Wireshark-bugs: [Wireshark-bugs] [Bug 11481] New: v1.12.x will not reassemble some tcp packets
Date: Fri, 28 Aug 2015 16:59:54 +0000
Bug ID 11481
Summary v1.12.x will not reassemble some tcp packets
Product Wireshark
Version 1.12.6
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Major
Priority Low
Component Build process
Assignee bugzilla-admin@wireshark.org
Reporter tferguson@amadeus.com

Created attachment 13830 [details]
Packet captures of working and non-working TLS flows.

Build Information:
Sorry, I already upgraded to 1.99.8 (legacy) so I do not have the specific
version info. The problem was seen in v1.12.4 (64-bit); v1.12.6 (64-bit); and
v1.12.7 (64-bit).

--
Hello Wireshark,

Our company has intermittent TLS issues and we have captures of good and bad
flows. Wireshark v1.12.x shows the good flows with "tcp reassembled in PDU" and
the server certificate. However, the bad flows do not show tcp reassembled and
no server certificate. Using v1.99.8 shows the packets differently as well as
older versions like v1.2.4.

Attached is a packet capture showing the working and non-working flows. Frames
#1-27 are working and frames #28-43 are not working. Please compare frame #7
with #34.

Here are the differences seen with v1.12.x:

Frame 7: 1333 bytes on wire (10664 bits), 1333 bytes captured (10664 bits)
Ethernet II, Src: 10:f3:11:2b:ad:cb (10:f3:11:2b:ad:cb), Dst: c0:67:af:f0:8a:20 (c0:67:af:f0:8a:20)
Internet Protocol Version 4, Src: 66.185.180.169 (66.185.180.169), Dst: 82.150.229.186 (82.150.229.186)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 52064 (52064), Seq: 1915555025, Ack: 3519736617, Len: 1267
[3 Reassembled TCP Segments (3908 bytes): #42(1282), #43(1368), #44(1258)]
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 3903
        Handshake Protocol: Certificate
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done

Frame 34: 1333 bytes on wire (10664 bits), 1333 bytes captured (10664 bits)
Ethernet II, Src: 00:1b:0c:4a:f7:fe (00:1b:0c:4a:f7:fe), Dst: c0:8c:60:f9:72:20 (c0:8c:60:f9:72:20)
Internet Protocol Version 4, Src: 66.185.180.169 (66.185.180.169), Dst: 82.150.229.186 (82.150.229.186)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 41487 (41487), Seq: 1996043263, Ack: 3052627759, Len: 1267
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done


Yes, I notice the DSCP differences in the Server Hellos but I cannot say if
this is related to the TLS handshake problem.

Please let me know if more information is needed.

Thank you,

Tom Ferguson
Amadeus Network WAN Services
tferguson@amadeus.com

