Wireshark-users: Re: [Wireshark-users] tshark SSL Decryption

From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 28 May 2008 21:49:31 +0200
On Wed, May 28, 2008 at 01:34:18PM -0600, Al Aghili wrote:
>
> I think you're correct. I've included the actual frames. But it does
> look like this is retransmission. Is this something that we can change
> on the client? Why would a retransmission occur? 

Uhmm... it looks like the frames you included in your mail are not
corresponding to the ones in the ssl-debug output.

> We are using tshark standard out to look at the frames. When you say
> manually remove the frame from the capture file are you suggesting to
> first have tshark create a capture file then remove the redundant frame
> from the file and then feed the capture file back through tshark for
> decryption?

Yes.

> I could programmically do that I just want to understand
> what steps I need to take and how to run tshark.

You might find 'editcap' to be handy here. You can use it like
this:

editcap <srcfile> <dstfile> 11 23 34

to remove packet 11, 23 and 34 from <srcfile> and save all the
other packets to <dstfile>.

Cheers,
    Sake
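Al asked how to do this programmatically. The following is an added example, not code from this thread or from the Wireshark project, that automates the three steps Sake describes: write the raw frames to a file, remove the retransmitted frames with editcap, and feed the cleaned file back to tshark for decryption. It assumes a current tshark and editcap on PATH (tshark's `-Y` display-filter flag, the `tcp.analysis.retransmission` field, and editcap's positional packet-number arguments); the file names are placeholders and the sample tshark output is constructed.

```python
"""Remove TCP retransmissions from a capture before tshark decrypts it.

Added example, not from the mailing-list thread or the Wireshark project.
Assumes tshark and editcap are on PATH. File names are placeholders.
"""
import shutil
import subprocess
from typing import Iterable, List

# Constructed sample of what
#   tshark -r <file> -Y tcp.analysis.retransmission -T fields -e frame.number
# prints: one frame number per line, possibly with repeats and blank lines.
SAMPLE_TSHARK_OUTPUT = "11\n23\n23\n34\n\n"


def parse_frame_numbers(tshark_fields_output: str) -> List[int]:
    """Turn tshark's one-number-per-line field output into a sorted,
    de-duplicated list of frame numbers; blank lines are ignored."""
    frames = set()
    for line in tshark_fields_output.splitlines():
        line = line.strip()
        if line:
            frames.add(int(line))
    return sorted(frames)


def editcap_argv(src: str, dst: str, frames: Iterable[int]) -> List[str]:
    """Build the editcap command that deletes `frames` from src and writes
    the remaining packets to dst. Packet numbers are separate positional
    arguments, not a comma-joined string."""
    return ["editcap", src, dst] + [str(n) for n in sorted(set(frames))]


def find_retransmissions(src: str) -> List[int]:
    """Ask tshark which frames its TCP analysis flags as retransmissions."""
    result = subprocess.run(
        ["tshark", "-r", src, "-Y", "tcp.analysis.retransmission",
         "-T", "fields", "-e", "frame.number"],
        check=True, capture_output=True, text=True)
    return parse_frame_numbers(result.stdout)


def strip_and_decrypt(src: str, cleaned: str, decode_args: List[str]) -> int:
    """Full pipeline: list retransmitted frames, drop them with editcap,
    then re-read the cleaned capture with the caller's decryption options
    (in 2008 that was the ssl.keys_list preference via -o; newer versions
    configure the RSA key differently, so the caller supplies the args).
    Returns the number of frames removed."""
    frames = find_retransmissions(src)
    if frames:
        subprocess.run(editcap_argv(src, cleaned, frames), check=True)
    else:
        shutil.copyfile(src, cleaned)   # nothing to strip; decrypt as-is
    subprocess.run(["tshark", "-r", cleaned] + decode_args, check=True)
    return len(frames)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample output.
    frames = parse_frame_numbers(SAMPLE_TSHARK_OUTPUT)
    print("frames to remove:", frames)
    print("command:", " ".join(editcap_argv("raw.pcap", "clean.pcap", frames)))
    # With real files and a key, the full run would be:
    # strip_and_decrypt("raw.pcap", "clean.pcap", ["-o", "ssl.keys_list:<ip>,443,http,<keyfile>"])
```

The raw capture is produced first with `tshark -w raw.pcap` (plus whatever capture filter you use); the script then only touches files, so the decryption pass sees each SSL record exactly once.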