All,
We're baffled by an issue we've encountered. We're monitoring (using tshark) off an inline TAP sitting between a client browser (PC) and web server. I can see the 3-way handshake incl. the SSL v3 handshake thereafter. I can see the GET / requests from client to server incl. the 'Continuation or non-HTTP traffic' from the server back to the client (in producing the HTTP response). All fine so far.
At packet 782 we start to see 'Continuation Data[Malformed Packet]' messages and I'm unable to decrypt the conversation thereafter... No more SSL dissector :(
It's also at this stage where I get heaps of duplicate ACKs from the client back to the server. The server then responds with a number of TCP retransmissions. This continues till the connection is closed (RST).
I don't see any dropped packets from the captured interface so we should have all the segments and hence be able to decrypt it, no? We really have our hair in a twist with this one :) I'm happy to share the pcap sample with anyone keen enough to help. I've searched the Internet and this forum and I didn't come up with anything tangible.
Please help!
Thx
Jaco Greyling