You can test with the sample traces on the Wireshark wiki. If decryption doesn't work on those, some of the requirements mentioned above are not met.

Using the server and client decryption keys (SMB3+)

Starting from Wireshark 3.3.0 (released Sept 2020) you can pass a list of SessionId => ServerKey,ClientKey via the table in the SMB2 preferences or on the command line. As a result, the syntax to provide them changed.

When the decryption keys are passed directly instead of the session key, Wireshark doesn't require the session establishment packets (NegProt & Session Setup) to be in the capture.

If you are unsure which key is the server's and which is the client's, it doesn't matter: Wireshark will try both.

The CLI syntax to provide keys has changed to allow providing any combination of SessionKey, ServerToClientKey, ClientToServerKey:

    tshark -Y smb2 '-ouat:smb2_seskey_list:,' -r trace.pcap

If you are missing one, you can skip it by using the empty string "".
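An added example (not from the Wireshark wiki or project): a POSIX shell helper that assembles the `smb2_seskey_list` option from a session ID and whichever keys are available, writing `""` for a missing key as described above. The function names, the field order (session ID, session key, server-to-client key, client-to-server key) and the sample hex values are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Assumed field order of one smb2_seskey_list record:
#   session id, session key, server-to-client key, client-to-server key

# is_hex STR: succeeds when STR is a non-empty, even-length hex string.
is_hex() {
  case $1 in
    ''|*[!0-9A-Fa-f]*) return 1 ;;
  esac
  [ $(( ${#1} % 2 )) -eq 0 ]
}

# smb2_key_opt SESSION_ID SESSION_KEY S2C_KEY C2S_KEY
# Prints the value for tshark's -o option. Pass '' for a key you lack.
# Runs in a subshell so its variables do not leak into the caller.
smb2_key_opt() (
  id=$1; n=0; have=0
  # The SessionId field of an SMB2 header is 8 bytes (16 hex digits).
  if ! is_hex "$id" || [ ${#id} -ne 16 ]; then
    echo "session id must be 16 hex digits" >&2; exit 1
  fi
  out="uat:smb2_seskey_list:$id"
  for field in "${2-}" "${3-}" "${4-}"; do
    n=$((n + 1))
    if [ -z "$field" ]; then
      out="$out,\"\""               # missing key: the empty string ""
    elif is_hex "$field"; then
      out="$out,$field"; have=1
    else
      # Report the position only, never the key material itself.
      echo "key field $n is not even-length hex" >&2; exit 1
    fi
  done
  [ "$have" -eq 1 ] || { echo "no key supplied" >&2; exit 1; }
  printf '%s\n' "$out"
)

# decrypt_trace PCAP SESSION_ID SESSION_KEY S2C_KEY C2S_KEY
# Validates the keys first, then runs the tshark command from the text.
decrypt_trace() (
  pcap=$1; shift
  opt=$(smb2_key_opt "$@") || exit 1
  tshark -Y smb2 "-o$opt" -r "$pcap"
)

# Constructed sample call (values are not real key material):
# decrypt_trace trace.pcap 4500000000100000 '' \
#   00112233445566778899aabbccddeeff ffeeddccbbaa99887766554433221100
```

Keys passed with `-o` appear in the process list and in shell history for as long as they are kept, so run this on a host that is already trusted to hold session secrets.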