![]() ![]() ![]() What is the expected correct behavior?Īll packets should be decrypted (and without introducing duplicate data in the decrypted stream). At the same time, the receiving host sent back ACK. The TLS debug log shows "ssl_decrypt_record: mac failed".Įnabling "ignore 'mac failed'" makes all packets decrypt, but then "follow TLS stream" shows the decrypted contents of that packet twice. So, the sending host will retransmite after retransmission timeout expires. However, frame 28 (labeled "TCP Spurious Retransmission") and all following packets from .x to 17.x.x.x don't show any decrypted data. Adding a data.len column may be useful here. frame 21) you will see the data was decrypted correctly. Make sure the "ignore 'mac failed'" setting in the TLS dissector is disabled.Įverything will appear as "Application Data" in the packet list because Wireshark can't dissect the application protocol (unless you install the apns-dissector plugin ) ), but if you look at the first packet details (eg. Set this file as the TLS master secret log: Enabling "ignore 'mac failed'" in the TLS dissector allows it to decrypt all packets, but then the decrypted stream gets duplicated data. The TCP "reassemble out of order packets" setting and the TLS "Reassemble TLS records spanning multiple TCP segments" and "Reassemble TLS Application Data spanning multiple TLS records" settings make no difference. After (and including) this packet, all packets in the client->server direction fail to decrypt. ![]() I have TLS session keys for this connection and the TLS dissector decrypts data correctly, right up to the spurious retransmission. I have a packet capture where the client retransmitted a TCP packet and Wireshark flags it as a "TCP Spurious Retransmission". ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |