Why does Wireshark not recognize WCF traffic as TLS encrypted?


In a .NET application, communication between client and service can be implemented using various different bindings, NetTcpBinding being one of them.

The class defines an attribute named Security, which, according to this article, defaults to Transport.

This further article explains how Transport works:

The NetTcpBinding class uses TCP for message transport. Security for the transport mode is provided by implementing Transport Layer Security (TLS) over TCP. The TLS implementation is provided by the operating system.

This sounds to me as if, upon connecting with a WCF Service, the client would perform a TLS handshake. However, if I watch the traffic with Wireshark 3.2.3, the traffic is only recognized as “TCP”, with no TLS handshakes in sight. If there is a TLS handshake going on, shouldn’t Wireshark recognize it as such? Why does it only see generic “TCP Data”?