How to know if all the encrypted packets have been decrypted in Wireshark
I'm looking for a very advanced spyware on my home network infrastructure. The first thing I am trying to do is decrypt the traffic on port 443 with the well-known method, that is, taking advantage of the "SSLKEYLOGFILE" variable in Wireshark. I therefore used the key file to decrypt the traffic. My problem, however, is that once the key file is entered I can't tell whether all the packets passing through port 443 have been decrypted. Is there a simple way to know? It is not important for me to specify the operating system because I use different systems and because Wireshark should work identically on the various systems.
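One way to answer the question from the command line is to export, per TLS stream, the record content types and the protocol chain (`frame.protocols`) with tshark while the key log is loaded, and then check whether any frame of each stream dissected to a protocol above `tls`. The script below is an added example, not code from the question or from Wireshark; it assumes the tshark command shown in the comment and runs on a constructed sample of that output.

```python
import csv
import io

# Constructed sample of tshark "-T fields" output (tab-separated), as produced
# by the assumed extraction command (preference name tls.keylog_file, which
# points at the same file the SSLKEYLOGFILE variable writes):
#   tshark -r capture.pcapng -o tls.keylog_file:sslkeys.log \
#          -Y "tls.record.content_type == 23" \
#          -T fields -e tcp.stream -e tls.record.content_type -e frame.protocols
# Streams 0 and 1 decrypt (http2 / http appear above tls); stream 2 does not.
SAMPLE_FIELDS = """\
0\t23\teth:ethertype:ip:tcp:tls:http2
0\t23,23\teth:ethertype:ip:tcp:tls:http2
1\t23\teth:ethertype:ip:tcp:tls:http
2\t23\teth:ethertype:ip:tcp:tls
2\t23\teth:ethertype:ip:tcp:tls
1\t22,23\teth:ethertype:ip:tcp:tls:http
"""

APP_DATA = "23"  # TLS record content type "Application Data"


def tls_coverage(fields_text):
    """Return (decrypted, undecrypted): sets of tcp.stream ids that carried
    TLS Application Data records, split by whether at least one of their
    frames dissected to a layer above tls (http, http2, ...)."""
    seen = set()
    decrypted = set()
    for row in csv.reader(io.StringIO(fields_text), delimiter="\t"):
        if len(row) < 3:
            continue  # frame without the three requested fields
        stream = row[0]
        ctypes = row[1].split(",")        # one frame may hold several records
        protocols = row[2].split(":")     # dissector chain, outermost first
        if APP_DATA not in ctypes:
            continue
        seen.add(stream)
        # If decryption worked, the chain continues past "tls".
        if "tls" in protocols and protocols[-1] != "tls":
            decrypted.add(stream)
    return decrypted, seen - decrypted


if __name__ == "__main__":
    ok, bad = tls_coverage(SAMPLE_FIELDS)
    print("streams decrypted:", sorted(ok))
    print("streams still opaque:", sorted(bad))
```

A stream listed as opaque is one whose Application Data records never produced an upper-layer dissection, which is exactly the case to look at more closely (missing keys, a non-browser client, or a protocol Wireshark does not dissect inside TLS).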
I don't see how this will help you with finding advanced spyware.
The only data that comes out of my machine is on 443 and UDP 123. If we exclude the NTP server, the only one that remains is the browser. If I export the keys and then use them to decrypt the browser traffic and a part of the traffic is not decrypted, then it is most likely that the spyware has been injected into the browser executable or could be an add-on. If, using the keys, I should be able to decrypt all the traffic but this does not happen, then it is very suspicious. This alone is a big step forward for me because I have further limited the area of the PC that I have to analyze. If the traffic is visible it means that the spyware is relatively on the surface. If, on the other hand, there is traffic that is not visible then we are talking ...
This would be somewhat unusual. No ARP, no DNS? Windows systems, especially, can be chatty with other protocols, including port 80 for HTTP.
Yes, of course also DNS and ARP. And IRC, or IMAP and ping will be salt. But DNS is not encrypted, nor ARP or ping. 99% of the traffic is on 443.