Decrypt TLS - TLS1.2 seen as TCP ?
Hello Guys,
I'm facing an issue with Wireshark and TLS decryption. I have an old trace (November) from a user and his SSLKEYLOGFILE. This trace is decrypted by Wireshark.
Recently, I needed to do it again, but this time Wireshark doesn't decrypt the TLS stream.
Source of both traces is the same user (same browser and same URL).
In the new trace the TLS 1.2 is displayed as TCP (not sure if it's the issue) but at this point I'm unable to decrypt the traffic.
I upgraded to the latest version 3.4.2 (just in case) but still the same issue.
I absolutely need to read this file (the problem occurs rarely and we don't know how to generate the issue) so I don't have many traces :/
Can you help me?
Thanks a lot
Herve Jacquemin
3.6.1 is the latest stable version of Wireshark. Is the traffic on TCP port 443? Have you tried creating a new profile in Wireshark to eliminate config settings?
You could share the capture on a public share and link back to it here so we can check why it's not being dissected as TLS, even if we can't decrypt it.
You'll find the trace here (link valid 1 week).
I just upgraded again to 3.6.1 but still the same. I don't use a profile, I use default settings.
Yes it's on port 443.
It's weird as the old trace is good and not the last one.
Thanks for your help