Why am I seeing TLS running over HTTP?

How is it that Wireshark places TLS over HTTP whereas in the OSI model, TLS belongs to layers 5 and 6 while HTTP to layer 7?

with OSI model

layer 7: HTTP
layer 5 and 6: TLS

with Wireshark:

Frame
Internet II
IPv4
TCP
Hypertext Transfer Protocol
Transport Layer Security

Thank you for any help.

SDLR asked 2021-03-25 06:16:12 +0000
Guy Harris updated 2021-03-25 21:30:29 +0000

Comments

Can you share the capture that shows this behaviour? Use a public share such as CloudShark, Google Drive or DropBox etc. and post a link back here.

grahamb (2021-03-25 08:27:48 +0000)

Wireshark places TLS over HTTP

For normal https traffic, Wireshark doesn't place TLS over HTTP.

If you're seeing HTTP over TCP and TLS over HTTP, that's something unusual, so we'd need to see a capture of that traffic to see what's being done there.

Guy Harris (2021-03-25 21:30:01 +0000)

1 Answer

Well, can you decode TLS to actually read the content?

Otherwise TCP port 443 implies HTTPS and TLS is detected. So the representation may look odd but this is the order in which things are discovered as you read the packet.

And it may also depend a lot on how you detect protocols in Wireshark.

But I guess this is more a tomato vs tomato thing. (You drink coffee, I drink tea my dear)

hugo.vanderkooij answered 2021-03-25 08:49:24 +0000

Comments

this is the order in which things are discovered as you read the packet.

If you're using https, then you have TLS running over TCP, and HTTP running over TLS. You might not see the HTTP in a packet sniffer unless the sniffer 1) supports TLS decryption and 2) has the information necessary to decrypt the TLS payload, but the encrypted HTTP is there, in the "Application Data" section.

What they're reporting appears to be HTTP running directly over TCP (i.e., plaintext HTTP), with the HTTP payload being TLS. That seems odd, but "odd" doesn't imply "never happens". That's why we'd like to see a network trace to see what's happening.

Guy Harris (2021-03-25 21:28:17 +0000)
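Added example, not part of the thread and not Wireshark's dissector code: a byte-level heuristic that tells the normal https layering (TLS directly over TCP) apart from the unusual one discussed above (plaintext HTTP over TCP whose payload is TLS). The function names and the sample payloads are constructed for illustration.

```python
import struct

# TLS record header: content type (1 byte), legacy version (2), length (2).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HTTP_STARTS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
               b"OPTIONS ", b"PATCH ", b"CONNECT ", b"HTTP/1.")

def parse_tls_record(data):
    """Return (content type name, record length) if data begins with a
    plausible TLS record header, otherwise None."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return None
    if length > 2**14 + 2048:  # largest ciphertext record TLS 1.2 allows
        return None
    return TLS_CONTENT_TYPES[ctype], length

def describe_stack(payload):
    """Heuristic layering above TCP for one reassembled TCP payload."""
    if parse_tls_record(payload):
        # Normal https: any HTTP is encrypted inside application_data records.
        return ["TCP", "TLS"]
    if payload.startswith(HTTP_STARTS):
        _headers, sep, body = payload.partition(b"\r\n\r\n")
        if sep and parse_tls_record(body):
            # Plaintext HTTP whose body is itself a TLS record.
            return ["TCP", "HTTP", "TLS"]
        return ["TCP", "HTTP"]
    return ["TCP", "unknown"]

# Constructed sample payloads (not taken from any capture).
TLS_HELLO = bytes.fromhex("1603010005") + b"\x01\x00\x00\x01\x00"
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
HTTP_WITH_TLS = (b"POST /relay HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 10\r\n\r\n" + TLS_HELLO)

if __name__ == "__main__":
    for name, data in [("TLS_HELLO", TLS_HELLO), ("PLAIN_GET", PLAIN_GET),
                       ("HTTP_WITH_TLS", HTTP_WITH_TLS)]:
        print(name, " / ".join(describe_stack(data)))
```

The check only looks at the first bytes of a payload, so it is a triage aid for deciding which streams to open in a full dissector, not a replacement for one.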