Wireshark-users: Re: [Wireshark-users] Malformed SSL - Is it really?
From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 12 Apr 2007 22:09:41 +0200
On Tue, Apr 10, 2007 at 11:07:29AM -0400, Small, James wrote:
> Hello,
> 
> When using Wireshark 0.99.5 on Windows, sometimes I see:
> [Malformed Packet: SSL]
> 
> e.g.:
> No.     Time        Source                Destination           Protocol Src Port Dst Port Delta       Info
>     381 15.301101   172.24.101.100        172.24.100.107        TLSv1    443      1136     0.017923    Application Data, [Malformed Packet]
> Frame 381 (1314 bytes on wire, 1314 bytes captured)
>     Arrival Time: Apr 10, 2007 10:20:40.195898000
>     [Time delta from previous packet: 0.017923000 seconds]
>     [Time since reference or first frame: 15.301101000 seconds]
>     Frame Number: 381
>     Packet Length: 1314 bytes
>     Capture Length: 1314 bytes
>     [Frame is marked: True]
>     [Protocols in frame: eth:ip:tcp:http:ssl]
>     [Coloring Rule Name: HTTP]
>     [Coloring Rule String: http || tcp.port == 80]
> Ethernet II, Src: StBernar_00:8c:e5 (00:07:e8:00:8c:e5), Dst: Dell_00:be:6b (00:12:3f:00:be:6b)
> Internet Protocol, Src: 172.24.101.100 (172.24.101.100), Dst: 172.24.100.107 (172.24.100.107)
> Transmission Control Protocol, Src Port: 3128 (3128), Dst Port: 1136 (1136), Seq: 9184, Ack: 1341, Len: 1260
> Hypertext Transfer Protocol
> Secure Socket Layer
>     TLSv1 Record Layer: Application Data Protocol: http
>         Content Type: Application Data (23)
>         Version: TLS 1.0 (0x0301)
>         Length: 1048
>         Encrypted Application Data: 986EF11CE4141826D529372C664768C27C0E749FFC4BB768...
> [Malformed Packet: SSL]
> 
> Is the packet really malformed, or is it possible that Wireshark 
> doesn't support the cipher being used?  If so, is there any way to 
> tell if the packet is really malformed versus Wireshark just not
> understanding it/the encryption scheme?

Hmmm... it does not look like an unsupported cipher, because then the
whole session should be malformed. And next to that, Wireshark gives a
message about unsupported ciphers...

If you look at the frame info, it shows protocols in frame:
[Protocols in frame: eth:ip:tcp:http:ssl]

>From the uses tcp-port (3128) it shows that this is a proxied SSL
session (many proxies use 3128 as proxy-port). I think somehow 
the SSL dissector has problems with SSL over a proxy.

Could you file this as a bug on bugzilla with a sample trace
(with the whole tcp-session if possible)?

Cheers,


Sake