In a .NET application, communication between client and service can be implemented using various different bindings, NetTcpBinding
being one of them.
The class defines an attribute named Security
, which, according to this article, defaults to Transport
.
This further article explains how Transport
works:
The
NetTcpBinding
class uses TCP for message transport. Security for the transport mode is provided by implementing Transport Layer Security (TLS) over TCP. The TLS implementation is provided by the operating system.
This sounds to me as if, upon connecting with a WCF Service, the client would perform a TLS handshake. However, if I watch the traffic with Wireshark 3.2.3, the traffic is only recognized as "TCP", with no TLS handshakes in sight. If there is a TLS handshake going on, shouldn't Wireshark recognize it as such? Why does it only see generic "TCP Data"?
I did some more digging after this, and discovered that NetTcpBinding
in this scenario uses the .NET Message Framing Protocol, and I was able to decode the first message that went across the wire:
00 01 00
This indicated that it was a Version record, indicating version 1.0.
01 02
This was a Mode record, indicating a Duplex transmission.
02 ... ... ...
This was a Via record, which defines the URI to which subsequent records are bound.
03 08
This was a Known Encoding record, specifying that the encoding was Binary with in-band dictionary, as specified in MC-NBFSE.
09 15 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6e 65 67 6f 74 69 91 74 65
This was a Upgrade Request record, which encoded the string application/negotiate
, which indicates GSS-API Negotiation should be used, as defined in RFC 4178.
0a
This was the response from the server, indicating that the upgrade request was being honoured.
I don't really know how to proceed from here, but most packets start with 16 01 00
, which I assume is documented somewhere in the GSS-API or such? I honestly don't know enough about that. But I guess it's sufficient for my purposes.