May 21, 2012 at 8:49 PM


I found problems with the certificate, once you download the certificate I can save it with a PEM or PFX, select the extension PFX but 'the certificate is saved in my desktop with extension CRT, and not with the 'extension PFX I had chosen. What 's the problem?

May 21, 2012 at 9:25 PM

So are you using the instructions in the NMDecrypt help to export the certificate?  If so, what version of the OS are you using?

May 21, 2012 at 9:42 PM

Windows Vista Home premium service pack 2

type system :  OS 32 bit

May 22, 2012 at 4:08 PM

When you are using the Certificate Export Wizard, on the Export File Format, are you selecting the radio button for "Personal Information Exchnage"?

May 22, 2012 at 5:47 PM

On the 'Certificate Export Wizard "can not select" Exchange of personal information-PKCS # 12 (*. PFX). "
How can I enable this option?

May 22, 2012 at 5:52 PM

Were you able to provide a password one the step before this one?  I think this is required.  I you can only export certain certificates this way, though I'm not familiar with all the details of why you might not be able to.  Did you create the cert that you are trying to export?


May 22, 2012 at 6:43 PM

Yes, but not in the format supported by NMdecript, it fails to complete the operation.

May 22, 2012 at 7:44 PM

I believe when you create the certificate, you need to indicate whether it's exportable or not.  Did you see this option when you created the certificate?

May 22, 2012 at 8:31 PM

Yes, but the extensions supported for export are as follows:
Select the format to use:

DER encoded binary X.509 (. CER)

Base-64 encoded X.509 (. CER)

Cryptographic Message Syntax Standard - PKCS Certificates # 7 (. P7b)

If possible, include all certificates in the certification path.

The following formats can not select

Personal Information Exchange - PKCS # 12 (*. PFX)

If possible, include all certificates in the certification path

Delete the private key if export is successful

Export all extended properties

Microsoft serialized certificate store (. SST)

All this and very strange because the format supported by Windows and just the PKCS # 12 (*. PFX).

You know what is the solution?

May 22, 2012 at 8:41 PM

I'm asking when you created the certificate, not now.  Maybe it's better if I ask where did this certificate come from?  Did you create it?

May 31, 2012 at 9:35 PM

Hello Paul

After many attempts I managed to create a certificate. Fixed a problem if it has another, I send you the log file, can you help?


- SSL Decryption Log -.-.-.-.-.-.-

Log Created On: 31/05/2012 16.58.05

NMDecrypt Version:
NMAPIs Initialized.
Initializing Netmon Parsers...
sparser.npb:001.000 Successfully unserialized NPL parser 'C:\ProgramData\Microsoft\Network Monitor 3\NPL\NetworkMonitor Parsers\Profiles\FE3524BB-D1B3-41a4-BA6B-B05C3056B4D7\sparser.npb.
Netmon Parsers initialized successfully.
Adding SSLVersionSelector Display Filter...
Display Filter added successfully
Adding Conversation.IPv4.Id == 1966 Conversation Filter...
****Warning****: Using a non TCP Conversation Filter, Conversation.IPv4.Id == 1966, might cause the expert to fail.  You should use a filter at the TCP layer or higher.  A conversation filter at a higher level might work, say IPv4 or IPv6, but this depends on the traffic.  Under these conditions all traffic must use the same certificate and the traffic for each conversation must be sequential.
Conversation Filter, Conversation.IPv4.Id == 1966 added successfully
SSL Version Filter added successfully
Adding Conversation.IPv4.Id == 1966 Conversation Filter...
****Warning****: Using a non TCP Conversation Filter, Conversation.IPv4.Id == 1966, might cause the expert to fail.  You must use a filter at the TCP layer or higher.  A conversation filter at a higher level might work, say IPv4 or IPv6, but this depends on the traffic.  Under these conditions all traffic must use the same certificate and the traffic for each conversation must be sequential.
Eval Parser Conversation Filter, Conversation.IPv4.Id == 1966 added successfully
This Netmon Version is supported
****Warning***: We've tested with version: 03.04.2748.0001.  Your version is: 03.04.2774.0001 0000. This might cause problems if the TLS/SSL parsers have changed significantly.
Opening Encrypted Capture File: H:\Capture\unicredit.cap
Creating Decrypted Capture File: H:\Capture\decrip.cap
Proposing Init Filter String of Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData
Using Init Filter String of Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.Tls.
Changing Conversation ID from 18446744073709551615 to 1967
Entered IsTLSSLPayloadFragmented: Frame 74713

