Wireshark-users: Re: [Wireshark-users] tshark SSL Decryption

From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
Date: Wed, 28 May 2008 13:51:58 -0600
Ok thanks. Do you know if this is something that'll be fixed in
wireshark or a patch will be available anytime soon?

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Wednesday, May 28, 2008 1:50 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tshark SSL Decryption

On Wed, May 28, 2008 at 01:34:18PM -0600, Al Aghili wrote:
>
> I think you're correct. I've included the actual frames. But it does
> look like this is retransmission. Is this something that we can change
> on the client? Why would a retransmission occur? 

Uhmm... it looks like the frames you included in your mail are not
corresponding to the ones in the ssl-debug output.

> We are using tshark standard out to look at the frames. When you say
> manually remove the frame from the capture file are you suggesting to
> first have tshark create a capture file then remove the redundant
frame
> from the file and then feed the capture file back through tshark for
> decryption?

Yes.

> I could programmically do that I just want to understand
> what steps I need to take and how to run tshark.

You might find 'editcap' te be handy here. You can use it like
this:

editcap <srcfile> <dstfile> <packet#11>,<packet#23>,<packet#34>

to remove packet 11, 23 and 34 from <srcfile> and save all the
other packets to <dstfile>.

Cheers,
    Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users