For normal ethernet, your snaplen (-s
option) should be 1500 if you want the entire packet. That'll give you the entire packet, and allow full protocol decodes when loaded up into WireShark itself. Depending on what you're sniffing, you'll probably want to increase your filesize as well.
To get at least the headers of most packets, a snaplen of 200 is usually sufficient. It'll get the E_II, IP, TCP/UDP, and some of the higher level protocol headers.
There are a few types of connection resets, and each has its own meaning.
Resetting all existing connections immediately
This style of reset shows up in sniffs as a big block of RSTs being sent by the server, probably with very little traffic between the packets. This can be caused by an application above the TCP/IP stack resetting itself, which in turn tells the TCP/IP stack to kill all connection-handles associated with that module.
Resetting all existing connections when they have traffic
This shows up in the sniff with a more sneaky pattern. After a certain point, any time an existing connection receives traffic from a client station a RST packet is issued. What the client does then depends on the higher level protocol, perhaps a reconnection attempt is issued. This is usually caused by the TCP/IP stack itself silently losing connection state. As far as the stack is concerned, that packet from the client is not associated with any open connections so it just issues a RST packet and ignores it.
Resetting new connection attempts
Existing connections continue to work, but SYN packets are replied to with an RST. In normal operation this is done because there is no open port for the port listed on the SYN packet. This is typically caused by a fault in the higher level application.
As for your retransmits, those are caused by clients not receiving packets they expect to get. This can be caused by outright packet loss, or it could be that the server just isn't sending those packets at all. If your sniff on the server shows the retransmit packets, and listing the conversation shows no packets being sent by the server, it's a sign that something has gone wrong on the server itself. This can be related to faults in the higher level application, the TCP/IP stack, or the NIC driver itself. I've seen NIC driver updates fix this, but in a VM that's less likely to be the source of the problem.
Mass resets like that could be caused by resource exhaustion on the part of the server.
Best Answer
The answer to your question is
Now let us see why this is so. Let's look at the entire ciphersuite specification TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 in detail:
The key exchange algorithm is specifying how keys for the bulk encryption/decryption cipher are exchanged. And there is something special about the Diffie-Hellman key exchange used in ECDHE_RSA:
stolen from an answer on security.SE
In other words, with (EC)DHE, the AES key used for encryption and decryption cannot be retrieved from the TLS ciphertext conversation, not even if you have the server's private key.
This is different when solely relying on RSA for key exchange: in this operation mode, the bulk cipher key to be used is generated by the client, RSA-encrypted with the server's public key and sent to the server. If an eavesdropping third party has the server's private key, it simply can decrypt the RSA ciphertext of the key exchange, get at the bulk cipher key and decrypt eveything else. This is exactly what Wireshark is doing when decoding a TLS stream for you.
So, what works for RSA-based key exchanges, won't do for DHE-based ones.