Why can't I decrypt TLS traffic in one of my captures?

asked Oct 13 '20 by rschuster, updated Oct 14 '20 by Guy Harris

Can't find log files for Wireshark.

I have a tcpdump from server that Decode As TLS doesn't work.

I've successfully decoded dumps from the same server recently.

No idea why this fresh dump doesn't decode.


Comments

What steps have you taken to decode it? TLS decryption does not work statically. If you could decode last month's and have not done the proper steps again, you can't decode from the same server now in most cases.

hugo.vanderkooij ( Oct 14 '20 )

To what log files are you referring?

Guy Harris ( Oct 14 '20 )

Local WireShark log file on PC, trying to determine why WireShark doesn't decode the new dump taken from a server.

I think I'm doing the right steps to decode, nothing has changed but when I right click to decode new trace nothing happens.

rschuster ( Oct 14 '20 )

Might be that my dump doesn't seem to have the ClientKeyExchange packet, I'll try again.

rschuster ( Oct 14 '20 )

Local WireShark log file on PC, trying to determine why WireShark doesn't decode the new dump taken from a server.

Wireshark doesn't have a log file to which it writes errors. It should be reporting all errors directly to the user, either as dialog boxes or as indications in the display of packet details. For some failures it doesn't report a reason for the failure when it should - for example, IEEE 802.11 decryption can fail with no indication why it failed; all the user sees is that the 802.11 payload isn't decrypted and dissected.

Guy Harris ( Oct 14 '20 )

1 Answer

answered Oct 14 '20 by rschuster

I was able to decrypt one that included the KeyExchange packet.


Comments

This appears to be mentioned, at least for decryption using an RSA private key, in the "TLS decryption" section of the TLS page of the Wireshark Wiki:

The RSA private key file can only be used in the following circumstances:

...

  • The session has not been resumed. The handshake must include the ClientKeyExchange handshake message.

Guy Harris ( Oct 14 '20 )
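The wiki condition quoted above can be checked without Wireshark by walking the plaintext handshake records of the flow. The following script is an added example, not code from the thread or the Wireshark project: it reassembles handshake messages across TLS records, stops at the first ChangeCipherSpec (everything after it is encrypted), and reports whether a ClientKeyExchange was seen. The sample flows at the bottom are constructed placeholders whose bodies carry no real hello or key material; in practice you would feed it the client-to-server TCP payload (or both directions concatenated) exported from the capture.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 0x16, 0x14
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 14: "ServerHelloDone", 16: "ClientKeyExchange"}

def handshake_types(stream: bytes):
    """Return the plaintext handshake message types in a byte stream of TLS
    records, reassembling messages that span record boundaries. Parsing stops
    at the first ChangeCipherSpec because handshake records after it are encrypted."""
    types, buf, off = [], b"", 0
    while off + 5 <= len(stream):
        ctype, _ver, rlen = struct.unpack("!BHH", stream[off:off + 5])
        frag, off = stream[off + 5:off + 5 + rlen], off + 5 + rlen
        if ctype == CHANGE_CIPHER_SPEC:
            break
        if ctype != HANDSHAKE:
            continue  # alerts / application data carry no handshake messages
        buf += frag
        while len(buf) >= 4 and len(buf) >= 4 + int.from_bytes(buf[1:4], "big"):
            types.append(buf[0])
            buf = buf[4 + int.from_bytes(buf[1:4], "big"):]
    return types

def rsa_key_decryptable(stream: bytes):
    """(ok, reason): ok only when a ClientKeyExchange was seen, the condition
    the Wireshark wiki lists for decryption with the server's RSA private key."""
    types = handshake_types(stream)
    seen = ", ".join(HS_NAMES.get(t, f"type {t}") for t in types)
    if 16 in types:
        return True, f"ClientKeyExchange present ({seen})"
    if 2 in types and 11 not in types:
        return False, f"ServerHello without Certificate: resumed session ({seen})"
    return False, f"no ClientKeyExchange in capture ({seen})"

def _rec(ctype: int, payload: bytes) -> bytes:
    """Constructed test data: wrap a payload in one TLS 1.2 record."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def _hs(htype: int, body: bytes) -> bytes:
    """Constructed test data: one handshake message with a placeholder body."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

# Constructed sample flows: a full handshake (ClientKeyExchange split across two
# records to exercise reassembly) and a resumed one (ServerHello straight to CCS).
CCS = _rec(CHANGE_CIPHER_SPEC, b"\x01")
CKE = _hs(16, b"\x01\x00" + b"\xaa" * 256)  # placeholder encrypted premaster secret
FULL = (_rec(HANDSHAKE, _hs(1, b"\x00" * 40) + _hs(2, b"\x00" * 40) + _hs(11, b"\x00" * 8)
        + _hs(14, b"")) + _rec(HANDSHAKE, CKE[:3]) + _rec(HANDSHAKE, CKE[3:]) + CCS)
RESUMED = _rec(HANDSHAKE, _hs(1, b"\x00" * 40) + _hs(2, b"\x00" * 40)) + CCS
```

TLS 1.3 never sends a ClientKeyExchange, so the check reports False for such captures as well, which matches Wireshark: RSA private key decryption only applies to earlier versions using RSA key exchange.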

Asked: Oct 13 '20

Last updated: Oct 14 '20