Wireshark-users: [Wireshark-users] Malformed SSL - Is it really?
From: "Small, James" <[email protected]>
Date: Tue, 10 Apr 2007 11:07:29 -0400
Hello,
 
When using Wireshark 0.99.5 on Windows, sometimes I see:
[Malformed Packet: SSL]
 
e.g.:
No.     Time        Source                Destination           Protocol Src Port Dst Port Delta       Info
    381 15.301101   172.24.101.100        172.24.100.107        TLSv1    443      1136     0.017923    Application Data, [Malformed Packet]
Frame 381 (1314 bytes on wire, 1314 bytes captured)
    Arrival Time: Apr 10, 2007 10:20:40.195898000
    [Time delta from previous packet: 0.017923000 seconds]
    [Time since reference or first frame: 15.301101000 seconds]
    Frame Number: 381
    Packet Length: 1314 bytes
    Capture Length: 1314 bytes
    [Frame is marked: True]
    [Protocols in frame: eth:ip:tcp:http:ssl]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: StBernar_00:8c:e5 (00:07:e8:00:8c:e5), Dst: Dell_00:be:6b (00:12:3f:00:be:6b)
Internet Protocol, Src: 172.24.101.100 (172.24.101.100), Dst: 172.24.100.107 (172.24.100.107)
Transmission Control Protocol, Src Port: 3128 (3128), Dst Port: 1136 (1136), Seq: 9184, Ack: 1341, Len: 1260
Hypertext Transfer Protocol
Secure Socket Layer
    TLSv1 Record Layer: Application Data Protocol: http
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 1048
        Encrypted Application Data: 986EF11CE4141826D529372C664768C27C0E749FFC4BB768...
[Malformed Packet: SSL]
Is the packet really malformed, or is it possible that Wireshark doesn't support the cipher being used?  If so, is there any way to tell if the packet is really malformed versus Wireshark just not understanding it/the encryption scheme?
 
Thanks,
  --Jim