Wireshark shows decrypted SSL contents as SSL instead of cleartext

Article ID: 168759

Products

SSL Visibility Appliance Software

Issue/Introduction

Decrypted SSL traffic is sent to the Copy Port. You have Wireshark running to perform packet captures on the Copy Port. However, Wireshark identifies the captured traffic as being SSL.

Cause

By default, Wireshark decodes traffic on TCP-443 as SSL.

Resolution

When viewing decrypted SSL flows, TCP-443 should be decoded as HTTP. To do this:

1. Select a packet that has TCP-443 as the Source Port or Destination Port.
2. Right-click and choose Decode As.
3. On the Transport tab, select Port 443 from the drop-down box, regardless of whether it is Source or Destination.
4. In the right column, choose HTTP from the list.
5. Click OK.

Alternatively, if you select a decrypted packet in Wireshark, right-click, and choose Follow TCP Stream, you will be able to see the contents in cleartext.
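
To confirm that TCP-443 traffic captured on the Copy Port is actually cleartext HTTP and not merely relabelled TLS records, the first payload bytes of each flow can be checked. The following is an added example, not part of the original article or the product; the function names classify_payload and summarize are hypothetical and the sample payloads are constructed.

```python
import re

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
TLS_MAX_RECORD_LEN = 16384 + 2048  # largest ciphertext fragment a record may carry

HTTP_REQUEST = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n"
)
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3} ")
HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def classify_payload(payload: bytes) -> str:
    """Heuristically classify the start of a TCP payload as "tls", "http" or "unknown"."""
    if len(payload) >= 5:
        content_type, major, minor = payload[0], payload[1], payload[2]
        length = int.from_bytes(payload[3:5], "big")
        # A TLS record starts with: type (1 byte), version 3.x (2 bytes), length (2 bytes)
        if (content_type in TLS_CONTENT_TYPES and major == 3 and minor <= 4
                and 0 < length <= TLS_MAX_RECORD_LEN):
            return "tls"
    if (HTTP_REQUEST.match(payload) or HTTP_RESPONSE.match(payload)
            or payload.startswith(HTTP2_PREFACE)):
        return "http"
    return "unknown"


def summarize(payloads):
    """Count how many payloads fall into each class."""
    counts = {"tls": 0, "http": 0, "unknown": 0}
    for p in payloads:
        counts[classify_payload(p)] += 1
    return counts


# Constructed sample payloads (not taken from a real capture).
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    bytes([22, 3, 1, 0, 5]) + b"\x01\x00\x00\x01\x00",  # handshake record header
    bytes([23, 3, 3, 0, 4]) + b"\xde\xad\xbe\xef",       # application_data record
    b"\r\nmid-stream body bytes",                         # continuation segment
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Only the first data segment of each flow is meaningful input; segments from the middle of an HTTP body are reported as "unknown". A count of "tls" on the Copy Port capture means those flows were not decrypted, and Decode As will not make them readable.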