Wireshark-dev: Re: [Wireshark-dev] (New to Wireshark) How does wireshark determine what protoco
From: Stephen Fisher <[email protected]>
Date: Fri, 12 Oct 2007 16:34:14 -0600
On Fri, Oct 12, 2007 at 05:16:08PM -0400, Justin Seto wrote:

> My company is using the Microsoft C++ standard implementation of TLS,
> i.e. plugging in the module, to handle SSL connections. When I use
> wireshark to capture data, it does not detect the SSL packets. 
> However, when I read the raw data in the TCP packet, I can see the TLS
> headers in the first bytes of the data payload.  Furthermore, there
> seems to be an exchange of certificates.
> When I connect to an SSL enabled site over a web browser I can scope
> TLS packets.  I would like to see the same thing appear when I scope
> packets from my program.  My first question is: how does wireshark
> determine whether a packet is an SSL packet?

Is your company's program using a standard SSL port?  Wireshark detects
SSL on at least ports 636 (ldap over SSL), 993 (imap over SSL), and 995
(pop over SSL).  There is a default setting in the HTTP dissector's
preferences to decode port 443 as HTTP over SSL.
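For the situation Justin describes, a TLS record header sitting in the first bytes of a TCP payload on a non-standard port, the check below inspects the 5-byte record header and the first handshake message type instead of relying on the port. It is an example added here, not code from the thread or from Wireshark, and the sample payloads are constructed.

```python
import struct

# TLS record content types (RFC 2246 / RFC 4346 / RFC 5246).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Handshake message types seen during the initial exchange.
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 16: "client_key_exchange",
                   20: "finished"}
# 2^14 plaintext bytes plus the expansion the RFCs permit per record.
MAX_RECORD_LEN = 16384 + 2048


def looks_like_tls(payload: bytes):
    """Describe the leading TLS record in a TCP payload, or return None.

    Port-independent heuristic: content type, version (SSL 3.0 / TLS 1.0-1.2
    share major version 3) and a plausible record length. For handshake
    records the first handshake message type is checked as well. A
    handshake message may span several records, so its own length field is
    reported but not compared against the record length.
    """
    if len(payload) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype not in CONTENT_TYPES or major != 3 or minor > 3:
        return None
    if length == 0 or length > MAX_RECORD_LEN:
        return None
    info = {"type": CONTENT_TYPES[ctype], "version": f"3.{minor}",
            "length": length}
    if ctype == 22:
        if len(payload) < 9 or payload[5] not in HANDSHAKE_TYPES:
            return None
        info["handshake"] = HANDSHAKE_TYPES[payload[5]]
        info["handshake_length"] = int.from_bytes(payload[6:9], "big")
    return info


# Constructed samples: a TLS 1.0 ClientHello record (47-byte body holding a
# 43-byte handshake message) and a plaintext HTTP request on the same port.
SAMPLE_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2f"       # record header
                       + b"\x01\x00\x00\x2b"         # handshake: client_hello
                       + b"\x03\x01" + b"\x00" * 41)  # client version + body
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    print(looks_like_tls(SAMPLE_CLIENT_HELLO))
    print(looks_like_tls(SAMPLE_HTTP))
```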