Wireshark not displaying application data for tcpdump using ssldump

Hello everyone

I have been testing SSLdump and I have ran into what seems to be a Wireshark problem but I'm not sure.

I have added a custom Client SSL Profile to exclude Diffie-Hellman algorithms using the following Cipher Option:

NATIVE:!DH:!EDH:!DHE:!ADH:!ECDHE

I have also adjusted the Cache Size to 0 sessions and Cache Timeout to 1 seconds so that we do not cache anything.

During the SSL Handshake we select the TLS_RSA_WITH_AES_256_CBC_SHA256 and when running the SSLdump command I get entries in the PMS log AND I can see decrypted data.

When I launch Wireshark and check the tcpdump + load the PMS I do not see any difference at all. When I check the follow SSL Stream I can see the decrypted data that I saw in the SSLdump.

But the thing is I want to see the packets in the packet list so I can follow the SYN/ACK packets with the GET requests. But I do not see any GET requests at all.

I noticed that when I have not added the PMS key I do not have any packet that states "Application Data" and I believe here is the problem. Here is how it looks when reviewing an F5 technician doing it:

No PMS:

With PMS:

Here is how my output looks (No PMS):

The output I can see in my ssldump is this:

1 10 1476792858.7953 (0.0006)  C>SV3.3(336)  application_data
---------------------------------------------------------------
GET / HTTP/1.1

Accept: text/html, application/xhtml+xml, */*

Accept-Language: sv-SE

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko

Accept-Encoding: gzip, deflate

Host: [Hidden]

Connection: Keep-Alive

Cache-Control: no-cache

So there are application data but Wireshark does not want to display it in the Packet List.

I'm currently running: * Wireshark - Version 1.12.5 (v1.12.5-0-g5819e5b from master-1.12) * F5: 12.1.0 Build: 0.0.1434

I'm running the exact same tcpdump command as the F5 engineer.

You guys got any idea on how to display the packets in the Packet List?