Ask Your Question

Revision history [back]

TLS decryption fails after packet losses induced by tc netem on lo

Dear Wireshark community,

I am currently using Wireshark/Tshark for protocol evaluation under different network conditions. I have succesfully been able to decrypt HTTP/2 traffic over TLS1.3/TCP by providing Wireshark the Pre-Master TLS keys dumped by the nghttp client.

Both server and client are running on the loopback interface and I am capturing the traffic using tcpdump on that interface. To emulate network different network conditions, I have used netem to add delay to the loopback interface and loss to add packet loss.

The decryption has been working fine until I start adding packet loss. What happens then is that Wireshark is sometimes unable to decrypt packets that follows the TCP Expert Info Warning: Previous segment(s) not captured (common at capture start). I read somewhere that when TCP segments get lost and reordered, it is possible that it breaks the TLS decryption. However, the client receives and decrypts the responses to every request without any problem.

Therefore, I wonder if there is some setting in Wireshark that would enable the TLS decryption to work even under packet losses. ("Allow subdissector to reassemble TCP streams" and "Reassemble out-of-order segments" are already enabled).