Wireshark-users: Re: [Wireshark-users] extraction of files from SSL and TCP streams automatically

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Wed, 9 May 2018 10:15:37 +0200
On Tue, May 08, 2018 at 08:45:55AM +0000, Miroslav Rovis wrote:
> So when did Wireshark/Tshark get the ability to extract objects from streams?

Wireshark has had this feature since 2007 as far as I can see. Tshark only
recently gained this feature (in 2.4 as I said).

> So what would be the commands to issue, then, on the trace that I offered, and
> which my stream-cont.pl on streams produced from that trace with my
> tshark-streams.sh, extracted all the files out from, as I show on that
> explanation page of mine at:
> https://www.croatiafidelis.hr/foss/cap/cap-180505-schmoog-referendum/

Without reading the whole thing, this tshark command sets the TLS key
log file, reads the pcap, hides dissection output and saves extracted
HTTP objects to the "files" directory.

    tshark -ossl.keylog_file:dump_180505_0342_gdO_SSLKEYLOGFILE.txt \
        -r dump_180505_0342_gdO.pcap -q --export-object http,files/

The result is 53 files.

Kind regards,
Peter Wu
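
The command in the message above, wrapped with the checks that explain an empty export directory: a tshark older than 2.4, or a key log file with no usable entries. This is an added example, not part of the original mail or of Wireshark; the function names are hypothetical, and it assumes the first line of `tshark --version` contains the version number.

```sh
#!/bin/sh
# Added example, not from the original mail. Function names are hypothetical.

# Count lines in NSS key log format ("LABEL <hex> <hex>"); comments and
# malformed lines are ignored. Prints 0 when nothing usable is found.
count_keylog_entries() {
    grep -Ec '^[A-Z][A-Z0-9_]* [0-9a-fA-F]+ [0-9a-fA-F]+$' "$1" || true
}

# Succeeds when version $1 (e.g. 2.4.6) is at least major $2, minor $3.
version_at_least() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# The TLS dissector preference is ssl.keylog_file before Wireshark 3.0
# and tls.keylog_file from 3.0 on.
keylog_pref() {
    if version_at_least "$1" 3 0; then echo tls.keylog_file
    else echo ssl.keylog_file; fi
}

# Usage: export_http_objects capture.pcap keylog.txt outdir
# Prints the number of files written to outdir.
export_http_objects() {
    pcap=$1; keylog=$2; outdir=$3
    # Assumption: the first line of `tshark --version` contains the version.
    ver=$(tshark --version | head -n 1 | grep -Eo '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1)
    version_at_least "$ver" 2 4 || {
        echo "tshark $ver has no --export-object (needs 2.4+)" >&2; return 1; }
    [ "$(count_keylog_entries "$keylog")" -gt 0 ] || {
        echo "no usable key log entries in $keylog" >&2; return 1; }
    mkdir -p "$outdir"
    tshark -o "$(keylog_pref "$ver"):$keylog" -r "$pcap" -q \
        --export-object "http,$outdir" || return 1
    ls -A "$outdir" | wc -l
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then export_http_objects "$@"; fi
```

The extracted objects are untrusted content taken from captured traffic, so hash or scan them rather than opening them directly on an analysis workstation.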