3

In this Wireshark screenshot, there is a message type "Encrypted Data". Does anyone know what this is and in which situations this message type will be sent?

Wireshark capture of a TLS Encrypted Data

Mike Ounsworth
HappyCoding

2 Answers


You should probably start with a general overview of how TLS works. We have a good introductory post here: How does SSL/TLS work?


To answer your question: every time a new TLS connection is opened, you will see something like this message exchange in Wireshark:

TLS handshake diagram

The Hello and Key Exchange messages are to set up an encrypted channel that only the client and the server can read. They will not send any important data until the encrypted channel has been established, after which all communication between the two will look like the Encrypted Data packet that you see. This is TLS working as intended.


As @TorstenS points out in their answer, Wireshark has the ability to decrypt TLS traffic, but you need to be in control of either the client or the server so that you can extract the session private keys and give them to Wireshark.

Mike Ounsworth

This kind of data will always be sent if there is an encrypted connection. And the reason it does not make any sense to you is exactly to prevent what you are trying to do here, i.e. eavesdropping on the data which is being exchanged.

In case you control both sides of the connection and/or the private key used for the TLS encryption, you will be able to decrypt the information using Wireshark.

Take a look at https://ask.wireshark.org/question/500/how-to-get-tlsv12-to-decode/.

TorstenS
  • "In case you control both sides of the connection and / or the private key used for the TLS encryption" and if the connection does not use ephemeral keys, otherwise there is no way to decrypt after the fact (Forward Privacy) – Patrick Mevzek Jul 30 '18 at 22:39
  • @PatrickMevzek theoretically you can still get the client or server to dump the ephemeral keys, right? – user253751 Jul 31 '18 at 01:33
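The following is an added example, not code from either answer or from the Wireshark project. It shows, in plain Python and without Wireshark or any network access, what both answers describe: the TLS record layer carries readable Hello and Key Exchange records until ChangeCipherSpec, and after that every record (Wireshark labels them "Encrypted Handshake Message" and "Encrypted Data" / "Application Data") is opaque unless you hold the session secrets. It also shows why the ephemeral-key objection in the comments does not block an endpoint you control: the NSS key log format that Wireshark reads (the `tls.keylog_file` preference, usually populated by a client honouring `SSLKEYLOGFILE`) records per-session secrets keyed by the ClientHello's client_random, not the server's long-term private key. All function names (`parse_records`, `client_random`, `load_keylog`, `classify`) are my own, and the capture bytes and key log line are constructed by hand, not taken from a real session.

```python
"""Walk the TLS record layer of a constructed capture and report which records
are encrypted, and whether a supplied key log could decrypt them.

Added example; not from the original answers.  Record header format:
content_type (1 byte) | protocol version (2 bytes) | length (2 bytes) | payload.
"""
import struct
from typing import Dict, List, Optional, Tuple

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}


def parse_records(data: bytes) -> List[Tuple[str, int, bytes]]:
    """Split a byte stream into (content type name, version, payload) records."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((CONTENT_TYPES.get(ctype, f"unknown({ctype})"), version, body))
        off += 5 + length
    return records


def client_random(handshake_body: bytes) -> Optional[bytes]:
    """Return the 32-byte client_random if the handshake message is a ClientHello.
    Layout: type(1) | length(3) | client_version(2) | random(32) | ..."""
    if len(handshake_body) < 38 or handshake_body[0] != 1:
        return None
    return handshake_body[6:38]


def load_keylog(text: str) -> Dict[bytes, bytes]:
    """Parse NSS key log lines ('CLIENT_RANDOM <32-byte hex> <48-byte hex>'),
    the format Wireshark reads from tls.keylog_file."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM":
            keys[bytes.fromhex(parts[1])] = bytes.fromhex(parts[2])
    return keys


def classify(data: bytes, keylog_text: str = "") -> List[Tuple[str, str]]:
    """Label each record the way a capture viewer would: readable handshake
    messages until ChangeCipherSpec, opaque ciphertext afterwards."""
    keys = load_keylog(keylog_text)
    seen_random: Optional[bytes] = None
    cipher_active = False
    labels = []
    for name, _version, body in parse_records(data):
        if name == "ChangeCipherSpec":
            cipher_active = True
            labels.append((name, "cipher spec now active"))
        elif not cipher_active and name == "Handshake":
            rnd = client_random(body)
            if rnd is not None:
                seen_random = rnd  # the lookup key for the key log
            htype = body[0] if body else -1
            labels.append((name, HANDSHAKE_TYPES.get(htype, f"type {htype}")))
        elif cipher_active:
            # Without the session secret this payload is just ciphertext.
            if seen_random is not None and seen_random in keys:
                labels.append((name, "encrypted, decryptable with key log entry"))
            else:
                labels.append((name, "encrypted, no key available"))
        else:
            labels.append((name, "plaintext"))
    return labels


# --- constructed sample (client-to-server direction only), not a real capture ---
def _record(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body


def _handshake(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


CLIENT_RANDOM = bytes(range(32))  # constructed value
SAMPLE_CAPTURE = (
    _record(22, _handshake(1, b"\x03\x03" + CLIENT_RANDOM + b"\x00"      # ClientHello
                           + b"\x00\x02\x13\x01" + b"\x01\x00"))
    + _record(22, _handshake(16, b"\x00\x20" + bytes(32)))            # ClientKeyExchange
    + _record(20, b"\x01")                                            # ChangeCipherSpec
    + _record(22, bytes(40))                                          # encrypted Finished
    + _record(23, b"\xde\xad" * 8)                                    # Application Data
)
SAMPLE_KEYLOG = "CLIENT_RANDOM " + CLIENT_RANDOM.hex() + " " + ("ab" * 48)  # constructed

if __name__ == "__main__":
    for label in classify(SAMPLE_CAPTURE, SAMPLE_KEYLOG):
        print(*label)
```

Run without the second argument and the last two records come back as "encrypted, no key available", which is exactly the view the asker has in Wireshark; pass the key log and the same bytes become decryptable, because the secret was obtained from the endpoint rather than derived from the capture.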