Threat Level: green Handler on Duty: John Bambenek

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

HTTPS on every port?

Published: 2018-01-22
Last Updated: 2018-01-22 21:49:03 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Take a look at this Wireshark capture:

Wireshark dissects this as SSH traffic, but is it really?

Take a look at this Wireshark capture:

Here, you get more details for the individual SSH packets. So that first capture, is probably not SSH.

Wireshark will try to decode protocols based on several criteria, one of them is the port number. If the port is 22, Wireshark will try to decode the traffic as SSH, even it it is not SSH.

The traffic in the first capture is actually TLS. To get Wireshark to decode this traffic as SSL/TLS, you right-click a packet and select "Decode As...".

And then you configure Wireshark to decode traffic with port 22 as SSL:

And now, you get traffic that is properly dissected:

As SSL/TLS becomes ubiquitous, you can expect to find SSL/TLS traffic on non-standard ports. There are a couple of tricks to recognize SSL/TLS traffic: you might see a domain name or strings from the certificate in the first packets, or if you are "brave" enough to look at raw bytes, take a look at the second and third byte of data payload of each TCP packet. If these bytes are all 03 00, or 03 01, or 03 02, or 03 03, then you are most likely dealing with SSL/TLS traffic. These values represent the SSL/TLS version: SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2.

Using Decode As... is not a permanent change: this setting is discarded when Wireshark is closed.

If you want to make this permanent, you will have to go into the configuration of the dissectors. For example, for SSL/TLS you go to the configuration of the HTTP dissector: Edit / Preferences / Protocols / HTTP

If you want to be able to quickly change decodings, I recommend you use different profiles: the default profile, and a second profile where you configure your custom ports.


Didier Stevens
Microsoft MVP Consumer Security

Keywords: tls wiresharkssl
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Retrieving malware over Tor
Jan 21st 2018
1 day ago by DidierStevens (1 comment)

An RTF phish
Jan 20th 2018
2 days ago by DidierStevens (0 comments)

Followup to IPv6 brute force and IPv6 blocking
Jan 19th 2018
4 days ago by Jim (1 comment)

Comment your Packet Captures!
Jan 18th 2018
5 days ago by Xme (2 comments)

Reviewing the spam filters: Malspam pushing Gozi-ISFB
Jan 17th 2018
5 days ago by Brad (3 comments)

View All Diaries →

Latest Discussions

Work logs for hunting
created Jan 18th 2018
5 days ago by Anonymous (0 replies)

What is airbnb doing?
created Jan 9th 2018
2 weeks ago by Mike (0 replies)

Convert OST Emails to PST Files
created Jan 4th 2018
2 weeks ago by Anonymous (0 replies)

Windows Client what the hell is this?
created Jan 2nd 2018
3 weeks ago by Anonymous (0 replies)

My log Reports not displaying reported entries
created Dec 22nd 2017
1 month ago by Tony (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
6 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
5 months ago by Johannes (12 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 month ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
4 months ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
5 months ago by Xme (2 comments)