Wireshark mailing list archives

Re: follow [tcp|ssl].stream with tshark


From: miro.rovis () croatiafidelis hr
Date: Sat, 21 Nov 2015 12:31:31 +0100

Hi!

I've received no replies so far, and I believe this is something good to
do, so I'm trying again ;-) .

On 151119-13:29+0100, miro.rovis () croatiafidelis hr wrote:
Hi!

I've been trying to get the streams, tcp or ssl, out with tshark,
without success, for long.

The closest that I got to why it seems to not work is after I tried it
with better scripts than I was able to write, so far:

Using Tshark To View Raw Socket Streams
http://heapspray.net/post/using-tshark-to-view-raw-socket-streams/

where you can still find the script that I based mine on.

And I enclose my script, too verbose for experts, but helpfully verbose
for people still getting their mind around traffic capture like me ;-)
... Look up the attached file:

tshark-streams.sh

I think I improved it with replacing the "| tr -d '=\r\n\t' " with
" | egrep '[[:print:]]'" .

It's the same trouble, though. There are no empty lines, because this
replacement prints out only the, you guessed it, printable chars out,
but:

In short, what I get in wireshark if I right click > Follow tcp|ssl
stream (where window opens with that content) > Save 

is not the same, and can even be confusingly different from what I get
with, picking up the line that does it in the script above:

tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i

...


and working with net-analyzer/wireshark-1.12.8-r1, and trying to show it
on concrete samples...

(On concrete samples), what I get with Wireshark, exactly as I explained
in (pls., to cut to the chase, search for the string
"dump_150927_1848_g0n_s09.dump"):

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html#7822484

is what you can download, follow the procedure in the above Gentoo
Forums topic, in that post, and get the Javascript file plain out, with
the file dump_150927_1848_g0n.dump from:
http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/

...

So these:

tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
      -qz follow,tcp,raw,9 > dump_150927_1848_g0n_s09_TRY.bin
tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
      -qz follow,tcp,raw,9  | tr -d '=\r\n\t' > dump_150927_1848_g0n_s09_TRY_tr.bin
tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
      -qz follow,tcp,raw,9  | tr -d '=\r\n\t'  | xxd -r -p \
      > dump_150927_1848_g0n_s09_TRY_tr_xxd.bin

will now, with my script, if you run the script on that downloaded file
like this:

$ tshark-streams.sh  dump_150927_1848_g0n.pcap "tcp.stream eq 9"

it will verbosely tell you what it does (and it'll wait for you to hit
Enter at the start, one and another time):

$dump.pcap: dump_150927_1848_g0n.pcap

$tshlog: tsh-151121_1220.log
-rw-r--r-- 1 miro miro 0 2015-11-21 12:20 tsh-151121_1220.log

STREAMS=$(tshark -r dump_150927_1848_g0n.pcap -2 -R "tcp.stream eq 9" -T fields -e tcp.stream | sort -n | uniq)
$STREAMS: 9
INDEX=00009
Processing stream 00009 ...
tshark -r dump_150927_1848_g0n.pcap -T fields -e data -qz follow,tcp,raw,9 | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009.bin
tshark -r dump_150927_1848_g0n.pcap -qz follow,tcp,ascii,9 | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009.txt

tshark -r dump_150927_1848_g0n.pcap -T fields -e data -qz follow,ssl,raw,9 | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009-ssl.bin
tshark -r dump_150927_1848_g0n.pcap -qz follow,ssl,ascii,9 | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009-ssl.txt

The new <...>.bin files that it got you, though, are never close to
getting anything out of that stream...


I uploaded what I got in:

http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/Add-151119/

(*Note*: you can also download tshark-streams.sh from there)

They don't have empty lines now, like those that I uploaded in the link
above, but it is not clear to me what they are, and how to get the real
content out of them.

How to learn to do these things?

Regards!

-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

Attachment: tshark-streams.sh
Attachment: tshark-streams.sh.sig
Attachment: signature.asc
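An added example, not from this thread or from Wireshark, of decoding the `follow,tcp,raw` text that the script above pipes through `tr` and `xxd -r -p`. It assumes the raw follow layout tshark documents (a banner and header lines, then one hex line per payload chunk, with the reverse direction indented by a tab); the sample output is constructed, not taken from the dump discussed above.

```python
import re
from typing import Dict

# Constructed sample of `tshark -qz follow,tcp,raw,9` output (not from a real capture).
# Assumed format: banner/header lines, then one hex line per payload chunk; the
# node1 -> node0 direction is indented with a tab.
SAMPLE_RAW_FOLLOW = """\
===================================================================
Follow: tcp,raw
Filter: tcp.stream eq 9
Node 0: 192.0.2.10:51234
Node 1: 198.51.100.7:80
474554202f6170702e6a7320485454502f312e310d0a
486f73743a206578616d706c652e6e65740d0a0d0a
\t485454502f312e3120323030204f4b0d0a
\t436f6e74656e742d4c656e6774683a2031320d0a0d0a
\t616c6572742827686927293b
===================================================================
"""

HEX_LINE = re.compile(r"^(\t?)([0-9a-fA-F]+)\s*$")
HEADER_PREFIXES = ("=", "Follow:", "Filter:")

def parse_follow_raw(text: str) -> Dict[str, object]:
    """Split raw follow output into the node addresses and the two decoded directions."""
    nodes = []
    forward = bytearray()  # node 0 -> node 1, unindented lines
    reverse = bytearray()  # node 1 -> node 0, tab-indented lines
    for line in text.splitlines():
        if line.startswith("Node "):
            nodes.append(line.split(":", 1)[1].strip())
            continue
        if line.startswith(HEADER_PREFIXES):
            continue  # banner and header lines carry no payload
        m = HEX_LINE.match(line)
        if not m:
            continue  # anything that is not a pure hex line is not payload
        indent, hexdata = m.groups()
        if len(hexdata) % 2:
            raise ValueError(f"odd-length hex line: {line!r}")
        (reverse if indent else forward).extend(bytes.fromhex(hexdata))
    return {"nodes": tuple(nodes), "forward": bytes(forward), "reverse": bytes(reverse)}

if __name__ == "__main__":
    p = parse_follow_raw(SAMPLE_RAW_FOLLOW)
    print(p["nodes"], p["forward"], p["reverse"], sep="\n")
```

Writing `parsed["forward"]` or `parsed["reverse"]` to a file opened with `"wb"` gives one binary file per direction, which is the form in which the stream content can be compared with what Follow TCP Stream > Save produces.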

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
