Decrypting very large TLS captures

asked 2025-07-22 17:31:19 +0000

I'm in a situation where I have some large (~20GB) captures from a set of long-running TLS connections, but I really only care about the last few MB of the capture file.

Loading a capture file this large typically causes the program to crash (out of memory), even when trying to just export the PDUs directly via tshark to a file using the following command template:

tshark -r <pcapng_file> -o "tls.keylog_file:<keylog_file>" -U "OSI layer 7" -w output.pcapng

My understanding is that tshark/Wireshark can only decrypt TLS connections if it has both the appropriate secrets and the full contiguous data capture between the TLS connection negotiation and the end of the capture.

The capture itself is filtered to only contain the TLS traffic, so there's not much I can remove from the trace prior to conversion.

Is there anything that I can do to get the decrypted PDUs from the end of the file in this situation (outside of increasing my swap partition and crossing my fingers)? Thanks!


Comments

What happens if you use the '-M' option with this command? Does TLS decryption continue?

Jaap ( 2025-07-22 17:38:36 +0000 )

It may help to reduce the memory usage by disabling the protocol used on top of TLS. For example, in the case of HTTP, add the option: --disable-protocol http,http2,http3

André ( 2025-07-23 19:33:04 +0000 )