ssl.handshake and ring buffer capture

["John Modlin" <jmodlin () kyloc com>]

Hi,

 

I've setup tshark to do a nightly capture and include ssl traffic.  The
decryption is working great.  The problem

I have is I'm keeping files to a 50mb size so the files are manageable in
wireshark to view and filter.  The captures

Can be several hundred mb.  The decryption works great in the 1st capture
file from the ring buffer where the 

Ssl.handshake info exists, but the subsequent files from the ring buffer
don't have that information in it of course,

And consequently wireshark does not then decrypt the subsequent files.  

Is there an eloquent way to handle this?

 

Thanks,

John

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe