Wireshark-users: Re: [Wireshark-users] follow [tcp|ssl].stream with tshark
Date: Sat, 21 Nov 2015 12:31:31 +0100
Hi! I've received no reply so far, and I believe this is something good to do, so I'm trying again ;-) .

On 151119-13:29+0100, miro.rovis@xxxxxxxxxxxxxxxxx wrote:
> Hi!
>
> I've been trying to get the streams, tcp or ssl, out with tshark,
> without success, for long.
>
> The closest that I got to why it seems to not work is after I tried it
> with better scripts than I was able to write, so far:
>
> Using Tshark To View Raw Socket Streams
> http://heapspray.net/post/using-tshark-to-view-raw-socket-streams/
> where you can still find the script that I based mine on.

And I enclose my script, too verbose for experts, but helpfully verbose for people still getting their mind around traffic capture like me ;-) ... Look up the attached file: tshark-streams.sh

I think I improved it by replacing the "| tr -d '=\r\n\t' " with " | egrep '[[:print:]]' ". It's the same trouble, though. There are no empty lines, because this replacement prints out only the, you guessed it, printable chars, but:

> In short, what I get in wireshark if I right click > Follow tcp|ssl
> stream (where window opens with that content) > Save
>
> is not the same, and can even be confusingly different from what I get
> with, picking up the line that does it in the script above:
>
> tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i
> ...
>
> and working with net-analyzer/wireshark-1.12.8-r1, and trying to show it
> on concrete samples...
>
> (On concrete samples), what I get with Wireshark, exactly as I explained
> in (pls. to cut the chase search for the string
> "dump_150927_1848_g0n_s09.dump"):
>
> SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
> https://forums.gentoo.org/viewtopic-t-1029408.html#7822484
>
> is what you can download, follow the procedure in the above Gentoo
> Forums topic, in that post, and get the Javascript file plain out, with
> the file dump_150927_1848_g0n.dump from:
> http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/
> ...

So these:

> tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
>   -qz follow,tcp,raw,9 > dump_150927_1848_g0n_s09_TRY.bin
> tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
>   -qz follow,tcp,raw,9 | tr -d '=\r\n\t' > dump_150927_1848_g0n_s09_TRY_tr.bin
> tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
>   -qz follow,tcp,raw,9 | tr -d '=\r\n\t' | xxd -r -p \
>   > dump_150927_1848_g0n_s09_TRY_tr_xxd.bin

will now, with my script, if you run the script on that downloaded file like this:

$ tshark-streams.sh dump_150927_1848_g0n.pcap "tcp.stream eq 9"

verbosely tell you what it does (and it'll wait for you to hit Enter at the start, one and another time):

$dump.pcap: dump_150927_1848_g0n.pcap
$tshlog: tsh-151121_1220.log
-rw-r--r-- 1 miro miro 0 2015-11-21 12:20 tsh-151121_1220.log
STREAMS=$(tshark -r dump_150927_1848_g0n.pcap -2 -R "tcp.stream eq 9" -T fields -e tcp.stream | sort -n | uniq)
$STREAMS: 9
INDEX=00009
Processing stream 00009 ...
tshark -r dump_150927_1848_g0n.pcap -T fields -e data -qz follow,tcp,raw,9 | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009.bin
tshark -r dump_150927_1848_g0n.pcap -qz follow,tcp,ascii,9 | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009.txt
tshark -r dump_150927_1848_g0n.pcap -T fields -e data -qz follow,ssl,raw,9 | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009-ssl.bin
tshark -r dump_150927_1848_g0n.pcap -qz follow,ssl,ascii,9 | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009-ssl.txt

The new <...>.bin files that it got you, though:

> is never close to getting anything out of that stream...
>
> I uploaded what I got in:
>
> http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/Add-151119/

(*Note*: you can also download tshark-streams.sh from there)

They don't have empty lines now, like those that I uploaded in the link above, but it is not clear to me what they are, and how to get the real content out of them.

> How to learn to do these things?

Regards!
-- Miroslav Rovis Zagreb, Croatia http://www.CroatiaFidelis.hr
Attachment:
tshark-streams.sh
Description: Bourne shell script
Attachment:
signature.asc
Description: PGP signature
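Added example (not part of the post above, nor of the tshark-streams.sh attachment): a small parser that turns the text `tshark -q -z follow,tcp,raw,N` prints into the two byte streams the Wireshark "Follow TCP Stream > Save" dialog would give you. It rests on two assumptions about the tap output, stated here and in the code: the block is framed by lines of `=` and four header lines (`Follow:`, `Filter:`, `Node 0:`, `Node 1:`), and each following line is the hex of one segment, with segments sent by Node 1 indented by a tab. Two things follow from that framing. First, with `-q` the per-packet output is suppressed, so `-T fields -e data` contributes nothing and the saved file is only the tap text, header lines included. Second, piping that text through `tr -d '=\r\n\t' | xxd -r -p` merges both directions and feeds the header words to the hex decoder (`Filter`, `Follow`, `Node` all contain hex digits), which is one way to get output that looks nothing like the stream. The sample input below is constructed, not taken from the capture the post links to; the addresses are documentation ranges.

```python
"""Split tshark `-z follow,tcp,raw,N` text into per-direction byte streams.

Assumed format (labelled as an assumption): separator lines of '=',
header lines "Follow:", "Filter:", "Node 0:", "Node 1:", then one hex
line per TCP segment, tab-indented when the segment was sent by Node 1.
"""
import re
import sys
from dataclasses import dataclass, field

HEX_LINE = re.compile(r"^[0-9a-fA-F]*$")


@dataclass
class FollowStream:
    node0: str = ""  # "addr:port" of Node 0 (the side that opened the connection)
    node1: str = ""  # "addr:port" of Node 1
    # (direction, payload) per segment, kept in the order tshark printed them,
    # so a request can still be matched to the response that follows it.
    segments: list = field(default_factory=list)

    def data(self, direction):
        """All bytes sent by Node <direction>, concatenated in order."""
        return b"".join(b for d, b in self.segments if d == direction)


def split_follow_raw(text):
    """Parse `follow,tcp,raw` (or `follow,ssl,raw`) output into a FollowStream.

    Header and separator lines are dropped instead of being decoded as hex;
    any other non-hex line is an error rather than silently skipped.
    """
    stream = FollowStream()
    for line in text.splitlines():
        if line.startswith("="):
            continue  # separator line
        if line.startswith("Node 0:"):
            stream.node0 = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Node 1:"):
            stream.node1 = line.split(":", 1)[1].strip()
            continue
        if line.startswith(("Follow:", "Filter:")):
            continue
        direction = 1 if line.startswith("\t") else 0  # assumption: tab = Node 1
        hexdata = line.strip()
        if not hexdata:
            continue
        if not HEX_LINE.match(hexdata) or len(hexdata) % 2:
            raise ValueError("not a raw follow hex line: %r" % line)
        stream.segments.append((direction, bytes.fromhex(hexdata)))
    return stream


def write_streams(text, prefix):
    """Write Node 0 / Node 1 payloads to <prefix>_node0.bin and <prefix>_node1.bin."""
    stream = split_follow_raw(text)
    names = ("%s_node0.bin" % prefix, "%s_node1.bin" % prefix)
    for direction, name in enumerate(names):
        with open(name, "wb") as fh:
            fh.write(stream.data(direction))
    return names


# Constructed sample (not a real capture): a plaintext HTTP request for a
# script, then the server's two response segments, in the assumed layout.
SAMPLE_FOLLOW_RAW = (
    "===================================================================\n"
    "Follow: tcp,raw\n"
    "Filter: tcp.stream eq 9\n"
    "Node 0: 192.0.2.10:51234\n"
    "Node 1: 198.51.100.20:80\n"
    "474554202f6170702e6a7320485454502f312e310d0a486f73743a206578616d706c650d0a0d0a\n"
    "\t485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20"
    "6170706c69636174696f6e2f6a6176617363726970740d0a0d0a\n"
    "\t616c657274282768692729\n"
    "===================================================================\n"
)


if __name__ == "__main__":
    # Usage: tshark -r dump.pcap -q -z follow,tcp,raw,9 | python3 split_follow.py dump_s09
    if len(sys.argv) > 1:
        for name in write_streams(sys.stdin.read(), sys.argv[1]):
            print("wrote", name)
    else:
        s = split_follow_raw(SAMPLE_FOLLOW_RAW)
        print("Node 0 (%s) sent:" % s.node0, s.data(0))
        print("Node 1 (%s) sent:" % s.node1, s.data(1))
```

The same parser applies to `follow,ssl,raw`, with the caveat that tshark only prints application data there when it can decrypt the session (for the Firefox case in the linked Gentoo post, that means pointing `ssl.keylog_file` at the browser's key log); without keys the ssl follow output is empty, however the file is post-processed.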