Wireshark-users: [Wireshark-users] follow [tcp|ssl].stream with tshark
Date: Thu, 19 Nov 2015 13:29:43 +0100
Hi!

I've been trying to get the streams, tcp or ssl, out with tshark, without success, for a long time.

The closest that I got to why it seems to not work is after I tried it with better scripts than I was able to write, so far:

Using Tshark To View Raw Socket Streams
http://heapspray.net/post/using-tshark-to-view-raw-socket-streams/

Here's that precious script, in its entirety, just in case:

=========== START PASTE =============
#!/bin/bash
# Dump every TCP stream of a capture as raw bytes (.bin) and as tshark's ASCII view (.txt).
if [ "$#" -lt 1 ]; then
    echo "Usage: tshark_streams.sh <pcap file> [filter rules]"
    exit 1
fi

# Collect the distinct tcp.stream indexes, optionally restricted by a display filter
# (-Y is the single-pass display filter; the original used -R, which newer tshark rejects without -2).
if [ ! -z "$2" ]; then
    STREAMS=$(tshark -r "$1" -Y "$2" -T fields -e tcp.stream | sort -n | uniq)
else
    STREAMS=$(tshark -r "$1" -T fields -e tcp.stream | sort -n | uniq)
fi

for i in $STREAMS
do
    INDEX=$(printf '%.5d' "$i")
    echo "Processing stream $INDEX ..."
    # Drop the 6-line banner, strip separators and whitespace, turn the hex back into bytes.
    tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i | tail -n +7 | tr -d '=\r\n\t' | xxd -r -p > "$1"_stream-$INDEX.bin
    tshark -r "$1" -qz follow,tcp,ascii,$i > "$1"_stream-$INDEX.txt
done
=========== END PASTE =============

In short, what I get in wireshark if I right click > Follow tcp|ssl stream (where a window opens with that content) > Save is not the same, and can even be confusingly different from what I get with, picking up the line that does it in the script above:

tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i

Aside that with Wireshark-2.0.0_rc3 it wasn't working right, as per the title:

net-analyzer/wireshark-2.0.0_rc3 saves different tcp streams (non-decryptable/non-gunzip'able)
https://bugs.gentoo.org/show_bug.cgi?id=565152

(surely hope wireshark-2.0.0 will work right, but it's not yet in Gentoo mirrors) and working with net-analyzer/wireshark-1.12.8-r1, and trying to show it on concrete samples...

(On concrete samples), what I get with Wireshark, exactly as I explained in (pls., to cut to the chase, search for the string "dump_150927_1848_g0n_s09.dump"):

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html#7822484

is what you can download, follow the procedure in the above Gentoo Forums topic, in that post, and get the Javascript file plain out, with the file dump_150927_1848_g0n.dump from:

http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/

but what I can get with this command:

tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i \
    | tail -n +7 | tr -d '=\r\n\t' | xxd -r -p > "$1"_stream-$INDEX.bin

simplified for one instance, and so I tried these tshark commands (I only didn't use the "tail -n +7" part):

tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
    -qz follow,tcp,raw,9 > dump_150927_1848_g0n_s09_TRY.bin

tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
    -qz follow,tcp,raw,9 | tr -d '=\r\n\t' > dump_150927_1848_g0n_s09_TRY_tr.bin

tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
    -qz follow,tcp,raw,9 | tr -d '=\r\n\t' | xxd -r -p \
    > dump_150927_1848_g0n_s09_TRY_tr_xxd.bin

is never close to getting anything out of that stream...

I uploaded what I got in:
http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/Add-151119/

How to learn to do these things?

Thanks for your kind consideration!

(And pls. see following emails for possible ERRATA :-) )

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
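As an added example (not the poster's script and not the heapspray one), a Python parser for the text that `tshark -qz follow,tcp,raw,N` prints, kept apart from the `tail | tr | xxd` pipeline above so the two directions of the stream can be compared with what the pipeline glues together. The sample dump is constructed and assumes the 1.12/2.0 layout: six banner lines, one hex line per segment, server-to-client lines prefixed with a tab.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `tshark -qz follow,tcp,raw,9` output. Assumed 1.12/2.0 layout:
# six banner lines, one hex line per segment, server-to-client lines prefixed by a tab.
SAMPLE = (
    "===================================================================\n"
    "Follow: tcp,raw\n"
    "Filter: tcp.stream eq 9\n"
    "Node 0: 192.0.2.10:51234\n"
    "Node 1: 203.0.113.5:80\n"
    "===================================================================\n"
    "474554202f20485454502f312e310d0a0d0a\n"  # GET / HTTP/1.1\r\n\r\n
    "\t485454502f312e3120323030204f4b0d0a\n"  # HTTP/1.1 200 OK\r\n
    "\t0d0a68656c6c6f\n"                      # \r\nhello
    "474554202f78\n"                          # GET /x (a second request on the same stream)
    "===================================================================\n"
)

HEX_LINE = re.compile(r"^(\t?)([0-9a-fA-F]+)\s*$")

@dataclass
class FollowedStream:
    node0: str = ""                                       # first endpoint seen (client)
    node1: str = ""                                       # second endpoint (server)
    client: bytearray = field(default_factory=bytearray)  # bytes from unindented lines
    server: bytearray = field(default_factory=bytearray)  # bytes from tab-indented lines

def parse_follow_raw(text: str) -> FollowedStream:
    """Rebuild each direction of the stream separately from the follow-raw dump."""
    stream = FollowedStream()
    for line in text.splitlines():
        if line.startswith("Node 0: "):
            stream.node0 = line[len("Node 0: "):].strip()
        elif line.startswith("Node 1: "):
            stream.node1 = line[len("Node 1: "):].strip()
        elif (m := HEX_LINE.match(line)):
            indent, hexdata = m.groups()
            if len(hexdata) % 2:
                raise ValueError(f"odd-length hex line: {line!r}")
            (stream.server if indent else stream.client).extend(bytes.fromhex(hexdata))
        # anything else ("Follow:", "Filter:", "====" separators) is skipped
    return stream

def merged_like_script(text: str) -> bytes:
    """What `tail -n +7 | tr -d '=\\r\\n\\t' | xxd -r -p` produces: both directions glued
    together in capture order, so a response body gets later requests spliced into it."""
    tail = "".join(text.splitlines(keepends=True)[6:])
    return bytes.fromhex(tail.translate({ord(c): None for c in "=\r\n\t"}))
```

With a real dump, feed `parse_follow_raw` the output of `tshark -r <pcap> -qz follow,tcp,raw,<n>` and write `server` to a file on its own; that is the per-direction content the Wireshark Follow-stream dialog saves, whereas `merged_like_script` reproduces the interleaved blob the pipeline writes.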