Why do some TLS packets show 'Application Data' in the 'Info' column while others show nothing, despite the fact that they have a payload?

payload
application
data
TLS
retag add tags

This PCAP file was captured from Thunderbird(POP). I want to include only TLS payload which I can use 'tls.app_data' filter command. However, I noticed that normally, TLS packets with a payload will show 'Application Data' in the 'Info' column, but as you can see, some just show blank, despite having a payload. What do they mean?

Thank you

pairycoo

asked 2021-10-26 09:59:10 +0000

23.8k

grahamb

updated 2021-10-26 10:19:58 +0000

edit flag offensive 0 remove flag close merge delete

Comments

Can you provide a larger screen shot (that includes the display filter) or capture file?
What version of Wireshark? (add output of wireshark -v or Help->About Wireshark to question)

Chuckc (2021-10-26 15:08:53 +0000) edit

Thanks for your reply @Chuckc. Please follow this link for a larger photo https://ibb.co/5RzYvR5. This is my filter 'tls and !tls.handshake and !_ws.expert' We can see the packets belong to the TLS protocol and all have a payload. Why all of their payloads is not TLS payloads whereas the protocol is TLSv1.2?

PS. My Wireshark version is 3.2.1.

pairycoo (2021-10-26 15:51:11 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Why do some TLS packets show 'Application Data' in the 'Info' column while others show nothing, despite the fact that they have a payload? edit

Comments

1 Answer

Comments