Wireshark · Wireshark-users: Re: [Wireshark-users] Tshark not displaying all ssl.records

Wireshark-users: Re: [Wireshark-users] Tshark not displaying all ssl.records

From: Lukas Nießen <Lukas.Niessen@xxxxxxxxxxxxxx>

Date: Thu, 01 Oct 2009 10:45:10 +0200

Hi,

ok thanks for the information. I solved it now by grepping for therelevant information and some scripts to convert the date to a unixtimestamp.


Thx and regards
Lukas

Am 29.09.2009 16:35 schrieb Sake Blok:

Hi Lukas,

There is a feature request for printing all ocuurances of a field when thereare multiple occurances of the same field. However, no one has taken thetime to implement this yet.

Also, there is no way currently to use -T fields and get a different timeformat for frame.time. However, you could use frame.time_relative to get theseconds since the first frame, which might be more usefull to you.


Cheers,


Sake

----- Original Message -----From: "Lukas Nießen" <Lukas.Niessen@xxxxxxxxxxxxxx>

To: <wireshark-users@xxxxxxxxxxxxx>
Sent: Monday, September 28, 2009 8:48 PM
Subject: [Wireshark-users] Tshark not displaying all ssl.records

Hi there,

I would like to use Tshark to analyze SSL/TLS traffic. All I really need
is the length of the TLS application data packets, the source and dest
ip and a timestamp. If I execute tshark with -V, I get a lot of useless
information. Thus I tried to optimize the output and did something like
this:

sudo ./tshark -i eth0 -R ssl -T fields -e frame.time -e ip.src -e ip.dst
-e ssl.record.length

The thing now is that one TLS-packet may contain several application
data packets as I can see if I observe the packets parallelly in
wireshark (or in tshark with -V set). But the -e ssl.record.length
setting seems only to display one SSL record length per packet, but I
need all. Is there something to accomplish this? Of course I could print
out everything with -V and do some grep-ping afterwards, but there has
to be a more elegant solution ;-)

Another question: Is there any way to display the unix timestamp instead
of some verbose date/time output with the -T fields option?

Best regards
Lukas
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

Prev by Date: Re: [Wireshark-users] Trouble with SSL dissector - got ithalf working!
Next by Date: [Wireshark-users] Announcing pcapr Trends
Previous by thread: Re: [Wireshark-users] Trouble with SSL dissector - got ithalf working!
Next by thread: [Wireshark-users] Announcing pcapr Trends
Index(es):
- Date
- Thread