Decryption Expert Error: No Frames were decrypted

Feb 21, 2012 at 12:17 AM

I'm trying to decrypt a SSL trace captured using Netmon.

Netmon parser version is 3.4.2350.0 and NMDecrypt version is 2.3.3

---------------------------
Decryption Expert: Error
---------------------------
No Frames were decrypted, Netmon Filter Set may not match with current parser version.  Use parser version 3.4.2345.1 or greater.
---------------------------
OK  
---------------------------

ANy help would be appreciated

Feb 21, 2012 at 2:24 PM

If you run Network Monitor, can you see the TLS/SSL traffic in the trace you are trying to decrypt?  What parser profile do you have selected?  And how did you run the expert, did you select a TCP convesration in the conversation tree before launching the expert?

Thanks,

Paul

Feb 21, 2012 at 5:38 PM
Hi Paul,
Thanks for replying. Yes I can see the SSL handshake without any errors. I didn’t select a TCP conversation before launching, if I did that, it wouldn’t save any frames.
I selected all traffic and then selected the nmdecrypt expert.
The default parser profile for netmon is selected.
Regards,
Kaushal
From: [email removed]
Sent: Tuesday, February 21, 2012 7:54 PM
To: [email removed]
Subject: Re: Decryption Expert Error: No Frames were decrypted [nmdecrypt:333230]

From: PaulLong

If you run Network Monitor, can you see the TLS/SSL traffic in the trace you are trying to decrypt? What parser profile do you have selected? And how did you run the expert, did you select a TCP convesration in the conversation tree before launching the expert?

Thanks,

Paul

Feb 21, 2012 at 5:45 PM

There is a bug with the current version where if you don't select a conversation, it doesn't try to decrypt anything.  However, in most cases this won't work anyways due to how the expert works.  To start, select a single TCP conversation that has a full SSL conversation. 

I'm going to respond to your email posted from the blog instead, as I think we'll need to pass some files back and forth.  Expect a response in your inbox.

Paul