Wireshark · Wireshark-users: [Wireshark-users] Tshark not displaying all ssl.records

Wireshark-users: [Wireshark-users] Tshark not displaying all ssl.records

From: Lukas Nießen <Lukas.Niessen@xxxxxxxxxxxxxx>

Date: Tue, 29 Sep 2009 10:33:33 +0200

Hi there,

I would like to use Tshark to analyze SSL/TLS traffic. All I really needis the length of the TLS application data packets, the source and destip and a timestamp. If I execute tshark with -V, I get a lot of uselessinformation. Thus I tried to optimize the output and did something likethis:

sudo ./tshark -i eth0 -R ssl -T fields -e frame.time -e ip.src -e ip.dst-e ssl.record.length

The thing now is that one TLS-packet may contain several applicationdata packets as I can see if I observe the packets parallelly inwireshark (or in tshark with -V set). But the -e ssl.record.lengthsetting seems only to display one SSL record length per packet, but Ineed all. Is there something to accomplish this? Of course I could printout everything with -V and do some grep-ping afterwards, but there hasto be a more elegant solution ;-)

Another question: Is there any way to display the unix timestamp insteadof some verbose date/time output with the -T fields option?


Best regards
Lukas

Prev by Date: [Wireshark-users] Wireshark 1.2.2 is not decoding WIMAX mac
Next by Date: Re: [Wireshark-users] PID as column on Wireshark
Previous by thread: Re: [Wireshark-users] Tshark not displaying all ssl.records
Next by thread: [Wireshark-users] Wireshark 1.2.2 is not decoding WIMAX mac
Index(es):
- Date
- Thread