I am not seeing any decoded application data.
I am running Wireshark 2.4 on the web server box, and I have the private key in .pem format.
I have the server private key listed in the RSA keys list.
I have the port specified as start_tls and the protocol as http.
The traffic comes in on https://servername:4993
Is there anything else I need to specify in the RSA keys list or ???
asked 09 Oct '17, 13:03
The port number in the RSA keys dialog is actually ignored since Wireshark 2.2, at least for matching the private key file.
You have probably run into a TLS session which uses an (EC)DHE cipher suite instead of one based on the RSA key exchange. Such sessions cannot be decrypted using the RSA private key file; look for the keylog file (SSLKEYLOGFILE) approach instead.
answered 14 Oct '17, 10:52
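An added example, not part of the original answers and not Wireshark code: a way to check which case applies by reading the cipher suite the server selected in its ServerHello and classifying it as RSA key exchange or (EC)DHE. The function names and the sample record builder are hypothetical, and the suite table is a small subset of the IANA registry for TLS 1.2 and earlier.

```python
import struct

# Subset of IANA TLS cipher suite values (TLS 1.2 and earlier).
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def selected_suite(record: bytes) -> int:
    """Return the cipher suite chosen in a TLS record holding a ServerHello."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    body = record[9:]                  # skip record (5) + handshake (4) headers
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = body[34]                 # follows version (2) + random (32)
    off = 35 + sid_len
    if len(body) < off + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack_from("!H", body, off)[0]

def rsa_key_file_decrypts(record: bytes):
    """Return (suite name, verdict): True if the server's RSA key file alone
    can decrypt, False for (EC)DHE suites, None if the suite is not in SUITES."""
    suite = selected_suite(record)
    if suite not in SUITES:
        return f"unknown(0x{suite:04X})", None
    name = SUITES[suite]
    return name, name.startswith("TLS_RSA_WITH_")

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ServerHello record."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"      # null compression
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for s in (0x002F, 0xC02F):
        print(rsa_key_file_decrypts(build_server_hello(s, bytes(32))))
```

A `False` verdict is the situation the answer describes: the RSA keys list cannot help, and the session secrets have to come from a keylog file instead.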
Presuming that the traffic is simply https on port 4993, try replacing the start_tls entry with 4993.
answered 10 Oct '17, 02:13