Wireshark-users: Re: [Wireshark-users] Wireshark compatibility with A10Networks axdebug pcapng TL

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 15 Nov 2023 00:04:11 +0100
Hi,

In fact this is happening with every action which triggers a redissection of the packets. For instance, changing a dissector preference would do the same.

As you may know, using the menu option View | Reload as File Format/Capture allows you to see the packet blocks as well as the decryption secrets blocks. These would have to be matched against each other to see if decryption keys are available in time during first pass loading of the capture file.

Thanks,
Jaap

On 11/13/23 21:55, Peschel Frank via Wireshark-users wrote:

Hello,

Some machines from A10Networks support packet capturing to pcapng, including the TLS session secrets, with their “axdebug capture” commands.

In contrast to injecting the key material afterwards, for example from an sslkeylogfile, the key material is scattered all over the file.

I guess that is the reason why decryption only works fine for me after reloading Lua ([Ctrl]-[Shift]-L).

I used Wireshark 4.0.10 x64 on Windows 10 and 11.

Before pressing [Ctrl]-[Shift]-L:
[image: image001.png]

After pressing [Ctrl]-[Shift]-L:
[image: image002.png]

You may have a look at the attached file.

Looking forward to hearing from you.


Best regards

Frank Peschel
Information Security Officer
IT Management

Management Services Helwig Schmitt GmbH
Garnisonstr. 12, 34369 Hofgeismar, Germany
Tel: +49-5671-5085-852
www.manserv.com

Commercial register: Amtsgericht Kassel HRB 9217
Registered office: Hofgeismar
Managing Director: Andreas Schmitt
Data protection information
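
The matching of packet blocks against decryption secrets blocks that the reply describes can be scripted. The following is an added example, not part of the original thread and not Wireshark code: it walks the pcapng blocks in file order and reports every TLS key whose Decryption Secrets Block (DSB) appears after a packet that already contains that key's client random, so the key may not have been available on the first pass. The function names and the sample capture are constructed for illustration, and searching packet bytes for the raw client random is a heuristic assumption.

```python
import re, struct

SHB, IDB, EPB, DSB = 0x0A0D0D0A, 1, 6, 0x0A  # pcapng block types
TLS_KEY_LOG = 0x544C534B                      # DSB secrets type "TLSK"

def blocks(data):
    """Yield (type, body, endian) per pcapng block; byte order comes from each SHB."""
    off, endian = 0, "<"
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # SHB type is byte-order neutral
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        yield btype, data[off + 8:off + total - 4], endian
        off += total

def late_secrets(data):
    """List (client_random_hex, packet_no, packets_before_dsb) for keys that arrive late."""
    packets, late, seen = [], [], set()
    for btype, body, endian in blocks(data):
        if btype == EPB:  # captured length at body offset 12, packet data at 20
            (caplen,) = struct.unpack_from(endian + "I", body, 12)
            packets.append(body[20:20 + caplen])
        elif btype == DSB and struct.unpack_from(endian + "I", body)[0] == TLS_KEY_LOG:
            (slen,) = struct.unpack_from(endian + "I", body, 4)
            # key log line format: <label> <client_random, 64 hex chars> <secret>
            for hx in re.findall(rb"(?m)^\w+ ([0-9a-fA-F]{64}) ", body[8:8 + slen]):
                rnd = bytes.fromhex(hx.decode())
                hit = next((n for n, p in enumerate(packets, 1) if rnd in p), 0)
                if hit and hx not in seen:  # random already on the wire, key not yet seen
                    late.append((hx.decode(), hit, len(packets)))
                seen.add(hx)
    return late

def _blk(btype, body):  # helpers below only build the constructed sample capture
    body += b"\0" * (-len(body) % 4)
    size = struct.pack("<I", len(body) + 12)
    return struct.pack("<I", btype) + size + body + size
def _epb(pkt):
    return _blk(EPB, struct.pack("<5I", 0, 0, 0, len(pkt), len(pkt)) + pkt)
def _dsb(rnd):
    log = b"CLIENT_RANDOM %s %s\n" % (rnd.hex().encode(), b"00" * 48)
    return _blk(DSB, struct.pack("<II", TLS_KEY_LOG, len(log)) + log)

def sample():  # constructed capture: key for random A is late, key for B is in time
    a, b = bytes(range(32)), bytes(range(100, 132))
    head = _blk(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    head += _blk(IDB, struct.pack("<HHI", 1, 0, 0))
    return head + _epb(b"hello" + a) + _dsb(a) + _dsb(b) + _epb(b"hello" + b)
```

To run it on a real capture, pass the file's bytes to `late_secrets()`; each tuple names the client random, the first packet number containing it, and how many packets preceded the DSB.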