Encrypted web traffic exchanged between a client device and a web server during a communication session and captured using a passive capture technique can be received. The encrypted web traffic can be encrypted using a shared secret generated for the communication session in accordance with an anonymous key agreement protocol. A TCP connection table, which includes a session identifier for the communication session, can be created for the communication session. At least one TCP connection can be built for the received encrypted web traffic using the TCP connection table. Using the session identifier, the shared secret can be accessed from a cache in which the shared secret is stored, at least temporarily, by the web server. Data from the encrypted web traffic can be extracted by using the shared secret to decrypt the encrypted web traffic. The extracted data can be stored to a data store.