Processing Frame Number: 74713
Found 177 Fields in Frame
74713,0: Processing Field: Ethernet
   Value: Etype = Internet IP (IPv4),DestinationAddress:[1C-A0-20-00-02-00],SourceAddress:[03-00-02-00-00-00]
74713,1: Processing Field: Ethernet.DestinationAddress
   Value: 1CA020 000200 [1C-A0-20-00-02-00]
Repurposing Destination IP Address 1CA020 000200 [1C-A0-20-00-02-00]
74713,2: Processing Field: Ethernet.DestinationAddress.Rsv
   Value: (000111..)
74713,3: Processing Field: Ethernet.DestinationAddress.UL
   Value:  (......0.) Universally Administered Address
74713,4: Processing Field: Ethernet.DestinationAddress.IG
   Value:  (.......0) Individual address (unicast)
74713,5: Processing Field: Ethernet.SourceAddress
   Value: 030002 000000 [03-00-02-00-00-00]
Repurposing Source IP Address: 030002 000000 [03-00-02-00-00-00]
74713,6: Processing Field: Ethernet.SourceAddress.Rsv
   Value: (000000..)
74713,7: Processing Field: Ethernet.SourceAddress.UL
   Value:  (......1.) Locally Administered Address
74713,8: Processing Field: Ethernet.SourceAddress.IG
   Value:  (.......1) Group address (multicast)
74713,9: Processing Field: Ethernet.EthernetType
   Value: Internet IP (IPv4), 2048(0x800)
74713,10: Processing Field: Ethernet.Ipv4
   Value: Src =, Dest =, Next Protocol = TCP, Packet ID = 11352, Total IP Length = 241
74713,11: Processing Field: Ethernet.Ipv4.Versions
   Value: IPv4, Internet Protocol; Header Length = 20
74713,12: Processing Field: Ethernet.Ipv4.Versions.Version
   Value:      (0100....) IPv4, Internet Protocol
74713,13: Processing Field: Ethernet.Ipv4.Versions.HeaderLength
   Value: (....0101) 20 bytes (0x5)
74713,14: Processing Field: Ethernet.Ipv4.DifferentiatedServicesField
   Value: DSCP: 0, ECN: 0
74713,15: Processing Field: Ethernet.Ipv4.DifferentiatedServicesField.DSCP
   Value: (000000..) Differentiated services codepoint 0
74713,16: Processing Field: Ethernet.Ipv4.DifferentiatedServicesField.ECT
   Value:  (......0.) ECN-Capable Transport not set
74713,17: Processing Field: Ethernet.Ipv4.DifferentiatedServicesField.CE
   Value:   (.......0) ECN-CE not set
74713,18: Processing Field: Ethernet.Ipv4.TotalLength
   Value: 241 (0xF1)
74713,19: Processing Field: Ethernet.Ipv4.Identification
   Value: 11352 (0x2C58)
74713,20: Processing Field: Ethernet.Ipv4.FragmentFlags
   Value: 16384 (0x4000)
74713,21: Processing Field: Ethernet.Ipv4.FragmentFlags.Reserved
   Value: (0...............)
74713,22: Processing Field: Ethernet.Ipv4.FragmentFlags.DF
   Value:       (.1..............) Do not fragment
74713,23: Processing Field: Ethernet.Ipv4.FragmentFlags.MF
   Value:       (..0.............) This is the last fragment
74713,24: Processing Field: Ethernet.Ipv4.FragmentFlags.Offset
   Value:   (...0000000000000) 0
74713,25: Processing Field: Ethernet.Ipv4.TimeToLive
   Value: 128 (0x80)
74713,26: Processing Field: Ethernet.Ipv4.NextProtocol
   Value: TCP, 6(0x6)
74713,27: Processing Field: Ethernet.Ipv4.Checksum
   Value: 38712 (0x9738)
74713,28: Processing Field: Ethernet.Ipv4.SourceAddress
Repurposing Source IP Address:
74713,29: Processing Field: Ethernet.Ipv4.DestinationAddress
Repurposing Destination IP Address
74713,30: Processing Field: Ethernet.Ipv4.Options
74713,31: Processing Field: Ethernet.Ipv4.Tcp
   Value: Flags=...AP..., SrcPort=4645, DstPort=HTTPS(443), PayloadLen=201, Seq=2821038033 - 2821038234, Ack=208317286, Win=4140 (scale factor 0x2) = 16560
74713,32: Processing Field: Ethernet.Ipv4.Tcp.SrcPort
   Value: 4645
Using Source Port: 4645
74713,33: Processing Field: Ethernet.Ipv4.Tcp.DstPort
   Value: HTTPS(443)
Using Destination Port: 443
74713,34: Processing Field: Ethernet.Ipv4.Tcp.SequenceNumber
   Value: 2821038033 (0xA8259FD1)
74713,35: Processing Field: Ethernet.Ipv4.Tcp.AcknowledgementNumber
   Value: 208317286 (0xC6AAB66)
74713,36: Processing Field: Ethernet.Ipv4.Tcp.DataOffset
   Value: 80 (0x50)
74713,37: Processing Field: Ethernet.Ipv4.Tcp.DataOffset.DataOffset
   Value: (0101....) 20 bytes
