Handshake: Client Hello SSL 3.0, resume session
followed by the same letter number combination --> S
This means that the tcpdump file does not contain the packets that were exchanged when the Session was originally negotiated.
The master secrets are computed only during the initial session negotiation. They are simply reused when a session is resumed. Unsniff cannot track the sessions if it misses the original "client hello : prefer cipher ..." message.
Usually there is a timer that controls how long a session stays around in the server. For Apache using mod_ssl, the timer is usually set at 300 secs (5 mins).
See the SSLSessionCacheTimeout parameter.
To ensure that you capture the initial session negotiation, stop the client application for about 5-10 mins (or longer depending on your server configuration). Then start tcpdump / Wireshark / Unsniff to capture the packets.
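
A way to check a captured Client Hello for this condition, as an added example that is not part of the original answer or of Unsniff: in SSL 3.0 through TLS 1.2 a resuming client sends the cached session ID in its Client Hello, so a non-empty session_id field marks a resume. The function names and the sample records are constructed for illustration, and the parser assumes the Client Hello fits in a single record.

```python
import struct

def build_client_hello(session_id: bytes) -> bytes:
    """Constructed sample: a minimal SSL 3.0 Client Hello record (hypothetical helper)."""
    hello = (b"\x03\x00" + bytes(32)                  # client_version, 32-byte random
             + bytes([len(session_id)]) + session_id  # session_id vector
             + b"\x00\x02\x00\x0a"                    # one cipher suite
             + b"\x01\x00")                           # null compression only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake

def client_hello_session_id(record: bytes) -> bytes:
    """Return the session_id offered in an SSL 3.0 / TLS 1.0-1.2 Client Hello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22 or major != 3:
        raise ValueError("not an SSL 3.0 / TLS handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated handshake record")
    if body[0] != 1:
        raise ValueError("handshake message is not a Client Hello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # Layout: client_version (2) + random (32) + session_id length (1) + session_id
    if len(hello) < 35:
        raise ValueError("truncated Client Hello")
    sid_len = hello[34]
    if sid_len > 32 or len(hello) < 35 + sid_len:
        raise ValueError("invalid session_id length")
    return hello[35:35 + sid_len]

def is_resumed_session(record: bytes) -> bool:
    """True when the client offers a cached session ID, i.e. asks to resume."""
    return len(client_hello_session_id(record)) > 0

# Constructed sample records, not taken from a real capture.
FULL_HANDSHAKE = build_client_hello(b"")
RESUMED = build_client_hello(bytes(range(32)))

if __name__ == "__main__":
    for name, rec in (("full", FULL_HANDSHAKE), ("resumed", RESUMED)):
        state = "resume session" if is_resumed_session(rec) else "new session"
        print(f"{name}: Client Hello, {state}")
```

If the first Client Hello on a connection reports a resume, the original negotiation is not in the capture and the capture should be retaken after the server's session cache timeout has passed.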