Wireshark-users: Re: [Wireshark-users] Encrypted Alert


From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 5 Jan 2010 01:51:11 +0100

On Mon, Jan 04, 2010 at 06:22:38PM -0500, Sheahan, John wrote:
>    I am troubleshooting some SSL conversations for an intermittent error that
>    occurs very randomly. At this point, I don't have anything to go by except
>    a trace which is supposed to have been taken during the event.

Does the problem description suggest a problem at the transport layer
(including SSL)? Or might the problem be at the Application layer? Which
protocol is carried inside SSL in your case (I assume http, but as you
know, assumption is the mother of all <beep>).


>    However, I do see an "Encrypted Alert" message just before the TCP
>    sessions FINs out....is this something to be concerned about?

That depends... the Encrypted Alert can be a normal "Close Notify"
message, this usually happens after some application data has been
exchanged. If the Encrypted Alert comes in the ssl session setup (before
any application data has been exchanged), then it might indicate a
problem.

Hope this helps,
Cheers,


Sake

PS  Have a look at the slides of the presentation I gave at Sharkfest 
    last year, they might help you in troubleshooting SSL traffic:
    https://www.cacetech.com/sharkfest.09/AU2_Blok_SSL_Troubleshooting_with_Wireshark_and_Tshark.pps
    
    or watch the video of my session at:
    http://www.lovemytool.com/blog/2009/06/sake_blok_11.html
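
The distinction drawn in the reply above, as an added example that is not part of the original message: a record-layer walk that classifies each alert by whether it arrives before or after application data. It assumes SSL/TLS 1.2-or-earlier framing and that the input is the session's TLS records concatenated in capture order; the verdict strings, function names and sample streams are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23

def parse_records(stream: bytes):
    """Yield (content_type, version, payload_length) for each TLS record."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        if ctype not in (CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA):
            raise ValueError(f"unknown content type {ctype} at offset {offset}")
        if offset + 5 + length > len(stream):
            raise ValueError(f"truncated record body at offset {offset}")
        yield ctype, version, length
        offset += 5 + length

def classify_alerts(stream: bytes):
    """Return one verdict per alert record, in order of appearance."""
    seen_ccs = seen_app_data = False
    verdicts = []
    for ctype, _version, _length in parse_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            seen_ccs = True          # records after this point are encrypted
        elif ctype == APPLICATION_DATA:
            seen_app_data = True
        elif ctype == ALERT:
            if not seen_ccs:
                verdicts.append("plaintext-alert-in-handshake")
            elif seen_app_data:
                verdicts.append("likely-close-notify")
            else:
                verdicts.append("investigate-session-setup")
    return verdicts

def record(ctype: int, payload: bytes, version: int = 0x0301) -> bytes:
    """Build one constructed TLS record for the sample streams below."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

# Constructed samples (payload bytes are filler, not real ciphertext).
NORMAL = (record(HANDSHAKE, b"\x00" * 40) + record(CHANGE_CIPHER_SPEC, b"\x01")
          + record(HANDSHAKE, b"\x00" * 36) + record(APPLICATION_DATA, b"\x00" * 64)
          + record(ALERT, b"\x00" * 22))
FAILED_SETUP = (record(HANDSHAKE, b"\x00" * 40) + record(CHANGE_CIPHER_SPEC, b"\x01")
                + record(ALERT, b"\x00" * 22))

if __name__ == "__main__":
    print(classify_alerts(NORMAL), classify_alerts(FAILED_SETUP))
```

A "likely-close-notify" verdict is a heuristic based on position only; confirming the alert description requires decrypting the session.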

