Expected speed of decryption?

Mar 23, 2012 at 2:57 PM

I have a question about the speed of decrypting.  I'm seeing "NmDecrypt" decrypt about 20 TLS/SSL packets per minute.  Given that I have a trace of about 4700 encrypted packets, the decryption takes about four hours.  This trace represents about 100 seconds of wall-clock time and the two machines on either end of the TCP connection are  keeping up with encryption/decryption, so the four hours seems very slow to me.  Is there something I could do to speed up the decryption?  (I'm a beginner with this software, so I could be missing something obvious.)

I'm using:

  • Network Monitor 3.4.2350 (dated 24 June 2010)
  • the open-source parser package, version 3.4.2774.0001 (dated 19 Dec 2011)
  • NmDecrypt 2.3.3 (dated 26 October 2011)

to decrypt TLS/SSL traffic.


My hardware and system software is:

  • AMD Athlon 64 X2 Dual Core Processor 4000+ at 2.10 GHz
  • 3.0 GB RAM
  • 64-bit Windows 7 Home Premium with Service Pack 1

Thanks in advance for any insight that you might have,

-- Steve Ross

Mar 23, 2012 at 3:38 PM

Decrypting can be a slow process, but that seems exceeding slow.  In my experience it's never taken more than 5 minutes to decrypt anything I've tried.  The most recent case I did was for a 800 frame trace.  So perhaps something is wrong.

Any chance you could share the trace and cert with me on SkyDrive or some other file sharing service?  I think you might also be ableto attach to an Issue, but that would be a very public option.


Mar 23, 2012 at 4:32 PM


Thanks for your quick reply. 

Regarding providing a trace plus the certificate, I've asked around and that may be a bit difficult.  Is there any thing you could suggest that I could try locally first?


-- Steve Ross

Mar 26, 2012 at 1:48 PM

I was going to see if I saw any performance differences with your trace.  I suppose I'm uncertain of the difference between your machine an mine, so it's hard to say if there's a problem or if this is normal.  I suppose you could download the Visual Studio project and profile NMDecrypt to see if there's any paritcular place that is slowing down.  BTW, you'll want to use the default parser profile when you run the expert as this will give you better performance.  You can select this in the UI before running the expert.


Mar 26, 2012 at 3:41 PM

Hi Paul,

Earlier last week, I did try tweaking the settings in NetMon to see if it would increase the decryption speed of NmDecrypt.

1) I experimented with NetMon's "NetMonitor Parsers"  setting, but I found that NmDecrypt could not decrypt the parsed file (it reported the error of "SSL frames are not found in the current capture file") when the NetMon parsing setting was "Default".  Instead, the parsing setting needed to be "Windows" to (apparently) drill down deeper into my Remote Desktop Protocol (RDP) packets encrypted by TLS/SSL.  (If it makes any difference, in its "RDP-Tcp Properties" window, I set my RDP server to have a "Security layer" of "SSL (TLS 1.0)" and an "Encryption level" of "Client Compatible".)

2) I compared the decryption speed both when creating a decryption log file and not creating one in NmDecrypt.  I found that this did not make an appreciable difference in the speed of NmDecrypt's decryption.

At this point, I've got the decrypted traces that I need (although I'll undoubtedly need to decrypt more traces in the future) so it is not a priority issue for me.  If you have any other suggestions, I'd be glad to try them.  If not, thanks for your help.  (And I'm sorry that I'm not allowed to forward one of the traces to you.)

-- Steve Ross

Mar 28, 2012 at 6:28 PM

Here's one counter intuitive observation.

For new captured traces, I still see a decryption rate of about 20 packets per minute.  On my dual core processor, the average CPU load for both CPUs is about 52%.  However, if I run  two decryption processes simultaneously, both decrypt at roughly 60 packets per minute!  For two decryptions at once, both CPUs are busy 100% of the time.

I don't understand how adding a 2nd NmDecrypt speeds up the first one.

Mar 29, 2012 at 2:21 PM

Yes, that is completly counter intuitive.  I'm not sure why that could have any effect.  I wonder if there's some other factor, like antivirus software, or some other 3rd party.  This is the first complaint of this type that I've heard and I know, from all the email I get, that it has some heavy usage.  However, we haven't done any kind of format performance tests.