This is a static archive of our old Q&A Site. Please post any new questions and answers at

SSL/TLS decrypt doesn’t work if capture started mid-session


I think I have SSL/TLS decryption properly-configured: as long as I start capturing before my SSL/TLS session starts, then I see the HTTP messages pulled out of the TLSv1 packets. However, if I start a capture in the middle of an SSL/TLS session, I see nothing besides TLSv1 or TCP packets.

I don't remember having this limitation last time I tried capturing and decoding SSL or TLS (over a year ago), and I cannot find evidence that it should be this way.

I have the private certificate for the server I am talking to, and in the Wireshark: Capture Options dialog, I have a capture filter limiting to only the IPv4 of the host I want to monitor.

The client is Chrome 34, and the server is Windows Server 2012 (pre-R2). I have a Citrix Netscaler device in front of the server. I am using Wireshark 1.10.7 on Windows 8.1 x64.

asked 29 Apr '14, 09:25

Aren%20Cambre's gravatar image

Aren Cambre
accept rate: 0%

One Answer:


You need the TLS handshake with the key exchange in the capture file to be able to decrypt the traffic.


answered 29 Apr '14, 13:45

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%