74713,38: Processing Field: Ethernet.Ipv4.Tcp.DataOffset.Reserved
   Value:   (....000.)
74713,39: Processing Field: Ethernet.Ipv4.Tcp.DataOffset.NS
   Value:         (.......0) Nonce Sum not significant
74713,40: Processing Field: Ethernet.Ipv4.Tcp.Flags
   Value: ...AP...
74713,41: Processing Field: Ethernet.Ipv4.Tcp.Flags.CWR
   Value:    (0.......) CWR not significant
74713,42: Processing Field: Ethernet.Ipv4.Tcp.Flags.ECE
   Value:    (.0......) ECN-Echo not significant
74713,43: Processing Field: Ethernet.Ipv4.Tcp.Flags.Urgent
   Value: (..0.....) Not Urgent Data
74713,44: Processing Field: Ethernet.Ipv4.Tcp.Flags.Ack
   Value:    (...1....) Acknowledgement field significant
74713,45: Processing Field: Ethernet.Ipv4.Tcp.Flags.Push
   Value:   (....1...) Push Function
74713,46: Processing Field: Ethernet.Ipv4.Tcp.Flags.Reset
   Value:  (.....0..) No Reset
74713,47: Processing Field: Ethernet.Ipv4.Tcp.Flags.Syn
   Value:    (......0.) Not Synchronize sequence numbers
74713,48: Processing Field: Ethernet.Ipv4.Tcp.Flags.Fin
   Value:    (.......0) Not End of data
74713,49: Processing Field: Ethernet.Ipv4.Tcp.Window
   Value: 4140 (scale factor 0x2) = 16560
74713,50: Processing Field: Ethernet.Ipv4.Tcp.Checksum
   Value: 0xE22, Good
74713,51: Processing Field: Ethernet.Ipv4.Tcp.UrgentPointer
   Value: 0 (0x0)
74713,52: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload
   Value: SourcePort = 4645, DestinationPort = 443
74713,53: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData
   Value: Transport Layer Security (TLS) Payload Data
74713,54: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS
   Value: TLS Rec Layer-1 HandShake: Client Hello.
74713,55: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer
74713,56: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer
   Value: TLS Rec Layer-1 HandShake:
74713,57: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.ContentType
   Value: HandShake:
Found Content Type: 22 (Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.Tls.TlsRecLayer.TlsRecordLayer.ContentType)
74713,58: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Version
   Value: TLS 1.0
74713,59: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Version.Major
   Value: 3 (0x3)
74713,60: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Version.Minor
   Value: 1 (0x1)
74713,61: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Length
   Value: 196 (0xC4)
74713,62: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake
   Value: SSL HandShake ClientHello(0x01)
74713,63: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake
74713,64: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType
   Value: ClientHello(0x01)
Found Handshake Message 1 (Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.Tls.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType)
Found Client Hello Message
74713,65: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.Length
   Value: 192 (0xC0)
74713,66: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello
   Value: TLS 1.0
74713,67: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.Version
   Value: TLS 1.0
74713,68: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.Version.Major
   Value: 3 (0x3)
74713,69: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.Version.Minor
   Value: 1 (0x1)
74713,70: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.RandomBytes
   Value: Binary Large Object (28 Bytes)
74713,71: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.RandomBytes.TimeStamp
   Value: 04/22/2012, 17:15:33 .0000 UTC
Found Next Filter for Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.Tls.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.RandomBytes.TimeStamp
Processing Client Hello
74713,72: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.RandomBytes.RandomBytes
   Value: Binary Large Object (28 Bytes)
Found Next Filter for Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.Tls.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.RandomBytes.RandomBytes
Processing Client Hello

