Wireshark-bugs: [Wireshark-bugs] [Bug 9875] New: SSL Hello Client
Date: Wed, 12 Mar 2014 12:26:59 +0000
Field | Value |
---|---|
Bug ID | 9875 |
Summary | SSL Hello Client |
Classification | Unclassified |
Product | Wireshark |
Version | 1.10.5 |
Hardware | x86 |
OS | Windows 7 |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | Dissection engine (libwireshark) |
Assignee | bugzilla-admin@wireshark.org |
Reporter | jlou@doitt.nyc.gov |
Created attachment 12627: This shows the expanded packets with data using SSL.

Build Information: Version 1.10.5 (SVNRev 54262 from /trunk-1.10)

--

I have been trying to troubleshoot a problem involving FTPS (SSL/TLS). The file transfer was taking an extraordinarily long time to complete. I had been taking sniffer traces from IBM z/OS 1.13 using NBA Pilot. This invokes Wireshark. I then create a PCAP to feed into Inside the Stack, where I can generate reports. One of them is SSL Problem Finder. It indicated that there were 5 Hello Clients. The IBM z/OS 1.13 is acting as client using a job. It is trying to do FTPS with a server that is written by a business partner using a Linux platform. I expect to see 2. The 1st is part of the initial connection to the Control Port. The 2nd is the result of doing Passive and connecting to the Data Port at the server. Why would I then see 3 additional Hello Clients while the data transfer is going on?

I looked at the sniffer trace in question. I opened it with Wireshark and went to those packets. I saw that they were then being reported as Hello Client. I opened a ticket with IBM about this. The following is their response:

> Sorry, please ignore the previous update. I was composing it then accidentally hit the Enter button. What I meant to say was that frame numbers 50029, 51355, and 63129 in the large sniffer trace (session between port 5565 and 3088) are all encrypted data packets (not hellos) because they carry this sequence of bytes: 1703010015. If this was a hello packet, it would start with this sequence of bytes: 160301xxxx01. To illustrate, here's what you see in frame number 50029:

```text
0000 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0010 05 8c 65 7c 40 00 30 06 22 92 cc 5a e6 04 0a be ..e|@.0."..Z....
0020 00 41 0c 10 15 bd 93 a5 db 29 ec f4 99 64 80 10 .A.......)...d..
0030 06 b4 4d 4a 00 00 01 01 08 0a cd db 82 c0 a4 f7 ..MJ............
0040 a3 d7 0a 25 e2 68 70 53 af 7e 0e 70 7e 8d 92 23 ...%.hpS.~.p~..#
0050 cb 3b a0 65 17 03 01 00 15 77 67 e4 f6 e1 59 ab .;.e.....wg...Y.
0060 84 36 b9 54 1c eb bc d6 36 a9 be 3d 86 7f 17 03 .6.T....6..=....
0070 01 00 15 1f 0d 90 95 37 7d 56 48 a7 a4 9d 9a 49 .......7}VH....I
0080 f1 70 49 cb 4d 71 15 6f 17 03 01 00 15 a0 ee e6 .pI.Mq.o........
0090 2b 80 39 6c ac 76 85 16 dd 52 9c da e5 76 47 51 +.9l.v...R...vGQ
00a0 ef 78 17 03 01 00 15 23 26 3d b1 a9 2d ab 7c ac .x.....#&=..-.|.
00b0 6c ab ea b1 ad f9 2e 40 a5 aa 3b 6c 17 03 01 00 l......@..;l....
00c0 15 f8 99 3c 24 4b b1 46 55 a5 80 0f 9d e7 0c 41 ...<$K.FU......A
00d0 cf 25 6c 72 ae 82 17 03 01 00 15 c5 ac f2 0c 36 .%lr...........6
00e0 20 0e 4f 63 77 74 b2 ff 77 c6 4c 21 b3 9e 94 74  .Ocwt..w.L!...t
00f0 17 03 01 00 15 83 d3 6a 4f dd 4c c3 94 64 22 71 .......jO.L..d"q
0100 04 ba 49 08 16 cb ec 3c 8f 70 17 03 01 00 15 ad ..I....<.p......
0110 4f ac 89 5e d2 89 66 83 22 5b 88 51 36 99 d6 82 O..^..f."[.Q6...
0120 a0 c2 30 2c 17 03 01 00 15 94 80 e5 9d a0 a7 ee ..0,............
0130 ae 2f d5 2e 43 5d 6d 31 c9 97 68 52 28 e2 17 03 ./..C]m1..hR(...
0140 01 00 15 bc 00 37 31 bc cf 03 23 63 de 42 56 fa .....71...#c.BV.
0150 a8 06 14 64 ef 10 0f 24 17 03 01 00 15 96 b9 d8 ...d...$........
0160 ae ba 4a f3 ad 45 76 f4 9d af cd 80 41 80 78 fa ..J..Ev.....A.x.
0170 85 1a 17 03 01 00 15 e0 e4 3b ea 56 d8 bd 35 88 .........;.V..5.
0180 54 67 83 a9 ac 28 c3 0a 9e 6e e8 79 17 03 01 00 Tg...(...n.y....
0190 15 1a f4 dc 98 83 ee c2 5d cb b6 7f 29 f3 02 45 ........]...)..E
01a0 7b 29 cc 41 2a 3f 17 03 01 00 15 0c ce 5d 84 8f {).A*?.......]..
01b0 48 7a 53 55 3c 32 a9 81 47 6e ab 22 fe fc 13 87 HzSU<2..Gn."....
01c0 17 03 01 00 15 fc ae d0 5f 9f cb 28 9d 58 1b 04 ........_..(.X..
01d0 4d 22 6a 8c a8 7b 57 8f e0 9d 17 03 01 00 15 10 M"j..{W.........
01e0 29 ea 97 5f f6 93 f8 06 8a 74 30 fe f8 62 b9 3d ).._.....t0..b.=
01f0 38 4a 3b 2a 17 03 01 00 15 16 c1 4f 84 73 51 c8 8J;*.......O.sQ.
0200 f8 95 b4 24 ac 9b 43 f5 cb 56 1c f7 91 67 17 03 ...$..C..V...g..
```

> You should see the sequence 1703010015 several times in the excerpt above, which indicates that they're all SSL data messages, not hellos.

Unfortunately the sniffer trace is quite large. This is because the file to be transferred was 1.83 million bytes but over 47 million bytes got transferred. The total number of packets was almost 70k. I am attaching a print of the 3 packets in question.
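The byte-pattern check in IBM's reply (an application-data record starts `17 03 01 ll ll`, a ClientHello starts `16 03 01 ll ll 01`) can be applied mechanically to the quoted frame. The script below is an added example, not part of the bug report and not Wireshark's dissector code: it parses the frame 50029 hex dump above, strips the Ethernet, IPv4 and TCP headers, and walks the TLS record headers in the TCP payload, classifying each record by content type. The record-header plausibility limits and the alignment search (used because this segment does not begin on a record boundary) are this example's own assumptions.

```python
"""Classify TLS records in the TCP payload of frame 50029 (added example, not Wireshark code)."""
import struct
from collections import Counter

# Frame 50029 exactly as quoted in the bug report; the quote stops at offset 0x210
# although the IPv4 total-length field (05 8c) says the packet is 1420 bytes.
FRAME_50029_DUMP = """\
0000 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0010 05 8c 65 7c 40 00 30 06 22 92 cc 5a e6 04 0a be ..e|@.0."..Z....
0020 00 41 0c 10 15 bd 93 a5 db 29 ec f4 99 64 80 10 .A.......)...d..
0030 06 b4 4d 4a 00 00 01 01 08 0a cd db 82 c0 a4 f7 ..MJ............
0040 a3 d7 0a 25 e2 68 70 53 af 7e 0e 70 7e 8d 92 23 ...%.hpS.~.p~..#
0050 cb 3b a0 65 17 03 01 00 15 77 67 e4 f6 e1 59 ab .;.e.....wg...Y.
0060 84 36 b9 54 1c eb bc d6 36 a9 be 3d 86 7f 17 03 .6.T....6..=....
0070 01 00 15 1f 0d 90 95 37 7d 56 48 a7 a4 9d 9a 49 .......7}VH....I
0080 f1 70 49 cb 4d 71 15 6f 17 03 01 00 15 a0 ee e6 .pI.Mq.o........
0090 2b 80 39 6c ac 76 85 16 dd 52 9c da e5 76 47 51 +.9l.v...R...vGQ
00a0 ef 78 17 03 01 00 15 23 26 3d b1 a9 2d ab 7c ac .x.....#&=..-.|.
00b0 6c ab ea b1 ad f9 2e 40 a5 aa 3b 6c 17 03 01 00 l......@..;l....
00c0 15 f8 99 3c 24 4b b1 46 55 a5 80 0f 9d e7 0c 41 ...<$K.FU......A
00d0 cf 25 6c 72 ae 82 17 03 01 00 15 c5 ac f2 0c 36 .%lr...........6
00e0 20 0e 4f 63 77 74 b2 ff 77 c6 4c 21 b3 9e 94 74  .Ocwt..w.L!...t
00f0 17 03 01 00 15 83 d3 6a 4f dd 4c c3 94 64 22 71 .......jO.L..d"q
0100 04 ba 49 08 16 cb ec 3c 8f 70 17 03 01 00 15 ad ..I....<.p......
0110 4f ac 89 5e d2 89 66 83 22 5b 88 51 36 99 d6 82 O..^..f."[.Q6...
0120 a0 c2 30 2c 17 03 01 00 15 94 80 e5 9d a0 a7 ee ..0,............
0130 ae 2f d5 2e 43 5d 6d 31 c9 97 68 52 28 e2 17 03 ./..C]m1..hR(...
0140 01 00 15 bc 00 37 31 bc cf 03 23 63 de 42 56 fa .....71...#c.BV.
0150 a8 06 14 64 ef 10 0f 24 17 03 01 00 15 96 b9 d8 ...d...$........
0160 ae ba 4a f3 ad 45 76 f4 9d af cd 80 41 80 78 fa ..J..Ev.....A.x.
0170 85 1a 17 03 01 00 15 e0 e4 3b ea 56 d8 bd 35 88 .........;.V..5.
0180 54 67 83 a9 ac 28 c3 0a 9e 6e e8 79 17 03 01 00 Tg...(...n.y....
0190 15 1a f4 dc 98 83 ee c2 5d cb b6 7f 29 f3 02 45 ........]...)..E
01a0 7b 29 cc 41 2a 3f 17 03 01 00 15 0c ce 5d 84 8f {).A*?.......]..
01b0 48 7a 53 55 3c 32 a9 81 47 6e ab 22 fe fc 13 87 HzSU<2..Gn."....
01c0 17 03 01 00 15 fc ae d0 5f 9f cb 28 9d 58 1b 04 ........_..(.X..
01d0 4d 22 6a 8c a8 7b 57 8f e0 9d 17 03 01 00 15 10 M"j..{W.........
01e0 29 ea 97 5f f6 93 f8 06 8a 74 30 fe f8 62 b9 3d ).._.....t0..b.=
01f0 38 4a 3b 2a 17 03 01 00 15 16 c1 4f 84 73 51 c8 8J;*.......O.sQ.
0200 f8 95 b4 24 ac 9b 43 f5 cb 56 1c f7 91 67 17 03 ...$..C..V...g..
"""

# RFC 5246: record ContentType values (6.2.1); HandshakeType 1 is ClientHello (7.4).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
CLIENT_HELLO = 1

def parse_hex_dump(text):
    """'offset  16 hex bytes  ascii' lines -> bytes (the ASCII column is ignored)."""
    out = bytearray()
    for tokens in (line.split() for line in text.splitlines() if line.strip()):
        assert int(tokens[0], 16) == len(out), "dump lines must be contiguous"
        out += bytes(int(t, 16) for t in tokens[1:17])
    return bytes(out)

def tcp_payload(frame):
    """Strip Ethernet II, IPv4 (honouring IHL) and TCP (honouring the data offset)."""
    assert frame[12:14] == b"\x08\x00" and frame[23] == 6, "expected IPv4/TCP"
    tcp = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    return sport, dport, frame[tcp + (frame[tcp + 12] >> 4) * 4:]

def walk_records(payload, start):
    """Read back-to-back records from `start`; stop at the first five bytes that are not a
    plausible header (known type, version 3.x, length within the TLS maximum)."""
    records, pos = [], start
    while pos < len(payload):
        head = payload[pos:pos + 5]
        if (len(head) < 5 or head[0] not in CONTENT_TYPES or head[1] != 3 or head[2] > 4
                or struct.unpack("!H", head[3:])[0] > 16384 + 2048):
            records.append({"offset": pos, "type": "unparsed", "length": len(payload) - pos})
            break
        name, length = CONTENT_TYPES[head[0]], struct.unpack("!H", head[3:])[0]
        if head[0] == 22 and pos + 5 < len(payload) and payload[pos + 5] == CLIENT_HELLO:
            name = "handshake/client_hello"  # the 16 03 01 xx xx 01 pattern from IBM's reply
        records.append({"offset": pos, "type": name, "length": length,
                        "complete": pos + 5 + length <= len(payload)})
        pos += 5 + length
    return records

def find_alignment(payload, max_skip=64):
    """Heuristic assumed by this example: the first offset from which a chain of plausible
    headers runs to the segment end (leaving at most 4 bytes, i.e. a cut header). A segment
    that starts mid-record carries the tail of the previous record before its first header."""
    for skip in range(min(max_skip, len(payload))):
        records = walk_records(payload, skip)
        if records and all(r["type"] != "unparsed" or r["length"] < 5 for r in records):
            return skip, records
    return None, []

def summarize(dump_text):
    """Ports, payload size, bytes skipped before the first header and counts per record type."""
    sport, dport, payload = tcp_payload(parse_hex_dump(dump_text))
    skip, records = find_alignment(payload)
    return {"sport": sport, "dport": dport, "payload_len": len(payload), "leading_tail": skip,
            "counts": dict(Counter(r["type"] for r in records)), "records": records}

if __name__ == "__main__":
    print(summarize(FRAME_50029_DUMP))
```

Run stand-alone, the script reports a segment from port 3088 to port 5565 with 462 payload bytes: the first 18 bytes match no record header (consistent with the tail of a record that began in an earlier segment), followed by 17 complete application-data records of 21 bytes each and the first two bytes of another, and no handshake record at all. That is exactly the check IBM performed by eye. The alignment search is only a heuristic for a single frame; a dissector that wants to be sure where records start needs the reassembled TCP stream from the beginning of the session, which is also where the real ClientHellos for the control and data connections would be found.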