Running Wireshark 3.4.3
I have been looking at WSS traffic. WSS uses TLS for encryption. I can decrypt
by collecting the pre-master secret data as described in various howtos.
A peculiarity of websocket is that he client to server data is XOR'd with a
mask prior to encrypting. To view the data it must first be decrypted and then
unmasked. In my initial session I was pleased to see three tabs at the bottom
of the window. ( raw, decrypted and unmasked ).
Now the problem is that in subsequent sessions the unmask tab no longer
appears. I don't know what I did differently initially to get the tab. I cannot
find a configuration option that would enable this behaviour.
Decryption is useless without unmasking. Wireshark does not list WS or WSS in
the list of protocols. However unmasking exists somewhere. I saw it initially.
