Wireshark not displaying application data for tcpdump using ssldump
Hello everyone
I have been testing SSLdump and I have run into what seems to be a Wireshark problem, but I'm not sure.
I have added a custom Client SSL Profile to exclude Diffie-Hellman algorithms using the following Cipher Option:
NATIVE:!DH:!EDH:!DHE:!ADH:!ECDHE
I have also adjusted the Cache Size to 0 sessions and Cache Timeout to 1 second so that we do not cache anything.
During the SSL Handshake we select the TLS_RSA_WITH_AES_256_CBC_SHA256 and when running the SSLdump command I get entries in the PMS log AND I can see decrypted data.
When I launch Wireshark and check the tcpdump + load the PMS I do not see any difference at all. When I check the follow SSL Stream I can see the decrypted data that I saw in the SSLdump.
But the thing is I want to see the packets in the packet list so I can follow the SYN/ACK packets with the GET requests. But I do not see any GET requests at all.
I noticed that when I have not added the PMS key I do not have any packet that states "Application Data" and I believe here is the problem. Here is how it looks when reviewing an F5 technician doing it:
No PMS:
With PMS:
Here is how my output looks (No PMS):
The output I can see in my ssldump is this:
```
1 10 1476792858.7953 (0.0006) C>SV3.3(336) application_data
---------------------------------------------------------------
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: sv-SE
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: [Hidden]
Connection: Keep-Alive
Cache-Control: no-cache
```
So there is application data, but Wireshark does not want to display it in the Packet List.
I'm currently running:
* Wireshark - Version 1.12.5 (v1.12.5-0-g5819e5b from master-1.12)
* F5: 12.1.0 Build: 0.0.1434
I'm running the exact same tcpdump command as the F5 engineer.
You guys got any idea on how to display the packets in the Packet List?
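
An added example, not part of the original post: a small Python parser for ssldump record headers in the layout shown in the output above. It lists the decrypted client HTTP requests with their connection number, record number and epoch timestamp, so each one can be matched against frames in the capture. The sample text is constructed (the Host value is a placeholder), and the header layout is assumed from the single record line quoted in the post.

```python
import re

# Record header as printed in the post, e.g.
# "1 10 1476792858.7953 (0.0006) C>SV3.3(336) application_data"
HEADER = re.compile(
    r"^(?P<conn>\d+)\s+(?P<rec>\d+)\s+(?P<ts>\d+\.\d+)\s+\((?P<delta>\d+\.\d+)\)\s+"
    r"(?P<dir>[CS]>[CS])\s*(?:V(?P<ver>\d+\.\d+)\((?P<len>\d+)\))?\s+(?P<ctype>\w+)\s*$"
)
HTTP_METHODS = ("GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ")

def parse_ssldump(text):
    """Return one dict per SSL record, with decrypted payload lines attached."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec.update(conn=int(rec["conn"]), rec=int(rec["rec"]), ts=float(rec["ts"]),
                       len=int(rec["len"]) if rec["len"] else None, payload=[])
            records.append(rec)
        elif records and line and not set(line) <= {"-"}:
            # Anything that is not a header or a dashed separator belongs
            # to the most recent record.
            records[-1]["payload"].append(line)
    return records

def client_requests(records):
    """(conn, record no., epoch timestamp, request line) per decrypted client request."""
    found = []
    for r in records:
        if r["ctype"] == "application_data" and r["dir"] == "C>S" and r["payload"]:
            first = r["payload"][0]
            if first.startswith(HTTP_METHODS):
                found.append((r["conn"], r["rec"], r["ts"], first))
    return found

# Constructed sample in the same layout as the post's output.
SAMPLE = """\
1 1 1476792858.7100 (0.0010) C>SV3.3(198) Handshake
1 10 1476792858.7953 (0.0006) C>SV3.3(336) application_data
---------------------------------------------------------------
GET / HTTP/1.1
Host: example.test
Connection: Keep-Alive
1 11 1476792858.8011 (0.0058) S>CV3.3(480) application_data
---------------------------------------------------------------
HTTP/1.1 200 OK
"""

if __name__ == "__main__":
    for conn, rec, ts, request in client_requests(parse_ssldump(SAMPLE)):
        print(f"conn {conn} record {rec} at {ts:.4f}: {request}")
```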