Wireshark

  • Riverbed Technology
  • WinPcap
the world's foremost network protocol analyzer
  • Wireshark
    • About
    • Download
    • Blog
  • Get Help
    • Ask a Question
    • FAQs
    • Documentation
    • Mailing Lists
    • Online Tools
    • Wiki
    • Bug Tracker
  • Develop
    • Get Involved
    • Developer's Guide
    • Browse the Code
    • Latest Builds

Wireshark-users: [Wireshark-users] Interpreting TLS v1 Capture (Anti-Debug Trick?)

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next


From: Jeffrey Walton <noloader@xxxxxxxxx>
Date: Tue, 2 Jun 2009 15:43:25 -0400

Hi All,

I'm having problems interpreting a capture. It appears the program is
opening two sockets. Both are using SSL/TLS.

First Socket (TLS v1):
* TCP Three way handshake
* Client Hello
* Server Hello
  ...
  secure communications

Second Socket (TLS v1):
* TCP Three way handshake
* Client Hello

After the client hello, Wireshark is claiming '[TCP Previous segment
lost] [TCP segment of a reassembled PDU]'. I then observe a data
exchange, but Wireshark reports 'Ignored unknown data'. No information
regarding the server hello, and no 'vanilla' TCP data transfer.

I suspect that this *might* be an anti-debug/trace trick (am I being
too paranoid?). It is definitely reproducible. Has anyone encountered
similar? The server in question is
instinfo.onecare-live.com.nsatc.net.

Thanks in advance,
Jeffrey Walton
  • Follow-Ups:
    • Re: [Wireshark-users] Interpreting TLS v1 Capture (Anti-Debug Trick?)
      • From: Sake Blok
  • Prev by Date: [Wireshark-users] Multiple DTMF 2833
  • Next by Date: Re: [Wireshark-users] Multiple DTMF 2833
  • Previous by thread: Re: [Wireshark-users] Multiple DTMF 2833
  • Next by thread: Re: [Wireshark-users] Interpreting TLS v1 Capture (Anti-Debug Trick?)
  • Index(es):
    • Date
    • Thread

Wireshark and the "fin" logo are registered trademarks of the Wireshark Foundation