Wireshark-bugs: [Wireshark-bugs] [Bug 6434] data combined via ssl_desegment_app_data not visible
Comment # 6
on bug 6434
from Joe McEachern
Created attachment 9896
Example capture file
Here is a sample capture file that will exhibit the issue. There is an SSL
session between 192.168.200.2 and 6.0.0.1 at port 443. The 192.168.200.2 device
uses lots of small SSL Records. Many per TCP packet.
Here is the private key for 6.0.0.1. Add a rule for 6.0.0.1 port 443 decode as
http. Then try to use the follow SSL stream option.
You can also download the capture directly from CloudShark.
http://cloudshark.org/captures/b7d22478673a
Note that the SSL stream from 6.0.0.1 -> 192.168.200.2 looks fine. It's only the
SSL stream from 192.168.200.2 -> 6.0.0.1.
I will add two more attachments that show what the data looks like and what it
should look like when follow SSL is used.