CPC: H04L 9/0637 (2013.01) [H04L 9/065 (2013.01)]
Claims: 20

1. A method for monitoring network traffic in a network using one or more processors that are configured to execute instructions, wherein the execution of the instructions causes performance of actions, comprising:
monitoring a capture flow that includes network traffic for a plurality of records that are encrypted and captured from one or more network flows, wherein the captured network traffic is decrypted for analysis based on an encryption protocol and one or more previously captured records that were decrypted and identified as a candidate key block;
determining a hole in the capture flow based on one or more gaps in one or more portions of the captured network traffic, wherein the hole disables the monitoring of the capture flow and the decryption of the captured network traffic;
determining a size of the hole based on a size of the one or more gaps in the one or more portions of the captured network traffic;
capturing one or more other portions of the captured network traffic that is encrypted from the capture flow and subsequent to the hole;
iteratively determining one or more cipher resynchronization parameters that include one or more candidate sequence numbers that are validated for decryption of one or more records subsequent to the one or more gaps for the one or more other portions of the captured network traffic, wherein the determination is based on the size of the hole, the one or more other portions of the captured network traffic, a last sequence number for one or more decrypted records prior to the one or more gaps, and the encryption protocol; and
decrypting the one or more other portions of the captured network traffic based on the one or more cipher resynchronization parameters, wherein the monitoring of the capture flow is re-enabled after the hole.
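The claim above describes a resynchronization search: after a capture hole, the monitor knows the last sequence number it decrypted and how many bytes are missing, but not how many whole records fell in the hole nor where the next record boundary lies, so it must try candidate (offset, sequence number) pairs and keep the one whose record authenticates. The following is an added illustration written for this page, not code from the patent or its assignee. It assumes a TLS 1.3 style record layer in which the per-record nonce is the static IV XORed with the 64-bit sequence number (in TLS 1.2 AES-GCM the nonce is explicit in the record and the sequence number only enters the additional data, but the tag check is still the validator); a stdlib HMAC-based encrypt-then-MAC construction stands in for AES-GCM so that the example runs offline, and the record stream, key, IV and hole position are constructed test data. Function names (`seal`, `open_record`, `record_at`, `resync`, `decrypt_after_resync`, `demo`) are hypothetical.

```python
"""Cipher resynchronisation after a capture hole (added example, not the patent's code)."""
import hashlib
import hmac
import struct

TAG_LEN = 16
HDR_LEN = 5                          # TLS record header: type(1) version(2) length(2)
MIN_RECORD = HDR_LEN + 1 + TAG_LEN   # smallest record this toy record layer can emit


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; a stand-in for the AES-CTR half of GCM.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _nonce(iv: bytes, seq: int) -> bytes:
    # TLS 1.3 style nonce: static IV XOR big-endian sequence number (assumed protocol).
    return bytes(a ^ b for a, b in zip(iv, seq.to_bytes(len(iv), "big")))


def seal(key: bytes, iv: bytes, seq: int, plaintext: bytes) -> bytes:
    nonce = _nonce(iv, seq)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    header = b"\x17\x03\x03" + struct.pack(">H", len(ct) + TAG_LEN)
    tag = hmac.new(key, header + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return header + ct + tag


def open_record(key: bytes, iv: bytes, seq: int, record: bytes):
    """Return the plaintext, or None if the record does not authenticate under seq."""
    if len(record) < MIN_RECORD or record[:3] != b"\x17\x03\x03":
        return None
    (length,) = struct.unpack(">H", record[3:5])
    if len(record) != HDR_LEN + length:
        return None
    header, ct, tag = record[:HDR_LEN], record[HDR_LEN:-TAG_LEN], record[-TAG_LEN:]
    nonce = _nonce(iv, seq)
    expect = hmac.new(key, header + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expect, tag):
        return None        # wrong sequence number (wrong nonce) or not a record boundary
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def record_at(buf: bytes, off: int):
    """Slice out a plausibly framed, fully captured record starting at off, else None."""
    if off + HDR_LEN > len(buf) or buf[off:off + 3] != b"\x17\x03\x03":
        return None
    (length,) = struct.unpack(">H", buf[off + 3:off + 5])
    end = off + HDR_LEN + length
    if length < 1 + TAG_LEN or end > len(buf):
        return None
    return buf[off:end]


def resync(key: bytes, iv: bytes, last_seq: int, hole_size: int, after_hole: bytes):
    """Search for the (offset, seq) pair that decrypts the first record after the hole.

    Records lost are bounded by the hole size: a hole of H bytes can touch at most
    H // MIN_RECORD whole records plus the two records straddling its ends, so the
    candidate sequence numbers run from last_seq + 1 to last_seq + 1 + that bound.
    """
    max_lost = hole_size // MIN_RECORD + 2
    for off in range(len(after_hole) - MIN_RECORD + 1):
        rec = record_at(after_hole, off)
        if rec is None:
            continue                              # header prefilter: not a record start
        for seq in range(last_seq + 1, last_seq + 2 + max_lost):
            if open_record(key, iv, seq, rec) is not None:
                return off, seq                   # validated cipher resync parameters
    return None


def decrypt_after_resync(key: bytes, iv: bytes, after_hole: bytes, off: int, seq: int):
    """Resume normal monitoring: decrypt consecutive records from the resync point."""
    out = []
    while (rec := record_at(after_hole, off)) is not None:
        pt = open_record(key, iv, seq, rec)
        if pt is None:
            break
        out.append(pt)
        off, seq = off + len(rec), seq + 1
    return out


def demo():
    key, iv = b"k" * 32, b"\x01" * 12            # constructed test key material
    msgs = [b"GET /a HTTP/1.1\r\n", b"GET /bb HTTP/1.1\r\n", b"ok",
            b"GET /ccc HTTP/1.1\r\n", b"GET /d HTTP/1.1\r\n", b"bye"]
    recs = [seal(key, iv, i, m) for i, m in enumerate(msgs)]
    stream = b"".join(recs)
    # Constructed hole: starts 10 bytes into record 1, ends 7 bytes into record 3,
    # so records 1..3 are unrecoverable and record 0 is the last decrypted one.
    hole_start = len(recs[0]) + 10
    hole_end = len(recs[0]) + len(recs[1]) + len(recs[2]) + 7
    after_hole = stream[hole_end:]
    hole_size = hole_end - hole_start
    rec0 = record_at(after_hole, 0)                # naive continuation at seq 1, offset 0
    naive = open_record(key, iv, 1, rec0) if rec0 else None
    found = resync(key, iv, 0, hole_size, after_hole)
    recovered = decrypt_after_resync(key, iv, after_hole, *found) if found else []
    return {"hole_size": hole_size, "naive": naive, "resync": found, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The offset scan is what the claim's "one or more other portions of the captured network traffic" contributes: the hole can end mid-record, so the next record boundary must be located before any sequence number can be tried. The inner loop is deliberately bounded by the hole size rather than open-ended; an unbounded search would let an attacker who can induce capture drops make the monitor burn a tag verification per candidate sequence number indefinitely.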