Abstract: Encrypted web traffic exchanged between a client device and a web server during a communication session and captured using a passive capture technique can be received. The encrypted web traffic can be encrypted using a shared secret generated for the communication session in accordance with an anonymous key agreement protocol. A TCP connection table, which includes a session identifier for the communication session, can be created for the communication session. At least one TCP connection can be built for the received encrypted web traffic using the TCP connection table. Using the session identifier, the shared secret can be accessed from a cache in which the shared secret is stored, at least temporarily, by the web server. Data from the encrypted web traffic can be extracted by using the shared secret to decrypt the encrypted web traffic. The extracted data can be stored to a data store.

Abstract: A method, program product, and system for re-assembling fragmented HTTP2 fragments is provided. In response to receiving a SSL/TLS segment, a TCP sequence number hash table is queried for the TCP sequence number included in the SSL/TLS segment header. In response to locating a matching TCP sequence number, extracting from the TCP sequence number hash table an associated stream identifier, and resuming fragmented re-assembly using the associated stream identifier, by extracting the matching HTTP2 stream identifier from a HTTP2 hash table, a HTTP2 buffer and the remaining message length. A new HTTP2 hash table entry is created when a matching entry is not found, indicating start of a new message. For each segment, data from the SSL/TLS segment is appended to the HTTP2 buffer until the complete HTTP2 message is re-assembled. The re-assembled HTTP2 response/request is sent to its destination, and the corresponding entries are deleted from the hash tables.

Abstract: A method, program product, and system for re-assembling fragmented HTTP2 fragments is provided. In response to receiving a SSL/TLS segment, a TCP sequence number hash table is queried for the TCP sequence number included in the SSL/TLS segment header. In response to locating a matching TCP sequence number, extracting from the TCP sequence number hash table an associated stream identifier, and resuming fragmented re-assembly using the associated stream identifier, by extracting the matching HTTP2 stream identifier from a HTTP2 hash table, a HTTP2 buffer and the remaining message length. A new HTTP2 hash table entry is created when a matching entry is not found, indicating start of a new message. For each segment, data from the SSL/TLS segment is appended to the HTTP2 buffer until the complete HTTP2 message is re-assembled. The re-assembled HTTP2 response/request is sent to its destination, and the corresponding entries are deleted from the hash tables.

Abstract: Encrypted web traffic exchanged between a client device and a web server during a communication session and captured using a passive capture technique can be received. The encrypted web traffic can be encrypted using a shared secret generated for the communication session in accordance with an anonymous key agreement protocol. A TCP connection table, which includes a session identifier for the communication session, can be created for the communication session. At least one TCP connection can be built for the received encrypted web traffic using the TCP connection table. Using the session identifier, the shared secret can be accessed from a cache in which the shared secret is stored, at least temporarily, by the web server. Data from the encrypted web traffic can be extracted by using the shared secret to decrypt the encrypted web traffic. The extracted data can be stored to a data store.