# Can Wireshark decrypt Windows RMI packets?

I am looking at a trace file with Windows RMI packets (HTTP on TCP port 5985). The client authenticates with an NTLMv2 hash. Clients usually connect to the service with one of two tools:

• The Windows Management Instrumentation Client, wmic.exe
• PowerShell, using the switch -ComputerName

GitHub has a nice Python script to decrypt the traffic. The script extracts WMI messages from a trace file and decodes them, as long as the trace holds only a single TCP connection.

Is anybody aware of a similar function in Wireshark?

And yes, I do have a trace file including the required password. Is https://wiki.wireshark.org/SampleCapt... still a good place to upload trace files?

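Before any decryption is possible, the first thing to pull out of such a trace is the NTLM handshake itself: the server challenge, the account and workstation that authenticated, whether the response is NTLMv2, and whether sealing was negotiated (if it was, the SOAP bodies that follow are encrypted and unreadable without the password). The following parser, an added example that is not part of the original question or of the GitHub script it mentions, decodes the NTLMSSP CHALLENGE and AUTHENTICATE messages carried in HTTP `WWW-Authenticate`/`Authorization` headers on TCP 5985, using the field offsets from MS-NLMP. The header values, account names, challenge bytes and flags in `SAMPLE_EXCHANGE` are constructed for the demonstration, not taken from a real capture; SPNEGO-wrapped tokens are deliberately not unwrapped.

```python
"""Decode the NTLMSSP handshake found in WinRM HTTP authentication headers.

Added example (not from the original post). Message layouts follow MS-NLMP;
the sample exchange below is constructed, not captured.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Subset of NegotiateFlags (MS-NLMP 2.2.2.5) that matter for confidentiality.
FLAGS = {
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
}


def _field(buf, off):
    """Read a (Len, MaxLen, BufferOffset) descriptor and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]


def parse_ntlm(blob):
    """Parse a raw NTLMSSP message (type 1, 2 or 3) into a dict."""
    if not blob.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:                                   # NEGOTIATE_MESSAGE
        info["flags"] = struct.unpack_from("<I", blob, 12)[0]
    elif msg_type == 2:                                 # CHALLENGE_MESSAGE
        info["target_name"] = _field(blob, 12).decode("utf-16-le")
        info["flags"] = struct.unpack_from("<I", blob, 20)[0]
        info["server_challenge"] = blob[24:32]
    elif msg_type == 3:                                 # AUTHENTICATE_MESSAGE
        nt_resp = _field(blob, 20)
        info["domain"] = _field(blob, 28).decode("utf-16-le")
        info["user"] = _field(blob, 36).decode("utf-16-le")
        info["workstation"] = _field(blob, 44).decode("utf-16-le")
        info["encrypted_session_key"] = _field(blob, 52)
        info["flags"] = struct.unpack_from("<I", blob, 60)[0]
        # NTLMv2: 16-byte NTProofStr followed by a client blob starting 0x01 0x01;
        # a bare 24-byte value would be an NTLMv1 response.
        info["ntlmv2"] = len(nt_resp) > 24 and nt_resp[16:18] == b"\x01\x01"
    else:
        raise ValueError(f"unknown NTLMSSP message type {msg_type}")
    info["flag_names"] = sorted(n for bit, n in FLAGS.items() if info["flags"] & bit)
    return info


def ntlm_from_header(header_value):
    """'NTLM <b64>' or 'Negotiate <b64>' -> parsed message; None if it is not raw NTLMSSP.

    A Negotiate token may be SPNEGO (DER) wrapping Kerberos or NTLM; unwrapping
    that is out of scope here, so such tokens are skipped rather than mis-parsed.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate") or not token:
        return None
    blob = base64.b64decode(token)
    return parse_ntlm(blob) if blob.startswith(NTLMSSP_SIGNATURE) else None


def build_type2(target, challenge, flags):
    """Assemble a CHALLENGE_MESSAGE with a TargetName and empty TargetInfo (test input only)."""
    name = target.encode("utf-16-le")
    # Signature(8) Type(4) TargetNameFields(8) Flags(4) Challenge(8) Reserved(8) TargetInfoFields(8) = 48
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", len(name), len(name), 48)
            + struct.pack("<I", flags) + challenge + bytes(8)
            + struct.pack("<HHI", 0, 0, 48 + len(name)) + name)


def build_type3(domain, user, workstation, nt_resp, lm_resp, enc_key, flags):
    """Assemble an AUTHENTICATE_MESSAGE without Version/MIC (test input only)."""
    items = [lm_resp, nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), enc_key]
    fields, payload, offset = b"", b"", 64   # 8 + 4 + 6 descriptors * 8 + flags(4) = 64
    for item in items:
        fields += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


# Constructed sample handshake: NTLMv2 with signing, sealing and key exchange negotiated.
SAMPLE_FLAGS = 0x00000010 | 0x00000020 | 0x00000200 | 0x00080000 | 0x20000000 | 0x40000000
SAMPLE_NT_RESP = bytes(16) + b"\x01\x01" + bytes(6) + bytes(8) + b"\xaa" * 8 + bytes(8)
SAMPLE_EXCHANGE = [
    ("WWW-Authenticate", "NTLM " + base64.b64encode(
        build_type2("WS01", bytes.fromhex("0123456789abcdef"), SAMPLE_FLAGS)).decode()),
    ("Authorization", "NTLM " + base64.b64encode(
        build_type3("CORP", "alice", "ADMIN-PC", SAMPLE_NT_RESP, bytes(24), b"\x11" * 16, SAMPLE_FLAGS)).decode()),
]


def summarize(headers):
    """Walk (name, value) HTTP header pairs and summarise the NTLM handshake they carry."""
    summary = {}
    for _name, value in headers:
        msg = ntlm_from_header(value)
        if msg is None:
            continue
        if msg["type"] == 2:
            summary["target"] = msg["target_name"]
            summary["server_challenge"] = msg["server_challenge"].hex()
        elif msg["type"] == 3:
            summary["account"] = f"{msg['domain']}\\{msg['user']}"
            summary["workstation"] = msg["workstation"]
            summary["ntlmv2"] = msg["ntlmv2"]
            # With SEAL set the following SOAP bodies are RC4-encrypted under a key derived
            # from the password hash; without the password there is nothing to decode.
            summary["sealed"] = "NEGOTIATE_SEAL" in msg["flag_names"]
            summary["key_exchange"] = "NEGOTIATE_KEY_EXCH" in msg["flag_names"]
    return summary


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_EXCHANGE).items():
        print(f"{key:16} {val}")
```

Feed `summarize` the header pairs of each HTTP request/response in one TCP stream (Wireshark's "Follow TCP Stream" output is enough) and it tells you, per connection, which account authenticated and whether the session is sealed, which is the same per-connection grouping the GitHub script needs before it can decrypt anything.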

You might be able to see the decrypted data if you capture via an ETW file, e.g. using netsh trace or the new MS tool PacketMon.