Reading the digest, I would say look at the endpoint IP addresses to see if it going to a bank or someone like that.
My employer does have policies in place that says that end to end SSL is not maintained and proxy agents are used to interrupt them.
I think it would be good to block the individual TCP conversations from the executives computer to specific endpoints when known, and to see if the use being done is in line with the acceptable use policy for the network of the executive's organisations.
I agree that company's are allowed to inspect the contents of data going out from their employees, especially if they have acceptable use policies in place, e.g. Using firewalls.
But if that capability was put into Wireshark then I think it would be a criminal's dream tool.
Cheers,
Tony
Sent from my BlackBerry® wireless device