Wireshark · Wireshark-users: [Wireshark-users] Interpreting TLS v1 Capture (Anti-Debug Trick?)

Wireshark-users: [Wireshark-users] Interpreting TLS v1 Capture (Anti-Debug Trick?)

From: Jeffrey Walton <noloader@xxxxxxxxx>

Date: Tue, 2 Jun 2009 15:43:25 -0400

Hi All,

I'm having problems interpreting a capture. It appears the program is
opening two sockets. Both are using SSL/TLS.

First Socket (TLS v1):
* TCP Three way handshake
* Client Hello
* Server Hello
  ...
  secure communications

Second Socket (TLS v1):
* TCP Three way handshake
* Client Hello

After the client hello, Wireshark is claiming '[TCP Previous segment
lost] [TCP segment of a reassembled PDU]'. I then observe a data
exchange, but Wireshark reports 'Ignored unknown data'. No information
regarding the server hello, and no 'vanilla' TCP data transfer.

I suspect that this *might* be an anti-debug/trace trick (am I being
too paranoid?). It is definitely reproducible. Has anyone encountered
similar? The server in question is
instinfo.onecare-live.com.nsatc.net.

Thanks in advance,
Jeffrey Walton

Follow-Ups:
- Re: [Wireshark-users] Interpreting TLS v1 Capture (Anti-Debug Trick?)
  - From: Sake Blok

Prev by Date: [Wireshark-users] Multiple DTMF 2833
Next by Date: Re: [Wireshark-users] Multiple DTMF 2833
Previous by thread: Re: [Wireshark-users] Multiple DTMF 2833
Next by thread: Re: [Wireshark-users] Interpreting TLS v1 Capture (Anti-Debug Trick?)
Index(es):
- Date
- Thread