Wireshark-users: Re: [Wireshark-users] extraction of files from SSL and TCP streams automatically

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Wed, 9 May 2018 10:15:37 +0200

On Tue, May 08, 2018 at 08:45:55AM +0000, Miroslav Rovis wrote:
> So when did Wireshark/Tshark get the ability to extract objects from streams?

Wireshark has had this feature since 2007 as far as I can see. Tshark only
recently gained this feature (in 2.4 as I said).

> So what would be the commands to issue, then, on the trace that I offered, and
> which my on streams produced from that trace with my
>, extracted all the files out from, as I show on that
> explanation page of mine at:

Without reading the whole thing, this tshark command sets the TLS key
log file, reads the pcap, hides dissection output and saves extracted
HTTP objects to the "files" directory.

    tshark -ossl.keylog_file:dump_180505_0342_gdO_SSLKEYLOGFILE.txt \
        -r dump_180505_0342_gdO.pcap -q --export-object http,files/

The result is 53 files.

Kind regards,
Peter Wu
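
An added example, not part of the original message or of Wireshark itself: the tshark invocation above wrapped for unattended use, with a key log sanity check before the export and a hash manifest of the extracted objects afterwards. The function names and the manifest layout are assumptions made for this example, and it uses the option's full spelling, `--export-objects`.

```shell
#!/usr/bin/env bash
# Added example. Function names and the manifest layout are assumptions.

# Count key log lines in NSS key log form "<LABEL> <hex> <hex>";
# comments and blank lines do not count.
keylog_secret_count() {
    grep -Ec '^[A-Z0-9_]+ [0-9A-Fa-f]+ [0-9A-Fa-f]+[[:space:]]*$' "$1" || true
}

# The export from the post, with input checks in front of it.
export_http_objects() {
    local pcap="$1" keylog="$2" outdir="$3"
    [ -r "$pcap" ] || { echo "cannot read capture: $pcap" >&2; return 2; }
    [ -r "$keylog" ] || { echo "cannot read key log: $keylog" >&2; return 2; }
    # Without secrets tshark still runs, but exports nothing carried over TLS.
    if [ "$(keylog_secret_count "$keylog")" -eq 0 ]; then
        echo "no secrets in $keylog, TLS streams would stay encrypted" >&2
        return 3
    fi
    mkdir -p "$outdir"
    # ssl.keylog_file is the preference name used in the post (2.4 era);
    # Wireshark 3.0 and later call it tls.keylog_file.
    tshark -o "ssl.keylog_file:$keylog" -r "$pcap" -q \
        --export-objects "http,$outdir"
}

# Print "sha256  bytes  name" per extracted object and clear execute bits:
# the objects are untrusted content recovered from the capture.
# Assumes sha256sum from GNU coreutils.
write_manifest() {
    local outdir="$1" f
    for f in "$outdir"/*; do
        [ -f "$f" ] || continue
        chmod a-x "$f"
        printf '%s  %s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(wc -c < "$f" | tr -d ' ')" "${f##*/}"
    done
}
```

A typical run calls `export_http_objects` with the capture, the key log and an output directory, then redirects `write_manifest` for that directory to a file kept outside it.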