When must keys be captured?

Prepare for the Wireshark Traffic Analysis Exam. Study with flashcards and multiple choice questions; each question includes hints and explanations. Ace your exam!

Multiple Choice

When must keys be captured?

Explanation:
Keys used to decrypt TLS traffic are created during the TLS handshake and are then used for the rest of that session. The session keys (including the secret material derived in the handshake) are what unlock each record in the captured data. Because these keys are produced as part of establishing the session, you need to obtain or export them while the handshake is happening so they can be applied to the subsequent traffic. If you try to provide them before the handshake, they don’t exist yet; if you try to decrypt data from a session after the handshake without having captured the keys, the data remains unreadable. In practice, you enable a key export or TLS key log during the handshake, and then load those keys into Wireshark so it can decrypt the traffic from that session. Therefore, the keys must be captured during the session.

