Use Network Monitor to Capture and Decrypt Lync TLS Traffic

Network Monitor can be run on either the Lync server or the user's computer. The guide below is for Netmon installed on the Lync server, which is the usual choice because that is where the certificate and private key used for the TLS sessions live.

  1. Install Network Monitor
     a. Follow the steps below to install and configure the Lync parser for Network Monitor, so that the decrypted SIP traffic is parsed rather than shown as raw payload.

  2. Capture the traffic
     a. Start capturing by clicking New Capture, then Start.

Note: to capture the traffic properly, restart the Lync service first. The Decryption Expert can only decrypt a session whose complete TLS handshake (Client Hello, Server Hello with the certificate, Client Key Exchange) is in the capture. Connections that were already established when the capture started cannot be decrypted; restarting the service forces clients to reconnect while the capture is running.

     b. Once the problem has been reproduced, click Stop.
     c. Save the capture to the local hard disk.

  3. Decrypt the traffic
     a. Filter the TLS traffic by typing TLS in the Display Filter box and clicking Apply.
     b. Since the capture was taken on the Lync server, it will contain connections from many clients to the server. Narrow the filter further to the specific problematic client to reduce the number of frames to analyze, either:
        - by IP address, or
        - by session (Conversation ID). The Conversation ID of each session is shown in the Conv ID column.

Once the traffic has been filtered, save another copy of it to a different location (make sure to select Displayed frames, so that only the filtered frames are written to the new file).

     c. To decrypt the TLS sessions you need the certificate, together with its private key, that the server presented during the handshake. The certificate serial number can be read from the frame labelled TLS:TLSRec Layer-1 HandShake: Server Hello. Certificate. Certificate Request. Server HelloDone.

In the Frame Details pane in the bottom left corner, expand TLS > TlsRecordLayer > SSLHandshake > Cert:0x1.

Expand the certificate, find the SerialNumber field and write down its value exactly as shown.

     d. On the Front End server, open the Certificates MMC snap-in and select Computer Account > Local Computer.

Expand Personal > Certificates and find the certificate whose serial number matches the one from the captured traffic. Note that Netmon displays the serial number as hex bytes, while the MMC shows it as a continuous hex string; compare the digits, not the formatting.

Export the certificate together with its private key in PFX format. The private key must have been marked exportable when the certificate was requested; if the export wizard does not offer to include the private key, the key is not exportable and this certificate cannot be used with the Decryption Expert. The PFX file is the server's private key: protect it with a strong password, keep it only on the machine where the decryption is performed, and delete it once the analysis is finished.

     e. From Netmon, launch the Decryption Expert.

Select the certificate, enter its password, choose the output locations for the log and for the decrypted capture, and click Start.

Decryption with the server's private key only works for sessions that negotiated an RSA key exchange cipher suite. Sessions that used an ephemeral Diffie-Hellman (DHE or ECDHE) key exchange cannot be decrypted this way, because the session keys are never encrypted with the server's key; such frames remain encrypted in the output file.

Once the decryption process has completed, Netmon opens the output file automatically. If the error below appears instead, browse to the output file and open it manually.

     f. In the decrypted capture, filter by either HTTP or SIP to see the application-layer messages as required.
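The step that most often goes wrong in this procedure is matching the serial number read from the capture against the certificates in the Local Computer store, because Netmon shows the value as separated bytes while the store holds a plain hex string. The PowerShell below is an added example, not part of the original guide: it normalizes both representations, locates the matching certificate in Cert:\LocalMachine\My, verifies the private key is present, and exports the PFX for the Decryption Expert. The serial number value and the output path are constructed assumptions; run it in an elevated prompt on the Front End server. Export-PfxCertificate comes from the PKI module and needs Windows Server 2012 or later; on older servers use the MMC export described above.

```powershell
# Added example (not from the original guide): find the Front End certificate whose
# serial number was read from the Server Hello in the capture and export it, with its
# private key, as a PFX file for the Network Monitor Decryption Expert.
# Run from an elevated PowerShell prompt on the Lync Front End server.

# Serial number as copied from Netmon's Frame Details. Netmon may show it as spaced or
# colon-separated bytes in either case. The value below is a constructed example.
$SerialFromCapture = '5a 3c 00 00 12 34 56 78 9a bc de f0 00 01'
$OutPath           = 'C:\Temp\lync-fe.pfx'   # assumed output path

function ConvertTo-NormalizedSerial {
    param([Parameter(Mandatory)][string]$Serial)
    # The certificate store reports SerialNumber as upper-case hex with no separators.
    # Strip separators, upper-case, and drop leading zero digits so that a DER leading
    # 00 byte (added when the high bit of the first byte is set) cannot defeat the match.
    $hex = ($Serial -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    return $hex.TrimStart('0')
}

function Find-LyncCertBySerial {
    param([Parameter(Mandatory)][string]$Serial)
    $want = ConvertTo-NormalizedSerial $Serial
    # Personal store of the Local Computer, the same place the MMC walkthrough looks.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { (ConvertTo-NormalizedSerial $_.SerialNumber) -eq $want }
}

$matches = @(Find-LyncCertBySerial $SerialFromCapture)
if ($matches.Count -eq 0) {
    throw "No certificate with serial '$SerialFromCapture' in LocalMachine\My. Re-check the serial in the capture, or whether a different server presented the certificate."
}
if ($matches.Count -gt 1) {
    throw "Serial '$SerialFromCapture' matched more than one certificate; refine the search."
}
$cert = $matches[0]

if (-not $cert.HasPrivateKey) {
    throw "Certificate '$($cert.Subject)' has no private key in this store; decryption needs the private key."
}

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
# Fails if the key was not marked exportable when the certificate was requested; in that
# case the Decryption Expert cannot be used with this certificate at all.
Export-PfxCertificate -Cert $cert -FilePath $OutPath -Password $pfxPassword | Out-Null
Write-Output "Exported '$($cert.Subject)' (thumbprint $($cert.Thumbprint)) to $OutPath"

# The PFX is the server's private key. Once the Decryption Expert has written the
# decrypted capture, remove the exported file:
#   Remove-Item -Path $OutPath
```

Feed the resulting PFX and its password to the Decryption Expert exactly as in step 3e. If the export step fails with an access or "key not valid for use in specified state" style error, the private key is not exportable and the certificate would have to be re-requested with an exportable key before this method can be used.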