Wireshark-users: [Wireshark-users] HTTP spanning multiple TLS records
From: Dmitry Bugrimenko <dmitry.bugrimenko@xxxxxxxxx>
Date: Wed, 27 Jun 2012 12:20:18 +0400
Hi,

HTTP GET request spanning multiple TLS records within the same TCP segment in one packet is decoded by Wireshark 1.8.0 (SVN Rev 43431 from /trunk-1.8, running on Mac OS X 10.6.8 or Windows 7 64-bit) as "Continuation of non-HTTP traffic"; HTTP decode in the packet details pane is per record, not for the entire request. Sample trace, session key, and decoded text output are attached. Is this a bug or expected behavior?

Thanks,
Dmitry.
No. Time DTime SMAC DMAC Source SPort Destination DPort len ttl Protocol Stream Window ssl-id len ssl-id SPort DPort Flags DSCP Info
12 0.074393 0.001165 Apple_0a:36:9b IcpElect_c5:51:5a 192.168.193.32 62958 192.168.193.2 https 684 64 HTTP 0 524280 62958 443 0x0018 Default Continuation or non-HTTP trafficContinuation or non-HTTP traffic

Frame 12: 684 bytes on wire (5472 bits), 684 bytes captured (5472 bits)
    WTAP_ENCAP: 1
    Arrival Time: Jun 27, 2012 10:35:10.972795000 GST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1340778910.972795000 seconds
    [Time delta from previous captured frame: 0.001165000 seconds]
    [Time delta from previous displayed frame: 0.001165000 seconds]
    [Time since reference or first frame: 0.074393000 seconds]
    Frame Number: 12
    Frame Length: 684 bytes (5472 bits)
    Capture Length: 684 bytes (5472 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:ssl:http:data:http:data]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: Apple_0a:36:9b (c4:2c:03:0a:36:9b), Dst: IcpElect_c5:51:5a (00:08:9b:c5:51:5a)
    Destination: IcpElect_c5:51:5a (00:08:9b:c5:51:5a)
        Address: IcpElect_c5:51:5a (00:08:9b:c5:51:5a)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Apple_0a:36:9b (c4:2c:03:0a:36:9b)
        Address: Apple_0a:36:9b (c4:2c:03:0a:36:9b)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.193.32 (192.168.193.32), Dst: 192.168.193.2 (192.168.193.2)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 670
    Identification: 0x3a19 (14873)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x0000 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 192.168.193.32 (192.168.193.32)
    Destination: 192.168.193.2 (192.168.193.2)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 62958 (62958), Dst Port: https (443), Seq: 345, Ack: 977, Len: 618
    Source port: 62958 (62958)
    Destination port: https (443)
    [Stream index: 0]
    Sequence number: 345 (relative sequence number)
    [Next sequence number: 963 (relative sequence number)]
    Acknowledgment number: 977 (relative ack number)
    Header length: 32 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 65535
    [Calculated window size: 524280]
    [Window size scaling factor: 8]
    Checksum: 0x0605 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 346833827, TSecr 147697
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 346833827
            Timestamp echo reply: 147697
    [SEQ/ACK analysis]
        [Bytes in flight: 618]
Secure Sockets Layer
    TLSv1 Record Layer: Application Data Protocol: http
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 32
        Encrypted Application Data: 4654c583058460517ac05dad4cbaf44fcb14cb6b650f48c4...
    TLSv1 Record Layer: Application Data Protocol: http
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 576
        Encrypted Application Data: 85697d11c6e7b1693826b9687bc9892d54a5395a4f8e8bba...
Hypertext Transfer Protocol
    Data (1 byte)
        Data: 47
        [Length: 1]
Hypertext Transfer Protocol
    Data (546 bytes)
        Data: 4554202f20485454502f312e310d0a486f73743a206e6173...
        [Length: 546]
Attachment:
NASC5515A_TLSv1_RSA_with_reuse_FFox.key
Description: Binary data
Attachment:
NASC5515A_TLSv1_RSA_with_reuse_FFox__cut_1-13.pcap
Description: Binary data
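
Added example (not part of the original post and not Wireshark code): a Python sketch of the situation in frame 12, showing that neither decrypted record on its own starts an HTTP request, while treating the record plaintexts as one byte stream recovers the GET. The record headers are the ones visible in the dump; the record bodies, the shortened request and all function names are constructed for illustration.

```python
import struct

# Constructed sample: the two TLS record headers from frame 12 (17 03 01 00 20 and
# 17 03 01 02 40) followed by zero-filled bodies standing in for the ciphertext.
TCP_PAYLOAD = (bytes.fromhex("1703010020") + bytes(32) +
               bytes.fromhex("1703010240") + bytes(576))

# Constructed sample: decrypted fragments split as in the post ("G", then the rest);
# the request is shortened to the request line and the Host header.
PLAINTEXT_FRAGMENTS = [b"G", b"ET / HTTP/1.1\r\nHost: nasc5515a\r\n\r\n"]

METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def split_tls_records(payload):
    """Return ([(content_type, version, length), ...], bytes_consumed)."""
    records, off = [], 0
    while off + 5 <= len(payload):
        # 5-byte record header: type (1), version (2), length (2), big-endian
        ctype, version, length = struct.unpack_from("!BHH", payload, off)
        if off + 5 + length > len(payload):
            break  # record body continues in a later TCP segment
        records.append((ctype, version, length))
        off += 5 + length
    return records, off


def starts_http_request(data):
    """Per-record view: does this buffer begin with an HTTP method token?"""
    return data.startswith(METHODS)


def reassemble_requests(fragments):
    """Stream view: join record plaintexts, return each complete header block."""
    buf, requests = b"", []
    for frag in fragments:
        buf += frag
        while b"\r\n\r\n" in buf:
            head, buf = buf.split(b"\r\n\r\n", 1)
            requests.append(head)
    return requests


if __name__ == "__main__":
    print(split_tls_records(TCP_PAYLOAD))
    print([starts_http_request(f) for f in PLAINTEXT_FRAGMENTS])
    print(reassemble_requests(PLAINTEXT_FRAGMENTS))
```

The two records account for 5 + 32 + 5 + 576 = 618 bytes, which matches the TCP Len of frame 12.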