
Wireshark-dev: [Wireshark-dev] Two "Decrypted SSL data" sections in one frame

From: Petr Gotthard <petr.gotthard@xxxxxxxxxx>
Date: Sun, 08 Feb 2015 20:25:04 +0100
Hello,
 
I'm trying to add SSL support for the AMQP dissector. I managed to correctly decrypt and reassemble the application data; however, for some reason the SSL dissector (or someone else?) split the application data into two blocks: the first data block contains the first byte of the AMQP frame and the second data block contains the remaining bytes.
 -- In the "Packet Details" section I can see (after the SSL sub-tree) a sub-tree "Data (1 byte)" and below it another sub-tree "[Malformed Packet: AMQP]" (the packet is malformed because it is missing the first byte).
 -- In the "Packet Bytes" section I can see two "Decrypted SSL data" sections: one with 1 byte (the first byte of an AMQP frame) and the other with the remaining bytes of this AMQP frame.
 
Do you have any idea why SSL created two "Decrypted SSL data" sections and split the frame?
 
 
Thanks,
Petr