
I am trying to use the .NET implementation of SslStream, following this tutorial. I did everything as in the article, but I have a question. I downloaded RawCap and captured packets from localhost; after that I opened the dump file (.pcap) in Wireshark, but instead of an SSL or TLS protocol I saw just TCP: [screenshot] Here is part of the TCP stream:

```
....l...h..T...........Y.2..1...t.4....8.J...../.5... ....... .2.8.......'..............SslServer. ......................M..T...M.<.......e.E...M.%c...Kg.. .....iKku.^q(C.$..;..Mx......g&./..................0...0.............L.^..F.)...{.0...+......0.1 0...U....MyCA0.. 150228143257Z. 391231235959Z0.1.0...U....SslServer0.."0 ..*.H.. ..........0.. ......p9.cq...F.^....Bm...S... .....Bg.B.<]..f[...<...q'..Tc......R...Z.C.D.D...N...1..0.v..l.<...d[=C.7.8.+^..j(...X.........D'.!*5.^.^Ef..=.6y@.=..)|...Sp..Sv.|h.-..UT..&bG.......J{.7k.X...........:.[o....o.,r.......0..Wi.s..8.Jn9........4...WU....fkmw..........D0B0@..U...907..m.....@.. ...f...0.1 0...U....MyCA..(J..j+..K......0...+...........h..X.+.M..{...n.....@.'.F........~....@9J.......A4,>.9.DE.R.V4t._bGY.,v.>G......J ....3....@..c,%[S._..u...$....!V.r....~...'.~..T*[.#[.?.B{..Z..m.p.9.7.U.u.}.e..c..H^n.:...-AJxs.. ...:... ..u.....YB....2n...y.g=...(.Fv...B.Is..GK.....;.F..Ln.....L...ao ......@...q0o1.0...U....SE1.0...U. ..AddTrust AB1&0$..U....AddTrust External TTP Network1"0 ..U....AddTrust External CA Root..0..1.0...U....US1.0...U. . GeoTrust Inc.1907..U...0(c) 2008 GeoTrust Inc. - For authorized use only1604..U...-GeoTrust Primary Certification Authority - G3.g0e1.0...U....US1.0...U.
```

Is this a correct SSL/TLS stream? And why has Wireshark marked it as TCP?


UPD: [screenshot]

konstantin_doncov
  • This is SSL, but since you are using a non-standard port, Wireshark does not expect SSL there and thus does not decode it automatically. You have to explicitly select SSL with `Analyze | Decode As`. – Steffen Ullrich Mar 01 '15 at 06:36
  • @SteffenUllrich I did what you said, but only a few packets are marked as TLSv1 now (please check my update). Is that right? – konstantin_doncov Mar 02 '15 at 18:41
  • The packets not marked as TLSv1 all have a length of 0. These are only ACKs, which themselves contain no payload and thus don't contain any TLS data. – Steffen Ullrich Mar 02 '15 at 18:55
  • @SteffenUllrich but we get only TLSv1 packets if we are using HTTPS or other protocols with SSL. It is troubling me... – konstantin_doncov Mar 02 '15 at 19:01
  • I don't understand your problem. Of course you get only TLS packets if you are using a protocol with TLS, like HTTPS. What do you expect? – Steffen Ullrich Mar 02 '15 at 19:56
  • @SteffenUllrich oh, sorry, I just now understand it: all packets which have application data (like "hello from client") are marked TLSv1, but the other ACK packets use TCP and don't have my data. Is that correct? And where can I read about this? – konstantin_doncov Mar 02 '15 at 20:08
  • Yes, you are correct. As for reading about it: I don't know any specific resource, but you should probably familiarize yourself with the basics of how networks work, how TCP/IP works, how applications sit on top of these protocols, etc. – Steffen Ullrich Mar 02 '15 at 20:12
  • I have this problem too. Rather frustrating. – Timmmm Aug 05 '15 at 11:17

1 Answer


By default, Wireshark uses TCP port numbers to decide whether a stream is plain TCP or TLS/SSL.

If you want to make Wireshark permanently recognize any port as SSL/TLS, then go to Edit > Preferences > Protocols > HTTP > Under SSL/TLS Ports change it from 443 to 443,5555, ... <other TLS/SSL ports go here>.

Also note that SSL traffic is encrypted, and that is why you won't be able to see the actual data being transmitted. If you want Wireshark to decrypt SSL traffic, then you will have to give it your server's private key (see "SSL dissection in Wireshark").

Mostafa Helmy
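Independently of the port, you can tell whether a TCP payload is a TLS stream by checking whether it starts with well-formed 5-byte TLS record headers (content type, version, length), which is the same record layer Wireshark dissects once you tell it the port. This is an added example, not code from the question, the answer, or the .NET tutorial; the sample payloads below are constructed rather than taken from the capture above.

```python
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_RECORD_BODY = 2 ** 14 + 2048  # largest body a TLS 1.x record may carry


def parse_tls_records(payload):
    """Return the TLS records found at the start of a reassembled TCP payload.

    Each record is (content_type, (major, minor), body_length). Parsing stops at
    the first bytes that are not a plausible record header, so a plain-text
    payload yields an empty list. A record whose body runs past the end of the
    payload (split across TCP segments) is reported with body_length = None.
    """
    records = []
    off = 0
    while off + 5 <= len(payload):
        ctype, major, minor, length = struct.unpack("!BBBH", payload[off:off + 5])
        # SSLv3 and every TLS version write major version 3 in the record header;
        # minor 0..3 covers SSLv3 through TLS 1.2 (TLS 1.3 also writes 3.3 there).
        if ctype not in CONTENT_TYPES or major != 3 or minor > 3 or not 0 < length <= MAX_RECORD_BODY:
            break
        if off + 5 + length > len(payload):
            records.append((CONTENT_TYPES[ctype], (major, minor), None))
            break
        records.append((CONTENT_TYPES[ctype], (major, minor), length))
        off += 5 + length
    return records


def looks_like_tls(payload):
    """True if the payload begins with at least one well-formed TLS record header."""
    return len(parse_tls_records(payload)) > 0


# Constructed sample payloads: a TLS 1.0 handshake record followed by an
# application_data record, the same bytes as they would look without TLS,
# and a stream whose second record is cut off by a TCP segment boundary.
HANDSHAKE = b"\x16\x03\x01\x00\x06" + b"\x01\x00\x00\x02\x03\x01"
APP_DATA = b"\x17\x03\x01\x00\x05" + b"\xde\xad\xbe\xef\x00"
TLS_PAYLOAD = HANDSHAKE + APP_DATA
PLAINTEXT_PAYLOAD = b"hello from client\n"
SPLIT_PAYLOAD = HANDSHAKE + b"\x17\x03\x01\x00\x40" + b"\x00" * 10

if __name__ == "__main__":
    for name, p in [("tls", TLS_PAYLOAD), ("plain", PLAINTEXT_PAYLOAD), ("split", SPLIT_PAYLOAD)]:
        print(name, looks_like_tls(p), parse_tls_records(p))
```

The check only identifies the record layer; as the answer says, the record bodies stay encrypted without the server's private key (or a key log), so this tells you that a stream is TLS, not what it carries.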