Wireshark-users: Re: [Wireshark-users] https: why is http request not shown while response is?

From: Mohamed Lrhazi <lrhazi@xxxxxxx>
Date: Tue, 17 Apr 2018 14:46:38 -0400
Thanks Peter. I cannot share the key, but here is the view of the 253 frame, decrypted SSL... looks like it did decrypt it.

On Tue, Apr 17, 2018 at 2:34 PM, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
Hi Mohamed,

Is it possible to share the stream (pcap) + keys? Alternatively, show the "Decrypted SSL" bytes in the request. The request is in frame 253, and something signals to the SSL/TLS dissector that the HTTP request is incomplete.

This could be a POST request where the request body is smaller than the specified Content-Length header, or for other reasons.

Kind regards,
Peter
https://lekensteyn.nl
(pardon my brevity, top-posting and formatting, sent from my phone)


On April 17, 2018 5:23:47 PM GMT+02:00, Mohamed Lrhazi <lrhazi@xxxxxxx> wrote:
>What would cause this issue... clearly decryption of traffic did work,
>since I can see the http response!
>
>Note that if I do "Follow SSL stream" I do see the http get request
>text
>just fine!
>
>I just updated to the latest, but still see same behavior. Version
>2.4.6
>(v2.4.6-0-ge2f395aa12)



--
Thanks,
Mohamed.

Attachment: wireshark http decrypt oddity 2.png
Description: PNG image