The decryption of a TLS stream will fail, regardless of version, if there is a gap in the TLS stream. So, if the initial handshake is missing, no data will be decrypted.
If the gap is later in the stream then it will fail at that point. This may happen when the TCP preferences "Allow subdissector to reassemble TCP streams" or "Reassemble out-of-order segments" are not enabled.
If the detection trigger comes after the initial handshake then the only option is to capture continuously, using a ring buffer, and use the trigger to either stop the capture or extract the needed data. For example:
```
dumpcap -b filesize:102400 -b files:10 -w demo.pcapng -i <interface>
```
See dumpcap(1) Manual Page for all options for a ring buffer.
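
One way to wire a trigger to the ring buffer, as an added example that is not part of the original answer: it starts the same dumpcap ring buffer, waits for a trigger file, then stops the capture and copies the whole ring before anything is overwritten. The `ring` and `evidence` directories, the trigger-file mechanism and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. PREFIX, RING_DIR, OUT_DIR and
# TRIGGER_FILE are assumptions; point TRIGGER_FILE at whatever your detection creates.
PREFIX=${PREFIX:-demo}
RING_DIR=${RING_DIR:-./ring}
OUT_DIR=${OUT_DIR:-./evidence}
TRIGGER_FILE=${TRIGGER_FILE:-./trigger}

# List ring files oldest-first. dumpcap names them PREFIX_NNNNN_YYYYMMDDhhmmss.pcapng,
# so the shell's sorted glob expansion is chronological within one capture run.
ring_files() {
    for f in "$1"/"$2"_[0-9]*_[0-9]*.pcapng; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Copy every ring file to $3 and print how many were saved. Keeping the whole
# ring matters: a missing file is a gap, and TLS decryption stops at a gap.
preserve_ring() {
    mkdir -p "$3" || return 1
    ring_files "$1" "$2" | {
        n=0
        while IFS= read -r f; do
            cp -p "$f" "$3/" && n=$((n + 1))
        done
        echo "$n"
    }
}

# Capture into the ring until the trigger appears, then stop and preserve.
capture_until_trigger() {
    mkdir -p "$RING_DIR" || return 1
    # Same ring-buffer options as the command above.
    dumpcap -q -b filesize:102400 -b files:10 -w "$RING_DIR/$PREFIX.pcapng" -i "$1" &
    cap_pid=$!
    while [ ! -e "$TRIGGER_FILE" ]; do
        kill -0 "$cap_pid" 2>/dev/null || return 1   # dumpcap exited early
        sleep 1
    done
    # Stop at once so the oldest file (possibly the handshake) is not overwritten.
    kill -INT "$cap_pid"
    wait "$cap_pid" || true
    preserve_ring "$RING_DIR" "$PREFIX" "$OUT_DIR"
}

if [ "${1:-}" = "--run" ]; then capture_until_trigger "${2:?interface name required}"; fi
```

Run it as `sh script.sh --run <interface>`; the ring must be large enough that the handshake of the session of interest is still in it when the trigger fires.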