q=0.8..Accept
00d0  2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 75 73   -Language: en-us
00e0  2c 65 6e 3b 71 3d 30 2e 35 0d 0a 41 63 63 65 70   ,en;q=0.5..Accep
00f0  74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70   t-Encoding: gzip
0100  2c 20 64 65 66 6c 61 74 65 0d 0a 43 6f 6e 6e 65   , deflate..Conne
0110  63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76   ction: keep-aliv
0120  65 0d 0a 43 6f 6f 6b 69 65 3a 20 6e 61 73 5f 73   e..Cookie: nas_s
0130  61 76 65 5f 75 3d 31 3b 20 6e 61 73 5f 75 3d 59   ave_u=1; nas_u=Y
0140  57 52 74 61 57 34 3d 3b 20 6e 61 73 5f 61 64 64   WRtaW4=; nas_add
0150  72 65 73 73 3d 6e 61 73 63 35 35 31 35 61 3b 20   ress=nasc5515a; 
0160  6e 61 73 5f 73 61 76 65 5f 70 3d 31 3b 20 6e 61   nas_save_p=1; na
0170  73 5f 61 3d 59 30 64 47 65 6d 4d 7a 5a 48 5a 6a   s_a=Y0dGemMzZHZj
0180  62 56 45 39 3b 20 6e 61 73 5f 70 3d 59 57 52 74   bVE9; nas_p=YWRt
0190  61 57 35 77 59 58 4e 7a 64 32 39 79 5a 41 3d 3d   aW5wYXNzd29yZA==
01a0  3b 20 6e 61 73 5f 74 72 65 65 5f 78 3d 32 34 30   ; nas_tree_x=240
01b0  3b 20 6e 61 73 5f 74 72 65 65 5f 79 3d 33 37 30   ; nas_tree_y=370
01c0  3b 20 73 68 6f 77 5f 66 69 6c 74 65 72 3d 74 72   ; show_filter=tr
01d0  75 65 3b 20 73 68 6f 77 5f 69 6e 73 70 65 63 74   ue; show_inspect
01e0  6f 72 3d 66 61 6c 73 65 3b 20 73 6f 72 74 5f 6d   or=false; sort_m
01f0  65 74 68 6f 64 3d 71 75 65 75 65 5f 6f 72 64 65   ethod=queue_orde
0200  72 3b 20 63 6f 6d 70 61 63 74 5f 64 69 73 70 6c   r; compact_displ
0210  61 79 5f 73 74 61 74 65 3d 66 61 6c 73 65 0d 0a   ay_state=false..
0220  0d 0a                                             ..

Attachment: NASC5515A_TLSv1_RSA_with_reuse_FFox.key
Description: Binary data

Attachment: NASC5515A_TLSv1_RSA_with_reuse_FFox__cut_1-13.pcap
Description: Binary data
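
Added example (not part of the original post and not Wireshark's code): a per-direction reassembler that buffers decrypted TLS application-data payloads and parses the HTTP request only once the header block is complete, so the 1-byte "G" record and the record that follows it yield a single GET request. The sample records are constructed from the first lines of the decrypted output above, and all class and function names are hypothetical.

```python
# Added example: reassemble HTTP requests from decrypted TLS record payloads.
METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")
MAX_HEADER_BYTES = 64 * 1024  # cap the buffer so a stream cannot grow it forever

# Constructed sample with the same split as frame 12 (1 byte, then the rest),
# shortened to the first headers of the decrypted output.
SAMPLE_RECORDS = [
    b"G",
    b"ET / HTTP/1.1\r\nHost: nasc5515a\r\nConnection: keep-alive\r\n\r\n",
]


def parse_request(head):
    """Parse one complete header block (without the trailing blank line)."""
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    if method not in METHODS:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "target": target.decode(),
            "version": version.decode(), "headers": headers}


class HttpOverTlsReassembler:
    """Hypothetical helper: one instance per TLS session direction.
    Handles requests without a body (like the GET here)."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, record_plaintext):
        """Append one record's plaintext; return the requests it completes."""
        self.buf += record_plaintext
        done = []
        while (end := self.buf.find(b"\r\n\r\n")) >= 0:
            done.append(parse_request(bytes(self.buf[:end])))
            del self.buf[:end + 4]
        if len(self.buf) > MAX_HEADER_BYTES:
            raise ValueError("header block exceeds limit without terminating")
        return done


def per_record_view(records):
    """A per-record parser's view: does each record alone start a request?"""
    return [rec.split(b" ", 1)[0] in METHODS for rec in records]


def reassemble(records):
    """Feed records in order and collect every completed request."""
    r = HttpOverTlsReassembler()
    return [req for rec in records for req in r.feed(rec)]
```

Any log pipeline or detection rule that matches on request lines in decrypted traffic needs the buffered form: `per_record_view` finds no request in either record, while `reassemble` returns the GET.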