Wireshark-users: [Wireshark-users] Wrong protocol detection - wrong decryption
From: bitozoid <bitozoid@xxxxxxxxx>
Date: Tue, 3 Apr 2012 11:06:31 +0100
I'm trying to decrypt a STARTTLS connection via SMTP. I have done it before without any trouble. However, I am having some trouble now. I have seen that Wireshark does not recognise the protocol properly. It shows TLSv1 (SSL in tshark) when it should be SMTP. Is this normal?

Thanks

wireshark 1.6.4
gnutls 2.12.18
libgcrypt 1.4.6
openssl 1.0.0h

8 0.002115 10.141.188.79 -> 10.141.188.73 SSL 104 Continuation Data
0000 00 1e 68 c0 d3 fe 00 0c 29 90 07 25 08 00 45 00 ..h.....)..%..E.
0010 00 5a c8 fa 40 00 40 06 e3 f0 0a 8d bc 4f 0a 8d .Z..@.@......O..
0020 bc 49 92 dd 00 19 e6 3c 0a 3b 87 f0 61 e3 80 18 .I.....<.;..a...
0030 00 5c 8d ff 00 00 01 01 08 0a 00 3f c2 ce 1d 27 .\.........?...'
0040 56 bf 45 48 4c 4f 20 61 6e 61 78 61 67 6f 72 61 V.EHLO anaxagora
[deleted]

9 0.002689 10.141.188.73 -> 10.141.188.79 SSL 337 Continuation Data
0000 00 0c 29 90 07 25 00 1e 68 c0 d3 fe 08 00 45 00 ..)..%..h.....E.
0010 01 43 73 f9 40 00 80 06 f8 08 0a 8d bc 49 0a 8d .Cs.@........I..
0020 bc 4f 00 19 92 dd 87 f0 61 e3 e6 3c 0a 61 80 18 .O......a..<.a..
0030 01 04 ac 41 00 00 01 01 08 0a 1d 27 56 bf 00 3f ...A.......'V..?
0040 c2 ce 32 35 30 2d 64 69 6f 67 65 6e 65 73 2e 63 ..250-diogenes.c
[deleted]
0060 6f 72 67 20 48 65 6c 6c 6f 20 5b 31 30 2e 31 34 org Hello [10.14
0070 31 2e 31 38 38 2e 37 39 5d 0d 0a 32 35 30 2d 53 1.188.79]..250-S
0080 49 5a 45 0d 0a 32 35 30 2d 50 49 50 45 4c 49 4e IZE..250-PIPELIN
0090 49 4e 47 0d 0a 32 35 30 2d 44 53 4e 0d 0a 32 35 ING..250-DSN..25
00a0 30 2d 45 4e 48 41 4e 43 45 44 53 54 41 54 55 53 0-ENHANCEDSTATUS
00b0 43 4f 44 45 53 0d 0a 32 35 30 2d 53 54 41 52 54 CODES..250-START
00c0 54 4c 53 0d 0a 32 35 30 2d 58 2d 41 4e 4f 4e 59 TLS..250-X-ANONY
00d0 4d 4f 55 53 54 4c 53 0d 0a 32 35 30 2d 41 55 54 MOUSTLS..250-AUT
00e0 48 20 4e 54 4c 4d 0d 0a 32 35 30 2d 58 2d 45 58 H NTLM..250-X-EX
00f0 50 53 20 47 53 53 41 50 49 20 4e 54 4c 4d 0d 0a PS GSSAPI NTLM..
0100 32 35 30 2d 38 42 49 54 4d 49 4d 45 0d 0a 32 35 250-8BITMIME..25
0110 30 2d 42 49 4e 41 52 59 4d 49 4d 45 0d 0a 32 35 0-BINARYMIME..25
0120 30 2d 43 48 55 4e 4b 49 4e 47 0d 0a 32 35 30 2d 0-CHUNKING..250-
0130 58 45 58 43 48 35 30 0d 0a 32 35 30 2d 58 52 44 XEXCH50..250-XRD
0140 53 54 0d 0a 32 35 30 20 58 53 48 41 44 4f 57 0d ST..250 XSHADOW.
0150 0a .

10 0.002845 10.141.188.79 -> 10.141.188.73 SSL 76 Continuation Data
0000 00 1e 68 c0 d3 fe 00 0c 29 90 07 25 08 00 45 00 ..h.....)..%..E.
0010 00 3e c8 fb 40 00 40 06 e4 0b 0a 8d bc 4f 0a 8d .>..@.@......O..
0020 bc 49 92 dd 00 19 e6 3c 0a 61 87 f0 62 f2 80 18 .I.....<.a..b...
0030 00 6c 8d e3 00 00 01 01 08 0a 00 3f c2 ce 1d 27 .l.........?...'
0040 56 bf 53 54 41 52 54 54 4c 53 0d 0a V.STARTTLS..

11 0.003216 10.141.188.73 -> 10.141.188.79 SSL 95 Continuation Data
0000 00 0c 29 90 07 25 00 1e 68 c0 d3 fe 08 00 45 00 ..)..%..h.....E.
0010 00 51 73 fa 40 00 80 06 f8 f9 0a 8d bc 49 0a 8d .Qs.@........I..
0020 bc 4f 00 19 92 dd 87 f0 62 f2 e6 3c 0a 6b 80 18 .O......b..<.k..
0030 01 04 e0 bc 00 00 01 01 08 0a 1d 27 56 bf 00 3f ...........'V..?
0040 c2 ce 32 32 30 20 32 2e 30 2e 30 20 53 4d 54 50 ..220 2.0.0 SMTP
0050 20 73 65 72 76 65 72 20 72 65 61 64 79 0d 0a server ready..
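Added example, not part of the original post or of Wireshark: it rebuilds frames 10 and 11 from the hex dumps above, strips the Ethernet/IPv4/TCP headers and checks whether the TCP payload looks like a TLS record or a plaintext SMTP line, which is the distinction the dissector got wrong in these frames. The TLS-vs-SMTP heuristic in `classify` is my own assumption, not the rule Wireshark applies.

```python
import re

# Frames 10 and 11 from the post (client STARTTLS, server 220 reply), copied from
# its tshark hex dumps; they are the two complete ones, the others are truncated.
FRAME_10 = """\
0000 00 1e 68 c0 d3 fe 00 0c 29 90 07 25 08 00 45 00 ..h.....)..%..E.
0010 00 3e c8 fb 40 00 40 06 e4 0b 0a 8d bc 4f 0a 8d .>..@.@......O..
0020 bc 49 92 dd 00 19 e6 3c 0a 61 87 f0 62 f2 80 18 .I.....<.a..b...
0030 00 6c 8d e3 00 00 01 01 08 0a 00 3f c2 ce 1d 27 .l.........?...'
0040 56 bf 53 54 41 52 54 54 4c 53 0d 0a V.STARTTLS..
"""
FRAME_11 = """\
0000 00 0c 29 90 07 25 00 1e 68 c0 d3 fe 08 00 45 00 ..)..%..h.....E.
0010 00 51 73 fa 40 00 80 06 f8 f9 0a 8d bc 49 0a 8d .Qs.@........I..
0020 bc 4f 00 19 92 dd 87 f0 62 f2 e6 3c 0a 6b 80 18 .O......b..<.k..
0030 01 04 e0 bc 00 00 01 01 08 0a 1d 27 56 bf 00 3f ...........'V..?
0040 c2 ce 32 32 30 20 32 2e 30 2e 30 20 53 4d 54 50 ..220 2.0.0 SMTP
0050 20 73 65 72 76 65 72 20 72 65 61 64 79 0d 0a server ready..
"""
HEXLINE = re.compile(r"^([0-9a-f]{4})((?: [0-9a-f]{2}){1,16})")  # offset + <=16 bytes

def parse_hexdump(dump):
    """Rebuild the raw frame from an 'offset  hex bytes  ascii' dump, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEXLINE.match(line.strip())
        if m:
            assert int(m.group(1), 16) == len(out), "dump offsets not contiguous"
            out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)

def tcp_payload(frame):
    """Ethernet II / IPv4 / TCP: honour IHL, IP total length and the TCP data offset."""
    assert frame[12:14] == b"\x08\x00", "not IPv4"
    ihl, total_len = (frame[14] & 0x0F) * 4, int.from_bytes(frame[16:18], "big")
    tcp = 14 + ihl
    data_off = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + data_off:14 + total_len]

def classify(payload):
    """'tls' for a plausible TLS record header, 'smtp' for a printable CRLF-terminated
    SMTP command or reply line, otherwise 'unknown' (heuristic assumed for this example)."""
    if len(payload) >= 5 and 20 <= payload[0] <= 23 and payload[1] == 3 and payload[2] <= 3:
        return "tls"
    line = payload[:-2]
    if payload.endswith(b"\r\n") and all(0x20 <= b < 0x7F for b in line):
        if re.fullmatch(rb"[2-5]\d\d[ -].*|[A-Za-z]{4,}.*", line):
            return "smtp"
    return "unknown"
```

Both frames classify as `smtp`, so the bytes on the wire before the server's `220` reply are still plaintext SMTP regardless of the `SSL` label in the tshark summary column.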