
Wireshark-users: Re: [Wireshark-users] PCAP seem buggy in Wireshark 1.6.2 while seem fine with 1.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 11 Jan 2012 23:12:04 -0800

On Jan 11, 2012, at 9:26 PM, P R wrote:

> I had to troubleshoot an SSL handshake recently and hence requested a snoop to be taken on the server side from my client. I opened the PCAP snoop in 1.6.2 version and decoded the packets as SSL. The result I see in Wireshark 1.6.2 was entirely different from what my client was seeing. He uses 1.2 to view the same trace and the SSL handshake seems to be very obvious in the older version. Even the tcp.stream was different between 2 versions of the same trace. In the new version, I get "Ignored unknown record" while the older version clearly shows the client hello, server hello and the certificate being exchanged from the server to the client.

We'd probably have to see the capture in order to try to determine what the problem is (and thus to be able to suggest a solution).  There might be a bug in the SSL dissector introduced after the 1.2 version.  (There do not appear to be any changes to the SSL dissector in the 1.6 branch after 1.6.2 other than a memory leak fix, so upgrading to the latest 1.6.x release, 1.6.5, probably won't help - but you might want to try it anyway.)