This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dumpcap and decryption

0

Does anyone know how to set up dumpcap to decrypt packets in monitor mode? Or, should it be used with the -I option, save the captured packets and decrypt them in the Wireshark GUI? WS can be quite memory intensive though, so it might not like the large packet file.

Thanks

asked 12 Aug '15, 22:29


mun
16448
accept rate: 0%


2 Answers:

0

dumpcap is just a tool to record packets from a network card (or other communication port) to disk. It has no additional processing logic, so no, you cannot decrypt packets with dumpcap. Decrypting needs to be performed by Wireshark.

If your files are too large you might want to split them in smaller files, either during capture (multi file capture) or using editcap with the "-c" parameter later. There may be problems with decrypting packets though if the session setup is in a different file than the rest of the conversation, so reconstructing those may require merging them first.

answered 13 Aug '15, 00:12


Jasper ♦♦
23.8k551284
accept rate: 18%
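The workflow Jasper describes (capture into smaller files, or split an existing file with editcap -c, merge the pieces that belong to one conversation, then let Wireshark/tshark do the decrypting) as an added shell example; this is not code from the original thread or from the Wireshark project. The interface name, ring-buffer size, capture duration, chunk size and the WPA passphrase/SSID are assumptions, and the tshark preference names used for 802.11 decryption (wlan.enable_decryption and the 80211_keys UAT) are taken from Wireshark's preference set rather than from this page.

```shell
#!/bin/sh
# Added example, not from the original Q&A: capture -> split -> merge -> decrypt
# around dumpcap/editcap/mergecap/tshark. Nothing here decrypts inside dumpcap;
# decryption is left to tshark, which shares Wireshark's dissectors.
set -eu

IFACE="${IFACE:-wlan0}"            # assumption: an interface that supports monitor mode
OUT_DIR="${OUT_DIR:-./captures}"   # assumption: where capture files are written
CHUNK_PACKETS="${CHUNK_PACKETS:-100000}"   # packets per file for editcap -c (assumption)
WPA_PASS="${WPA_PASS:-CHANGEME}"   # assumption: WPA passphrase for the test network
SSID="${SSID:-example-ssid}"       # assumption: SSID of that network

# Planning helper: how many files editcap -c will produce for a capture of
# `packets` packets when each file holds at most `per_file` packets (ceil division).
expected_chunks() {
    packets=$1
    per_file=$2
    echo $(( (packets + per_file - 1) / per_file ))
}

# True when all four Wireshark command-line tools are on PATH.
have_tools() {
    for t in dumpcap editcap mergecap tshark; do
        command -v "$t" >/dev/null 2>&1 || return 1
    done
    return 0
}

# 1. Capture in monitor mode (-I) straight into a ring of smaller files so that
#    no single file grows too large for the Wireshark GUI. -b filesize is in kB;
#    -a duration (seconds) is an assumed stop condition for the example.
capture_multi_file() {
    mkdir -p "$OUT_DIR"
    dumpcap -I -i "$IFACE" -b filesize:102400 -a duration:300 -w "$OUT_DIR/mon.pcapng"
}

# 2. Split an already-captured large file after the fact with editcap -c.
#    editcap inserts a counter (and timestamp) before the extension, e.g. chunk_00000_....pcapng
split_capture() {
    mkdir -p "$OUT_DIR"
    editcap -c "$CHUNK_PACKETS" "$1" "$OUT_DIR/chunk.pcapng"
}

# 3. Decryption needs the session setup (for WPA, the 4-way handshake) in the same
#    file as the data frames, so merge the chunks of one conversation before decrypting.
merge_chunks() {
    mergecap -w "$OUT_DIR/merged.pcapng" "$OUT_DIR"/chunk_*.pcapng
}

# 4. Decrypt with tshark rather than dumpcap. The -o preferences below are
#    Wireshark's 802.11 decryption settings (assumed here, not taken from the page).
decrypt_with_tshark() {
    tshark -r "$1" \
        -o wlan.enable_decryption:TRUE \
        -o "uat:80211_keys:\"wpa-pwd\",\"${WPA_PASS}:${SSID}\"" \
        -Y "wlan.fc.type == 2" -c 20
}

# Run the offline part of the workflow only when asked and when the tools exist:
#   sh split_merge_decrypt.sh --run big-capture.pcapng
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    if have_tools; then
        split_capture "$2"
        merge_chunks
        decrypt_with_tshark "$OUT_DIR/merged.pcapng"
    else
        echo "dumpcap/editcap/mergecap/tshark not all found on PATH" >&2
        exit 1
    fi
fi
```

The live capture step (capture_multi_file) is kept separate because it needs a monitor-mode capable interface and usually root; the --run path only exercises the split, merge and decrypt steps on a file you already have. Keys belong in environment variables or a UAT file rather than on the command line in shared systems, since the command line is visible to other local users.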

0

answered 13 Aug '15, 00:36


grahamb ♦
19.8k330206
accept rate: 22%

Gah, didn't read the question properly about using dumpcap. As @Jasper says, you need to use Wireshark or tshark, as per my link.

(13 Aug '15, 03:46) grahamb ♦