user16177792

How do I detect TLS data inside TCP packet?

I have recently been trying to learn the basics of the TLS protocol, and I am unsure about how TCP packets containing TLS data can be differentiated from those that don't.

Can someone please provide an explanation?

Upvotes: 0

Views: 1742

Answers (2)

Paani

Reputation: 560

I believe that the main distinguishing factor here would be the TCP port. Port 443 is reserved for TLS/HTTPS and any communication happening on that would involve the TLS machinery to kick in. At the TLS Client side, destination port would be 443 and on TLS Server it would be the source port. TLS components can then distinguish between TLS handshake messages vs encoded application data (the latter is handled by the TLS Record protocol).

Upvotes: 0

Maarten Bodewes

Reputation: 94098

TCP - the Transmission Control Protocol - is the underlying protocol of many higher level protocols; it doesn't specify what it transports. It turns a best effort packet protocol (IP) into a two way connection that can transport any stream of data.

TLS - the Transport Layer Protocol - provides security on top of a protocol such as TCP. It has a specific protocol description where the handshake records can easily be distinguished.

However, as indicated, TCP may transport any data. So if you have a protocol that is, say, one bit different from TLS then it won't be easy to detect this small change. However, tools such as Wireshark are pretty capable of detecting protocols with high certainty.

Separate data records are harder to detect, as encrypted data packets don't contain much distinguishing features. Encrypted data itself looks like random data by definition. So if you just have a few packets then you have just some structure and otherwise random data. Now such random data is probably encrypted, but other than that it isn't much use for determining the protocol.

Upvotes: 1
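The two answers above give the two practical signals: the TCP port (Paani) and the structure of the TLS record header, which is easy to recognise for handshake records and much weaker for encrypted application data (Maarten Bodewes). The following added example, which is not part of either answer, shows both checks applied to constructed TCP payload bytes: it parses the 5-byte record header (content type, version, length), looks one level deeper for plaintext handshake messages, and walks several records coalesced in one segment. The sample payloads, the `TLS_PORTS` set and the helper names are all assumptions made for the example.

```python
import struct

# TLS record-layer content types (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Plaintext handshake message types that can appear at the start of a handshake record.
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   16: "client_key_exchange", 20: "finished"}
# 2^14 bytes of plaintext plus the expansion allowance for TLS 1.2 ciphertext.
MAX_RECORD_LEN = 16384 + 2048
# Ports with implicit TLS (assumption for the example: a small, well-known set).
TLS_PORTS = {443, 465, 636, 853, 993, 995}


def port_hint(src_port, dst_port):
    """Weak signal: is either endpoint on a port conventionally used for TLS?"""
    return src_port in TLS_PORTS or dst_port in TLS_PORTS


def classify_tls_record(payload):
    """Return a dict describing the TLS record at the start of payload, or None.

    Only the 5-byte header is validated: content type, a 3.x version and a sane
    length. For handshake records the first handshake message type is also read.
    An encrypted record that happens to start with a plausible header is
    indistinguishable from a real one at this level, which is exactly the
    limitation the answer describes.
    """
    if len(payload) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype not in CONTENT_TYPES:
        return None
    if major != 3 or minor > 4:  # SSL 3.0 through TLS 1.3 use 3.0 .. 3.4
        return None
    if length == 0 or length > MAX_RECORD_LEN:
        return None
    info = {"content_type": CONTENT_TYPES[ctype], "version": f"{major}.{minor}",
            "length": length, "complete": len(payload) >= 5 + length}
    if ctype == 22 and len(payload) >= 9:
        hs_type = payload[5]
        hs_len = int.from_bytes(payload[6:9], "big")
        # Only a plaintext handshake message has a type byte and a length that
        # fits inside the record; an encrypted Finished will usually fail this.
        if hs_type in HANDSHAKE_TYPES and hs_len + 4 <= length:
            info["handshake_type"] = HANDSHAKE_TYPES[hs_type]
    return info


def split_records(payload):
    """Walk consecutive complete TLS records in one TCP segment payload."""
    records, offset = [], 0
    while offset < len(payload):
        info = classify_tls_record(payload[offset:])
        if info is None or not info["complete"]:
            break
        records.append(info)
        offset += 5 + info["length"]
    return records


# --- constructed sample payloads (not captured traffic) ---
# ClientHello body: version 3.3, 32-byte random, empty session id,
# one cipher suite (TLS_AES_128_GCM_SHA256), null compression -> 41 bytes.
_CH_BODY = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
CLIENT_HELLO = b"\x16\x03\x01" + struct.pack("!H", 4 + len(_CH_BODY)) \
               + b"\x01" + len(_CH_BODY).to_bytes(3, "big") + _CH_BODY
CCS_RECORD = b"\x14\x03\x03\x00\x01\x01"
ENC_FINISHED = b"\x16\x03\x03\x00\x28" + bytes(range(0xA0, 0xA0 + 40))  # opaque "ciphertext"
APP_DATA = b"\x17\x03\x03\x00\x10" + bytes(range(0x40, 0x50))
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
ONE_BIT_OFF = b"\x16\x02" + CLIENT_HELLO[2:]  # major version byte changed


if __name__ == "__main__":
    for name, pl in [("ClientHello", CLIENT_HELLO), ("app data", APP_DATA),
                     ("HTTP", HTTP_GET), ("bit-flipped", ONE_BIT_OFF)]:
        print(f"{name:12s} -> {classify_tls_record(pl)}")
    print("coalesced    ->", split_records(CCS_RECORD + ENC_FINISHED))
    print("port hint    ->", port_hint(51234, 443))
```

The header check is cheap and reliable for the unencrypted start of a handshake, which is why a protocol dissector can label a ClientHello with confidence. For later records it only confirms that the bytes are shaped like a record; the body is opaque, so beyond "this is probably encrypted traffic on a TLS-looking framing" nothing more can be read from it, and the port only adds a convention, not proof.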
