Wireshark-users: Re: [Wireshark-users] follow [tcp|ssl].stream with tshark
Date: Sat, 21 Nov 2015 12:31:31 +0100

I've received no replies so far, and I believe this is something good to
do, so I'm trying again ;-).

On 151119-13:29+0100, [email protected] wrote:
> Hi!
> I've been trying to get the streams, tcp or ssl, out with tshark,
> without success, for long.
> The closest that I got to why it seems to not work is after I tried it
> with better scripts than I was able to write, so far:
> Using Tshark To View Raw Socket Streams
> http://heapspray.net/post/using-tshark-to-view-raw-socket-streams/
where you can still find the script that I based mine on.

And I enclose my script, too verbose for experts, but helpfully verbose
for people still getting their mind around traffic capture like me ;-)
... Look up the attached file:


I think I improved it with replacing the "| tr -d '=\r\n\t' " with
" | egrep '[[:print:]]'" .

It's the same trouble, though. There are no empty lines, because this
replacement prints out only the, you guessed it, printable chars.
> In short, what I get in wireshark if I right click > Follow tcp|ssl
> stream (where window opens with that content) > Save 
> is not the same, and can even be confusingly different from what I get
> with, picking up the line that does it in the script above:
> tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i

> and working with net-analyzer/wireshark-1.12.8-r1, and trying to show it
> on concrete samples...
> (On concrete samples), what I get with Wireshark, exactly as I explained
> in (pls. to cut the chase search for the string
> "dump_150927_1848_g0n_s09.dump"):
> SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
> https://forums.gentoo.org/viewtopic-t-1029408.html#7822484
> is what you can download, follow the procedure in the above Gentoo
> Forums topic, in that post, and get the Javascript file plain out, with
> the file dump_150927_1848_g0n.dump from:
> http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/

So these:
> tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
> 	-qz follow,tcp,raw,9 > dump_150927_1848_g0n_s09_TRY.bin
> tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
> 	-qz follow,tcp,raw,9  | tr -d '=\r\n\t' > dump_150927_1848_g0n_s09_TRY_tr.bin
> tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
> 	-qz follow,tcp,raw,9  | tr -d '=\r\n\t'  | xxd -r -p \
> 	> dump_150927_1848_g0n_s09_TRY_tr_xxd.bin
will now, with my script, if you run the script on that downloaded file
like this:

$ tshark-streams.sh  dump_150927_1848_g0n.pcap "tcp.stream eq 9"

it will verbosely tell you what it does (and it'll wait for you to hit
Enter at the start, one and another time):

$dump.pcap: dump_150927_1848_g0n.pcap

$tshlog: tsh-151121_1220.log
-rw-r--r-- 1 miro miro 0 2015-11-21 12:20 tsh-151121_1220.log

STREAMS=$(tshark -r dump_150927_1848_g0n.pcap -2 -R "tcp.stream eq 9" -T
fields -e tcp.stream | sort -n | uniq)
Processing stream 00009 ...
tshark -r dump_150927_1848_g0n.pcap -T fields -e data -qz
follow,tcp,raw,9 | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009.bin
tshark -r dump_150927_1848_g0n.pcap -qz follow,tcp,ascii,9 | egrep
'[[:print:]]' > dump_150927_1848_g0n_s00009.txt

tshark -r dump_150927_1848_g0n.pcap -T fields -e data -qz
follow,ssl,raw,9 | egrep '[[:print:]]' >
tshark -r dump_150927_1848_g0n.pcap -qz follow,ssl,ascii,9 | egrep
'[[:print:]]' > dump_150927_1848_g0n_s00009-ssl.txt

The new <...>.bin files that it got you, though:

> is never close to getting anything out of that stream...

> I uploaded what I got in:
> http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/Add-151119/
(*Note*: you can also download tshark-streams.sh from there)

They don't have empty lines now, like those that I uploaded in the link
above, but it is not clear to me what they are, and how to get the real
content out of them.

> How to learn to do these things?


Miroslav Rovis
Zagreb, Croatia

Attachment: tshark-streams.sh
Description: Bourne shell script
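One reason the `tr -d`/`egrep` pipelines in the mail never yield the same bytes as Wireshark's "Follow TCP Stream > Save" is that the text printed by `-z follow,tcp,raw,N` carries structure that those pipelines throw away: the header lines, and a leading tab that marks every chunk sent by Node 1 (the reverse direction). Stripping the tabs merges both directions into one hex blob, and `-T fields -e data` adds per-packet hex lines outside the follow block on top. The parser below is an added example, not the attached tshark-streams.sh or anything from the heapspray.net script; it assumes the follow,raw layout of tshark 1.x as described in its docstring (a line of `=`, `Follow:`, `Filter:`, `Node 0:`, `Node 1:`, then one hex line per payload chunk, tab-indented for Node 1 to Node 0, then a closing `=` line) and decodes each direction into its own byte string. The sample text, node addresses and the `aabbcc` line standing in for stray per-packet output are constructed.

```python
"""Split the text printed by `tshark -r file.pcap -qz follow,tcp,raw,N`
into one byte string per direction.

Assumed layout (tshark 1.x follow,raw output):
    ==========...
    Follow: tcp,raw
    Filter: tcp.stream eq N
    Node 0: host:port
    Node 1: host:port
    <hex chunk sent by Node 0>
    \t<hex chunk sent by Node 1>   (tab-indented = reverse direction)
    ==========...
Anything outside the two '=' delimiter lines, such as per-packet hex
from `-T fields -e data`, is ignored rather than decoded.
"""
import re
import sys
from pathlib import Path

# A payload line: optional leading tab, hex digits, optional trailing space.
HEX_LINE = re.compile(r"^(\t?)([0-9a-fA-F]*)\s*$")


def parse_follow_raw(text):
    """Return (nodes, node0_to_node1, node1_to_node0) for one follow block."""
    nodes = []
    forward = bytearray()   # Node 0 -> Node 1 (unindented lines)
    reverse = bytearray()   # Node 1 -> Node 0 (tab-indented lines)
    in_body = False
    for line in text.splitlines():
        if line.startswith("="):
            in_body = not in_body          # delimiter opens / closes the block
            continue
        if not in_body:
            continue                       # stray output outside the block
        if line.startswith(("Follow:", "Filter:")):
            continue
        if line.startswith("Node "):
            nodes.append(line.split(":", 1)[1].strip())
            continue
        m = HEX_LINE.match(line)
        if m is None:
            raise ValueError(f"unexpected line in follow output: {line!r}")
        tab, hexdata = m.groups()
        if len(hexdata) % 2:
            raise ValueError(f"odd-length hex line: {line!r}")
        (reverse if tab else forward).extend(bytes.fromhex(hexdata))
    return nodes, bytes(forward), bytes(reverse)


def write_streams(text, prefix):
    """Decode `text` and write <prefix>_c2s.bin and <prefix>_s2c.bin."""
    nodes, fwd, rev = parse_follow_raw(text)
    written = []
    for tag, data in (("c2s", fwd), ("s2c", rev)):
        path = Path(f"{prefix}_{tag}.bin")
        path.write_bytes(data)
        written.append(path)
    return nodes, written


# Constructed sample: one stray line before the block (as `-e data` would
# print), then a minimal HTTP request and response.
SAMPLE = """\
aabbcc
===================================================================
Follow: tcp,raw
Filter: tcp.stream eq 9
Node 0: 10.0.0.5:51234
Node 1: 203.0.113.7:80
474554202f20485454502f312e310d0a0d0a
\t485454502f312e3120323030204f4b0d0a
\t0d0a68656c6c6f
===================================================================
"""

if __name__ == "__main__":
    # Usage: tshark -r dump.pcap -qz follow,tcp,raw,9 | python3 split_follow.py dump_s09
    text = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE
    nodes, fwd, rev = parse_follow_raw(text)
    print("Node 0:", nodes[0], "-> Node 1:", nodes[1])
    print("Node 0 -> Node 1:", fwd)
    print("Node 1 -> Node 0:", rev)
```

Each direction decodes to the raw bytes on the wire, which is what the Wireshark dialog saves for the selected direction; for an ssl stream the same parsing applies to `-z follow,ssl,raw,N`, since the text layout is the same, only the chunks are the decrypted application data.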
