TOPIC: Cannot find SessionID, cant decrypt
#139
Cannot find SessionID, cant decrypt 4 Years, 7 Months ago Karma: 0
I am getting the following errors when importing a tcpdump file:
[TLS] Cannot find SessionID being resumed, cant decrypt
{TLS] Will wait to see if any matching SIDs show up

Any help would be appreciated. Thanks!!
 
#140
Re:Cannot find SessionID, cant decrypt 4 Years, 7 Months ago Karma: 0
Hi,

TLS (and SSL) supports Session ID reuse across consecutive or parallel TCP connections between two endpoints.

If your tcpdump file does not contain the packets where the TLS session was successfully negotiated - Unsniff will not be able to perform decryption.

To see if your file has the original TCP session where the Session ID was negotiated, do the following:

1. Switch to the PDU Sheet (click on the PDU tab)
2. Search for "Handshake : Client Hello prefer cipher.." packets
3. See if the next "Handshake : Server Hello.." packet has the Session ID that was resumed.

Hope this helps. If not, reply back here.

Best regards,
Vivek Rajan
Unleash Networks
 
#141
Re:Cannot find SessionID, cant decrypt 4 Years, 7 Months ago Karma: 0
Thanks for the quick response - you're awesome!

When I look on the pdu tab - I see:
Handshake: Client Hello SSL 3.0, resume session
followed by the same letter number combination --> S
 
#144
Re:Cannot find SessionID, cant decrypt 4 Years, 7 Months ago  
Handshake: Client Hello SSL 3.0, resume session

followed by the same letter number combination --> S


This means that the tcpdump file does not contain the packets that were exchanged when the Session was originally negotiated.

The master secrets are computed only during the initial session negotiation. They are simply reused when a session is resumed. Unsniff can't track the sessions if it misses the original "client hello : prefer cipher ..." message.

Usually there is a timer that controls how long a session stays around in the server. For Apache using mod_ssl, the timer is usually set at 300 secs (5 mins); see the SSLSessionCacheTimeout parameter.

To ensure that you capture the initial session negotiation, stop the client application for about 5-10 mins (or longer depending on your server configuration). Then start tcpdump / Wireshark / Unsniff to capture the packets.
netscript
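
The check described in this thread, as an added example that is not part of the original posts and is not Unsniff's code: it reads the Session ID out of Client Hello and Server Hello records and reports whether a resumed session's original negotiation is present in the capture. It assumes each record carries exactly one hello message and that records are already grouped per TCP connection; the function names and sample bytes are constructed for illustration.

```python
import struct

def hello(msg_type, session_id):
    """Build a constructed SSL 3.0 record holding one Client/Server Hello."""
    body = b"\x03\x00" + bytes(32) + bytes([len(session_id)]) + session_id
    # ClientHello lists suites + compression; ServerHello picks one of each.
    body += b"\x00\x02\x00\x2f\x01\x00" if msg_type == 1 else b"\x00\x2f\x00"
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack(">H", len(hs)) + hs

def parse_hello(record):
    """Return (msg_type, session_id) for a hello record, else None."""
    if len(record) < 5 or record[0] != 0x16:      # not a handshake record
        return None
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if len(hs) < 39 or hs[0] not in (1, 2):       # 1=ClientHello, 2=ServerHello
        return None
    sid_len = hs[38]   # after 4-byte header, 2-byte version, 32-byte random
    if sid_len > 32 or len(hs) < 39 + sid_len:
        return None
    return hs[0], hs[39:39 + sid_len]

def classify(connections):
    """Label each connection (a list of records, in capture order)."""
    negotiated = set()   # session IDs whose full handshake is in the capture
    labels = []
    for records in connections:
        offered = assigned = None
        for parsed in filter(None, map(parse_hello, records)):
            if parsed[0] == 1:
                offered = parsed[1]
            else:
                assigned = parsed[1]
        if assigned is None:
            labels.append("no Server Hello captured")
        elif offered and assigned == offered:     # server echoed the ID: resumed
            labels.append("resumed, original "
                          + ("seen" if offered in negotiated else "missing"))
        else:                                     # new ID: keys negotiated here
            negotiated.add(assigned)
            labels.append("full handshake")
    return labels

# Constructed session IDs and captures (not taken from the thread).
SID_A, SID_B = bytes(range(32)), bytes(range(32, 64))
COMPLETE = [[hello(1, b""), hello(2, SID_A)], [hello(1, SID_A), hello(2, SID_A)]]
LATE_START = [[hello(1, SID_B), hello(2, SID_B)]]

if __name__ == "__main__":
    print(classify(COMPLETE), classify(LATE_START))
```

A capture that yields "resumed, original missing" is the situation reported in the first post: the master secret was computed in a handshake that the capture does not contain.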
