This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi All,

I have a problem where, from time to time, Wireshark decrypts only part of a SIP flow, and sometimes it decrypts the full flow. This change in decryption happens randomly, and I need to know what is wrong when Wireshark can't decrypt the full flow. For example, in the following capture the SIP session (call) started at packet 4418: in this packet the Originator sent an INVITE to the SIP PROXY, but the INVITE from the SIP PROXY to the Terminator wasn't decrypted. Another marked packet in this capture is 2411, where you can see that messages from the Terminator were decrypted successfully 15 seconds ago.

On the same capture I changed the display filter to SSL and see that the packets were actually captured but not decrypted:

Packets 4423 and 4424 weren't decrypted. From SSL debug log:

  dissect_ssl enter frame #4423 (first time)
  conversation = 05EFD918, ssl_session = 05EFDE18
  record: offset = 0, reported_length_remaining = 1448
  need_desegmentation: offset = 0, reported_length_remaining = 1448

Can anybody suggest how to deal with this problem? I'm using Wireshark version 1.10.3, capturing with the following tshark command:

C:\Program Files (x86)/Wireshark/tshark.exe -l -i 1 -w capture_eth1.pcap -a filesize:15000

Of course, the private key from the certificate was imported into Wireshark via the Wireshark GUI.

asked 30 Nov '13, 15:02

m2a0x

edited 30 Nov '13, 15:27
