I think I have SSL/TLS decryption properly-configured: as long as I start capturing before my SSL/TLS session starts, then I see the HTTP messages pulled out of the TLSv1 packets. However, if I start a capture in the middle of an SSL/TLS session, I see nothing besides TLSv1 or TCP packets.
I don't remember having this limitation last time I tried capturing and decoding SSL or TLS (over a year ago), and I cannot find evidence that it should be this way.
I have the private certificate for the server I am talking to, and in the Wireshark: Capture Options dialog, I have a capture filter limiting to only the IPv4 of the host I want to monitor.
The client is Chrome 34, and the server is Windows Server 2012 (pre-R2). I have a Citrix Netscaler device in front of the server. I am using Wireshark 1.10.7 on Windows 8.1 x64.
asked 29 Apr '14, 09:25
You need the TLS handshake with the key exchange in the capture file to be able to decrypt the traffic.
answered 29 Apr '14, 13:45
Kurt Knochner ♦