Revision history
initial version

I have now been able to locate the issue by fiddling with the different TCP protocol option settings under Edit -> Preferences -> Protocols -> TCP.

It turns out that when the option "Analyze TCP sequence numbers" is checked, the payload of TCP segments marked with the Expert Info warning "Previous segment(s) not captured" is not decrypted. However, when unchecking this option, those packets are decrypted. The complete TCP settings to have everything working look like this:

  • CHECK Show TCP summary in protocol tree
  • UNCHECK Validate the TCP checksum if possible
  • CHECK Allow subdissector to reassemble TCP streams
  • CHECK Reassemble out-of-order segments
  • UNCHECK Analyze TCP sequence numbers
  • UNCHECK Relative sequence numbers
  • UNCHECK Track number of bytes in flight
  • UNCHECK Calculate conversation timestamps
  • UNCHECK Try heuristic sub-dissectors first
  • UNCHECK Ignore TCP Timestamps in summary
  • UNCHECK Do not call subdissectors for error packets
  • CHECK TCP Experimental Options with a Magic Number
  • UNCHECK Display process information via IPFIX

Hope this can help someone else struggling with partial TLS decryption!
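The same checklist as a reproducible tshark invocation, added here as an example and not part of the original answer: the `tcp.*` preference keys are the TCP dissector's own names (confirm them for your version with `tshark -G prefs`), and the capture file, key log file and the default `http` display filter are assumed inputs.

```shell
#!/bin/sh
# Added example (not from the original answer): the checklist above as
# tshark "-o" overrides, so the settings can be applied reproducibly and the
# effect of "Analyze TCP sequence numbers" on decryption can be compared.
# Preference key names are the TCP dissector's; the "_with_magic" key and
# the key log key have changed across Wireshark versions, so confirm with:
#   tshark -G prefs | grep -E '^(tcp|tls)\.'
set -eu

# One "-o key:value" pair per line, in the order of the checklist.
tcp_prefs() {
  cat <<'EOF'
-o tcp.summary_in_tree:TRUE
-o tcp.check_checksum:FALSE
-o tcp.desegment_tcp_streams:TRUE
-o tcp.reassemble_out_of_order:TRUE
-o tcp.analyze_sequence_numbers:FALSE
-o tcp.relative_sequence_numbers:FALSE
-o tcp.track_bytes_in_flight:FALSE
-o tcp.calculate_timestamps:FALSE
-o tcp.try_heuristic_first:FALSE
-o tcp.ignore_tcp_timestamps:FALSE
-o tcp.no_subdissector_on_error:FALSE
-o tcp.dissect_experimental_options_with_magic:TRUE
-o tcp.display_process_info:FALSE
EOF
}

# Number of frames matching a display filter after decryption, with
# sequence-number analysis forced on (TRUE) or off (FALSE); a later -o
# overrides the earlier one for the same key.
#   $1 capture file, $2 TLS key log file, $3 TRUE|FALSE, $4 display filter
decrypted_frames() {
  # shellcheck disable=SC2046  # word-splitting of tcp_prefs is intended
  tshark -r "$1" -o "tls.keylog_file:$2" $(tcp_prefs) \
    -o "tcp.analyze_sequence_numbers:$3" \
    -Y "$4" -T fields -e frame.number | wc -l | tr -d ' '
}

# Usage: ./tls-prefs.sh capture.pcapng sslkeys.log [filter]
# Assumes the decrypted traffic is HTTP unless a filter is given.
if [ $# -ge 2 ]; then
  filter=${3:-http}
  echo "analyze_sequence_numbers=TRUE : $(decrypted_frames "$1" "$2" TRUE "$filter")"
  echo "analyze_sequence_numbers=FALSE: $(decrypted_frames "$1" "$2" FALSE "$filter")"
fi
```

If the second count is larger than the first, the capture has the gaps the answer describes and the unchecked setting is what makes the remaining records decryptable.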