Wireshark-users: Re: [Wireshark-users] Tshark not displaying all ssl.records

From: Lukas Nießen <Lukas.Niessen@xxxxxxxxxxxxxx>
Date: Thu, 01 Oct 2009 10:45:10 +0200
Hi,

ok thanks for the information. I solved it now by grepping for the relevant information and some scripts to convert the date to a unix timestamp.

Thx and regards
Lukas

On 29.09.2009 16:35, Sake Blok wrote:
Hi Lukas,

There is a feature request for printing all occurrences of a field when there are multiple occurrences of the same field. However, no one has taken the time to implement this yet.

Also, there is no way currently to use -T fields and get a different time format for frame.time. However, you could use frame.time_relative to get the seconds since the first frame, which might be more useful to you.

Cheers,


Sake

----- Original Message ----- From: "Lukas Nießen" <Lukas.Niessen@xxxxxxxxxxxxxx>
To: <wireshark-users@xxxxxxxxxxxxx>
Sent: Monday, September 28, 2009 8:48 PM
Subject: [Wireshark-users] Tshark not displaying all ssl.records


Hi there,

I would like to use Tshark to analyze SSL/TLS traffic. All I really need
is the length of the TLS application data packets, the source and dest
ip and a timestamp. If I execute tshark with -V, I get a lot of useless
information. Thus I tried to optimize the output and did something like
this:

sudo ./tshark -i eth0 -R ssl -T fields -e frame.time -e ip.src -e ip.dst
-e ssl.record.length

The thing now is that one TLS-packet may contain several application
data packets, as I can see if I observe the packets in parallel in
wireshark (or in tshark with -V set). But the -e ssl.record.length
setting seems only to display one SSL record length per packet, but I
need all. Is there something to accomplish this? Of course I could print
out everything with -V and do some grep-ping afterwards, but there has
to be a more elegant solution ;-)

Another question: Is there any way to display the unix timestamp instead
of some verbose date/time output with the -T fields option?

Best regards
Lukas
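Lukas's grep-and-convert approach as an added example, not code from the thread or from Wireshark: a Python script that walks a hand-written, constructed imitation of tshark -V output (real labels and indentation vary by version, so the patterns are assumptions), emits one row per TLS Application Data record instead of one per frame, and converts the Arrival Time line to a Unix timestamp given the capture host's UTC offset, which is assumed as a parameter.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample imitating `tshark -V` (hand-written, not captured). Frame 2
# carries two Application Data records in one segment, the case where
# `-e ssl.record.length` printed only a single length per packet.
SAMPLE = """\
Frame 1 (123 bytes on wire, 123 bytes captured)
    Arrival Time: Sep 28, 2009 20:48:00.500000000
Internet Protocol, Src: 10.0.0.5 (10.0.0.5), Dst: 10.0.0.9 (10.0.0.9)
Secure Socket Layer
    TLSv1 Record Layer: Application Data Protocol: http
        Length: 48
Frame 2 (456 bytes on wire, 456 bytes captured)
    Arrival Time: Sep 28, 2009 20:48:01.250000000
Internet Protocol, Src: 10.0.0.9 (10.0.0.9), Dst: 10.0.0.5 (10.0.0.5)
Secure Socket Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Length: 200
    TLSv1 Record Layer: Application Data Protocol: http
        Length: 320
    TLSv1 Record Layer: Application Data Protocol: http
        Length: 64
"""
TIME_RE = re.compile(r"^\s*Arrival Time:\s+(\w{3}\s+\d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+)")
IP_RE = re.compile(r"^Internet Protocol.*Src: (\S+) .*Dst: (\S+)")
LEN_RE = re.compile(r"^\s*Length: (\d+)")

def to_epoch(stamp, frac, utc_offset_hours):
    """'Sep 28, 2009 20:48:00' plus fractional digits -> Unix time (float).
    tshark prints the capture host's local time with no offset, so the
    offset is an assumption the caller supplies (2 for CEST)."""
    local = datetime.strptime(stamp, "%b %d, %Y %H:%M:%S")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=tz).timestamp() + int(frac[:9].ljust(9, "0")) / 1e9

def extract_records(text, utc_offset_hours=2):
    """Return [(epoch, src, dst, length)], one row per Application Data record."""
    rows, epoch, src, dst, in_app_data = [], None, None, None, False
    for line in text.splitlines():
        if line.startswith("Frame "):            # new frame: drop old state
            epoch, src, dst, in_app_data = None, None, None, False
        elif m := TIME_RE.match(line):
            epoch = to_epoch(m.group(1), m.group(2), utc_offset_hours)
        elif m := IP_RE.match(line):
            src, dst = m.groups()
        elif "Record Layer:" in line:            # one line per TLS record
            in_app_data = "Application Data" in line
        elif (m := LEN_RE.match(line)) and in_app_data and epoch is not None:
            rows.append((epoch, src, dst, int(m.group(1))))
    return rows
```

Newer tshark releases make this post-processing unnecessary: -E occurrence=a prints every occurrence of a repeated field, and -e frame.time_epoch gives the timestamp as seconds since the epoch.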
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe