Hi,
I’ve set up tshark to do a nightly capture and include SSL traffic. The decryption is working great. The problem I have is I’m keeping files to a 50 MB size so the files are manageable in Wireshark to view and filter. The captures can be several hundred MB. The decryption works great in the 1st capture file from the ring buffer where the ssl.handshake info exists, but the subsequent files from the ring buffer don’t have that information in them of course, and consequently Wireshark does not then decrypt the subsequent files.
Is there an eloquent way to handle this?
Thanks,
John