Client Random Number:
     00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
0000 4F 94 3C B5 DB FE CA 51 49 FA 2F DD A6 BA AE FD 3F 53 A2 1B F8 B1 31 DC CA 1D 22 2B D9 ED 5B FE O.<µÛþÊQIú/ݦº®ý?S¢.ø±1ÜÊ."+Ùí[þ

74713,73: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.SessionIDLength
   Value: 32 (0x20)
Warning: Session ID Length != 0, we can't decrypt sessions with multiple different reused keys.If the ServerHello Session ID doens't match the last encountered ClientHello Session ID the decryption will fail.
74713,74: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.SessionID
   Value: Binary Large Object (32 Bytes)
Found Client Session IDs 32 (Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.Tls.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.SessionID)
Added Client Session ID: 122
Added Client Session ID: 165
Added Client Session ID: 8
Added Client Session ID: 12
Added Client Session ID: 195
Added Client Session ID: 125
Added Client Session ID: 136
Added Client Session ID: 4
Added Client Session ID: 200
Added Client Session ID: 200
Added Client Session ID: 97
Added Client Session ID: 26
Added Client Session ID: 12
Added Client Session ID: 2
Added Client Session ID: 123
Added Client Session ID: 7
Added Client Session ID: 41
Added Client Session ID: 161
Added Client Session ID: 118
Added Client Session ID: 209
Added Client Session ID: 158
Added Client Session ID: 77
Added Client Session ID: 139
Added Client Session ID: 82
Added Client Session ID: 124
Added Client Session ID: 182
Added Client Session ID: 93
Added Client Session ID: 134
Added Client Session ID: 199
Added Client Session ID: 214
Added Client Session ID: 210
Added Client Session ID: 176
Session ID Length != 0 and there is no previous full TLS/SSL session setup.  We can't decrypt traces without at least one full session setup. 
EXCEPTION: ClientHello contains a Reused Session ID and the intial session setup is missing.  Session ID Length in the first ClientHello must be zero.  You can try to restart the application that is generating the secure connection or narrow down the trace so it contains only one Session ID.

-.-.-.-.-.-.- SSL Decryption Log Ends-.-.-.-.-.-.-

May 31, 2012 at 9:56 PM

The message at the end indicates that the session it was processing is resued.  This means it negotiated previously and is now reusing the ID.  Under these conditions, we cannot decrypt the trace.  You should try restarting the client to make sure a new session is negotiated.

BTW, you should start by decrypting a single TCP conversation first. Decrypting an IP conversation could have certain issues.  This blog discusses these complexities.



Jun 4, 2012 at 5:31 PM

Hello Paul

Thank you for helping

In the registry I noticed the absence of AES 256 in HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Ciphers, how can I add?

Thank ,



Jun 4, 2012 at 6:11 PM

I'm not sure I can help with that registry entry.  This has nothing to do with Network Monitor and I don't have any information on what that registry entry is or how it works.  But I would not recommend changing the registry directly.


Jun 4, 2012 at 10:12 PM