Wireshark mailing list archives
Re: Wireshark-users Digest, Vol 123, Issue 1
From: noah davids <ndav1 () cox net>
Date: Thu, 4 Aug 2016 04:39:28 -0700
On 08/03/2016 05:00 AM, wireshark-users-request () wireshark org wrote:
> Message: 1
> Date: Wed, 3 Aug 2016 00:35:18 +0200
> From: Thomas Glanzmann <thomas () glanzmann de>
> To: wireshark users <wireshark-users () wireshark org>
> Subject: [Wireshark-users] Using tshark to extract ssl.handshake.random_time in hex
> Message-ID: <20160802223518.GA24434 () glanzmann de>
> Content-Type: text/plain; charset=us-ascii
>
> Hello,
> I would like to use wireshark to extract the 4 bytes that represent
> ssl.handshake.random_time in hex. Currently I only managed to extract it as
> unix time by doing that:
>
> $ tshark -nr sniff.pcap -Y 'ssl.handshake.type == 1' -T fields -e ssl.handshake.random_time
> Aug 2, 2016 17:00:11.000000000 CEST
>
> Any hints how to obtain that? I'm using tshark 1.12.1 which is packaged with
> Debian jessie. In backports also 2.0.4 is available. But I'm also fine to
> compile wireshark by myself.
>
> Cheers,
> Thomas

I am using an older version of Wireshark but it should work with new versions as well. The trick is to not interpret the SSL data as SSL data and then extract the time by position. It only works because the Random field is in a fixed position.

$ for x in $(tshark -r test.pcap -R "ssl.handshake.type == 1" -T fields -e frame.number); do echo -e $x "\t" $(tshark -r test.pcap -R "frame.number == $x" -d tcp.port==443,echo -T fields -e echo.data | cut -c 34-44); done

78 57:7f:0f:22
111 57:7f:0f:22
146 57:7f:0f:23
225 f7:6c:83:81
364 57:7f:0f:2c
396 57:7f:0f:2c
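
The positional cut in the reply above takes bytes 11 to 14 of the TCP payload (5-byte TLS record header, 4-byte handshake header, 2-byte client version, then the Random field). As an added example that is not part of the original post, this shell function checks that the payload really starts with a handshake record carrying a ClientHello before it extracts those bytes; the function names and the sample payload are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate the fixed offsets before cutting out the 4 bytes.
# Input format: colon-separated hex, as printed by "-T fields -e echo.data".

# Constructed sample: first 17 bytes of a ClientHello record. The time bytes
# reuse a value from the output shown in the reply.
SAMPLE_PAYLOAD="16:03:01:00:c8:01:00:00:c4:03:03:57:7f:0f:22:aa:bb"

# hex_byte HEX N: print byte N (0-based) of a colon-separated hex string.
hex_byte() {
    printf '%s\n' "$1" | cut -s -d: -f"$(( $2 + 1 ))"
}

# client_hello_random_time HEX
# Prints bytes 11..14 as 8 hex digits, or returns 1 if the payload is not a
# ClientHello that starts at the first byte of the TCP payload.
client_hello_random_time() {
    payload=$1
    # Need 15 bytes: 5 (record hdr) + 4 (handshake hdr) + 2 (version) + 4 (time).
    [ -n "$(hex_byte "$payload" 14)" ] || return 1
    # Byte 0: record content type, 0x16 = handshake.
    [ "$(hex_byte "$payload" 0)" = "16" ] || return 1
    # Byte 5: handshake message type, 0x01 = ClientHello.
    [ "$(hex_byte "$payload" 5)" = "01" ] || return 1
    printf '%s\n' "$payload" | cut -s -d: -f12-15 | tr -d ':'
}

# random_time_epoch HEX: the same 4 bytes as a decimal Unix timestamp.
random_time_epoch() {
    hex=$(client_hello_random_time "$1") || return 1
    echo "$(( 0x$hex ))"
}

client_hello_random_time "$SAMPLE_PAYLOAD"
random_time_epoch "$SAMPLE_PAYLOAD"
```

In the one-liner from the reply, the function would take the place of `cut -c 34-44`, with the `echo.data` field passed as its argument.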