
Wireshark-users: [Wireshark-users] follow [tcp|ssl].stream with tshark

Date: Thu, 19 Nov 2015 13:29:43 +0100
Hi!

I've been trying to get the streams, tcp or ssl, out with tshark,
without success, for a long time.

The closest I got to understanding why it seems not to work was after I
tried it with better scripts than I have been able to write myself, so far:

Using Tshark To View Raw Socket Streams
http://heapspray.net/post/using-tshark-to-view-raw-socket-streams/

Here's that precious script, in its entirety, just in case:

=========== START PASTE =============

#!/bin/bash
# Dump every TCP stream in a capture, once as raw bytes and once as ASCII.

if [ "$#" -lt 1 ]; then
        echo "Usage: tshark_streams.sh <pcap file> [filter rules]"
        exit 1
fi

# Collect the distinct tcp.stream indexes. -Y is the single-pass display
# filter; tshark 1.12 refuses the old -R unless -2 (two-pass mode) is given too.
if [ -n "$2" ]; then
        STREAMS=$(tshark -r "$1" -Y "$2" -T fields -e tcp.stream | sort -n | uniq)
else
        STREAMS=$(tshark -r "$1" -T fields -e tcp.stream | sort -n | uniq)
fi

for i in $STREAMS
do
        INDEX=$(printf '%.5d' "$i")

        echo "Processing stream $INDEX ..."

        # follow,tcp,raw prints a header block, then one hex line per segment
        # (server->client lines are tab-indented), then a closing line of '='.
        # tail drops the header (adjust +7 if your tshark prints a different
        # number of header lines), tr strips the trailer, tabs and line breaks,
        # xxd turns the remaining hex into bytes. Note that both directions
        # end up concatenated in capture order in the .bin file; the
        # "-T fields -e data" part has no effect because -q suppresses per-packet output.
        tshark -r "$1" -T fields -e data -qz follow,tcp,raw,"$i" | tail -n +7 | tr -d '=\r\n\t' | xxd -r -p > "$1"_stream-$INDEX.bin
        tshark -r "$1" -qz follow,tcp,ascii,"$i" > "$1"_stream-$INDEX.txt
done

=========== END PASTE =============

In short, what I get in wireshark if I right click > Follow tcp|ssl
stream (where window opens with that content) > Save 

is not the same, and can even be confusingly different from what I get
with, picking up the line that does it in the script above:

tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i

Aside from the fact that Wireshark-2.0.0_rc3 wasn't working right, as per
the title:
net-analyzer/wireshark-2.0.0_rc3 saves different tcp streams
(non-decryptable/non-gunzip'able)
https://bugs.gentoo.org/show_bug.cgi?id=565152
(surely hope wireshark-2.0.0 will work right, but it's not yet in Gentoo
mirrors)

and working with net-analyzer/wireshark-1.12.8-r1, and trying to show it
on concrete samples...

(On concrete samples), what I get with Wireshark, exactly as I explained
in (to cut to the chase, please search for the string
"dump_150927_1848_g0n_s09.dump"):

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html#7822484

is what you can download, follow the procedure in the above Gentoo
Forums topic, in that post, and get the Javascript file plain out, with
the file dump_150927_1848_g0n.dump from:
http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/

but what I can get with this command:

tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i \
	| tail -n +7 | tr -d '=\r\n\t' | xxd -r -p > "$1"_stream-$INDEX.bin

simplified for one instance, and so I tried these tshark commands (I
only left out the "tail -n +7" part):

tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
	-qz follow,tcp,raw,9 > dump_150927_1848_g0n_s09_TRY.bin
tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
	-qz follow,tcp,raw,9  | tr -d '=\r\n\t' > dump_150927_1848_g0n_s09_TRY_tr.bin
tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
	-qz follow,tcp,raw,9  | tr -d '=\r\n\t'  | xxd -r -p \
	> dump_150927_1848_g0n_s09_TRY_tr_xxd.bin

is never close to getting anything out of that stream...

I uploaded what I got in:

http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/Add-151119/

How to learn to do these things?

Thanks for your kind consideration!
(And pls. see following emails for possible ERRATA :-) )
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

Attachment: signature.asc
Description: PGP signature
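The Follow dialog in the Wireshark GUI lets you save one direction of the conversation, whereas `follow,tcp,raw` on the command line prints both directions interleaved, so a pipeline that simply strips everything to hex gets client and server bytes mixed together. The script below is an added example, my own code and not from the post above, the heapspray script or the Wireshark project. It splits the raw follow output per direction by the tab that tshark puts in front of server-to-client lines, and selects data lines by content (hex only) instead of counting header lines. It assumes that line layout, that tshark 1.12 and later also accept `ssl` as the protocol for a stream it can decrypt, and that `xxd` is available; the text returned by `sample_follow_raw` is constructed for the demonstration and is not real capture output.

```shell
#!/bin/bash
# Extract one direction of a followed stream from tshark's follow,<proto>,raw text.

# follow_raw_to_hex DIRECTION
#   stdin:  output of `tshark -q -z follow,tcp,raw,N` (or follow,ssl,raw,N)
#   DIRECTION: c2s (client->server), s2c (server->client) or both
#   stdout: the selected hex bytes on a single line
# Assumed layout: header lines ("====", "Follow:", "Filter:", "Node 0/1:") are
# never pure hex; each data line is hex, tab-indented for the server->client side.
follow_raw_to_hex() {
        awk -v dir="$1" '
        {
                if (substr($0, 1, 1) == "\t") { side = "s2c"; hex = substr($0, 2) }
                else                          { side = "c2s"; hex = $0 }
                if (hex !~ /^[0-9a-fA-F]+$/) next       # header, trailer, blank
                if (dir == "both" || dir == side) printf "%s", hex
        }
        END { printf "\n" }'
}

# extract_stream PCAP INDEX DIRECTION [PROTO]
#   Writes the raw bytes of one direction to stdout. PROTO defaults to tcp;
#   use ssl (with ssl.keylog_file or an RSA key configured) for a decrypted stream.
extract_stream() {
        local pcap="$1" idx="$2" dir="$3" proto="${4:-tcp}"
        tshark -r "$pcap" -q -z "follow,$proto,raw,$idx" \
                | follow_raw_to_hex "$dir" \
                | xxd -r -p
}

# Constructed sample (not from any real capture): an HTTP request, then a
# gzip-encoded response whose body starts with the 1f 8b 08 gzip magic.
sample_follow_raw() {
        printf '%s\n' \
                '===================================================================' \
                'Follow: tcp,raw' \
                'Filter: tcp.stream eq 9' \
                'Node 0: 192.0.2.10:51234' \
                'Node 1: 192.0.2.20:443' \
                '474554202f20485454502f312e310d0a0d0a'
        printf '\t%s\n' \
                '485454502f312e3120323030204f4b0d0a' \
                '0d0a1f8b08'
        printf '%s\n' \
                '==================================================================='
}

# Usage: ./follow_split.sh capture.pcap 9 s2c [ssl] > stream-09.s2c.bin
if [ "$#" -ge 2 ]; then
        extract_stream "$1" "$2" "${3:-both}" "${4:-tcp}"
fi
```

With the server-to-client half written on its own, the response body can be cut at the end of the HTTP headers and handed to `gunzip`, which is what the GUI's one-direction save gives you; the `both` setting reproduces the interleaved output of the original pipeline, which is the form that neither decrypts nor gunzips cleanly.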