Decrypt TLS - TLS 1.2 seen as TCP?

Hello Guys,

I'm facing an issue with Wireshark and TLS decryption. I have an old trace (November) from a user and his SSLKEYLOGFILE. This trace is decrypted by Wireshark.

Recently, I needed to do it again, but this time Wireshark doesn't decrypt the TLS stream.

Source of both traces is the same user (same browser and same URL).

In the new trace the TLS 1.2 is displayed as TCP (not sure if it's the issue), but at this point I'm unable to decrypt the traffic.

I upgraded to the latest version 3.4.2 (just in case), but still the same issue.

I absolutely need to read this file (the problem occurs rarely and we don't know how to reproduce it), so I don't have many traces :/

Can you help me?

Thanks a lot

Herve Jacquemin

hjacquemin, asked 2022-01-21 11:15:48 +0000

Comments

3.6.1 is the latest stable version of Wireshark. Is the traffic on TCP port 443? Have you tried creating a new profile in Wireshark to eliminate config settings?

You could share the capture on a public share and link back to it here so we can check why it's not being dissected as TLS, even if we can't decrypt it.

grahamb (2022-01-21 12:01:25 +0000)

You'll find the trace here (link valid 1 week).

I just upgraded again to 3.6.1, but still the same. I don't use a profile; I use the default settings.

Yes, it's on port 443.

It's weird, as the old traces are good and not the last one.

Thanks for your help

hjacquemin (2022-01-21 12:54:34 +0000)

2 Answers

I just found out that the client has the Zscaler client installed (I was not aware). It creates a tunnel at PC start, so it's normal that it's tagged as TCP.

Sorry for the time lost, and thanks for your help anyway!

Have a nice weekend.

hjacquemin, answered 2022-01-21 14:07:41 +0000

The TLS sessions are proxied. Normally, when there is a proxied connection over port 8080 or so, you are able to see the "CONNECT <xxx.xxx.xxx>", the "HTTP/1.1 200 OK", and then the following packets would be shown as TLS, but since this proxy connection is using port 443 as the proxy port, Wireshark seems to get confused.

As a workaround, you can disable the HTTP protocol dissector, which will expose the TLS decoding for the TLS part of the proxy connections.

SYN-bit, answered 2022-01-22 10:25:20 +0000

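The answer above describes a proxied TLS session: an HTTP CONNECT request and its "200" reply first, then the TLS records inside the tunnel, all on TCP/443. The following script is an added example (my own code, not from the thread, Wireshark or Zscaler) that walks both directions of a reassembled TCP stream, splits off the CONNECT exchange and reports the first TLS record behind it, so you can confirm that what Wireshark shows as plain TCP is in fact a tunnelled handshake. The byte strings are constructed for this demo and are not taken from the capture linked in the question.

```python
"""Locate the TLS stream hidden behind an HTTP CONNECT tunnel on port 443.

Constructed example: the byte strings below are made up for this demo and
are not from the capture discussed in the thread.
"""
import re

# TLS record content types (RFC 5246 section 6.2.1) and handshake types we care about.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}

CONNECT_RE = re.compile(rb"^CONNECT ([^ ]+) HTTP/1\.[01]\r\n")
STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")


def split_proxy_tunnel(client_stream: bytes):
    """Split client->proxy bytes into (connect_target, tunnelled_bytes).

    The CONNECT request ends at the first blank line; everything after it
    belongs to the tunnelled session. Returns (None, stream) if the stream
    does not begin with CONNECT, i.e. it is not a proxied connection.
    """
    m = CONNECT_RE.match(client_stream)
    if not m:
        return None, client_stream
    end = client_stream.find(b"\r\n\r\n")
    if end == -1:
        return m.group(1).decode(), b""  # headers not complete yet
    return m.group(1).decode(), client_stream[end + 4:]


def split_proxy_response(server_stream: bytes):
    """Split proxy->client bytes into (status_code, tunnelled_bytes)."""
    m = STATUS_RE.match(server_stream)
    if not m:
        return None, server_stream
    end = server_stream.find(b"\r\n\r\n")
    if end == -1:
        return int(m.group(1)), b""
    return int(m.group(1)), server_stream[end + 4:]


def parse_tls_record(data: bytes):
    """Parse one TLS record header; return a dict, or None if it is not TLS."""
    if len(data) < 5:
        return None
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    # Record-layer version is always 3.x (SSL 3.0 .. TLS 1.3 all use major 3).
    if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return None
    if len(data) < 5 + length:
        return None  # truncated record, wait for more segments
    rec = {"content_type": TLS_CONTENT_TYPES[ctype],
           "record_version": (major, minor), "length": length}
    if ctype == 22 and length >= 6:
        # Handshake header: 1 byte type + 3 bytes length, then the
        # ClientHello/ServerHello legacy_version field.
        rec["handshake_type"] = TLS_HANDSHAKE_TYPES.get(data[5], data[5])
        rec["handshake_version"] = (data[9], data[10])
    return rec


def analyse_stream(client_stream: bytes, server_stream: bytes):
    """Summarise what hides behind the CONNECT exchange on one connection."""
    target, client_tls = split_proxy_tunnel(client_stream)
    status, server_tls = split_proxy_response(server_stream)
    return {"connect_target": target, "proxy_status": status,
            "client_record": parse_tls_record(client_tls),
            "server_record": parse_tls_record(server_tls)}


# Constructed sample: a proxied session on TCP/443. The client sends CONNECT,
# the proxy answers 200, then a (stub) ClientHello / ServerHello follow.
CLIENT_STREAM = (
    b"CONNECT www.example.com:443 HTTP/1.1\r\n"
    b"Host: www.example.com:443\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"\r\n"
    # record: handshake, version 3.1, length 9; ClientHello stub, version 3.3
    + bytes([0x16, 0x03, 0x01, 0x00, 0x09,
             0x01, 0x00, 0x00, 0x05, 0x03, 0x03, 0xAA, 0xBB, 0xCC])
)
SERVER_STREAM = (
    b"HTTP/1.1 200 Connection established\r\n\r\n"
    # record: handshake, version 3.3, length 6; ServerHello stub, version 3.3
    + bytes([0x16, 0x03, 0x03, 0x00, 0x06, 0x02, 0x00, 0x00, 0x02, 0x03, 0x03])
)

if __name__ == "__main__":
    import pprint
    pprint.pprint(analyse_stream(CLIENT_STREAM, SERVER_STREAM))
```

Feed it the two directions of a "Follow TCP Stream" export and a `connect_target` plus a `client_hello` record confirm the answer's diagnosis. In Wireshark itself the equivalent step is the workaround SYN-bit gives (Analyze > Enabled Protocols, untick HTTP); on the command line the same thing, together with the key log, is `tshark -r trace.pcapng --disable-protocol http -o tls.keylog_file:keys.log`, both options being standard tshark features I am citing from memory rather than from the thread.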
