OSQA is unmaintained. Help us figure out where to go from here.

I think I have SSL/TLS decryption properly-configured: as long as I start capturing before my SSL/TLS session starts, then I see the HTTP messages pulled out of the TLSv1 packets. However, if I start a capture in the middle of an SSL/TLS session, I see nothing besides TLSv1 or TCP packets.

I don't remember having this limitation last time I tried capturing and decoding SSL or TLS (over a year ago), and I cannot find evidence that it should be this way.

I have the private certificate for the server I am talking to, and in the Wireshark: Capture Options dialog, I have a capture filter limiting to only the IPv4 of the host I want to monitor.

The client is Chrome 34, and the server is Windows Server 2012 (pre-R2). I have a Citrix Netscaler device in front of the server. I am using Wireshark 1.10.7 on Windows 8.1 x64.

asked 29 Apr '14, 09:25

Aren%20Cambre's gravatar image

Aren Cambre
31115
accept rate: 0%


You need the TLS handshake with the key exchange in the capture file to be able to decrypt the traffic.

Regards
Kurt

permanent link

answered 29 Apr '14, 13:45

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.7k1037236
accept rate: 15%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×316
×162
×73
×56

question asked: 29 Apr '14, 09:25

question was seen: 1,917 times

last updated: 29 Apr '14, 13:45

p​o​w​e​r​e​d by O​S​Q​A