Wireshark-users: [Wireshark-users] Tshark not displaying all ssl.records

From: Lukas Nießen <Lukas.Niessen@xxxxxxxxxxxxxx>
Date: Tue, 29 Sep 2009 10:33:33 +0200
Hi there,

I would like to use Tshark to analyze SSL/TLS traffic. All I really need is the length of the TLS application data packets, the source and dest IP and a timestamp. If I execute tshark with -V, I get a lot of useless information. Thus I tried to optimize the output and did something like this:

sudo ./tshark -i eth0 -R ssl -T fields -e frame.time -e ip.src -e ip.dst -e ssl.record.length

The thing now is that one TLS-packet may contain several application data packets as I can see if I observe the packets parallelly in wireshark (or in tshark with -V set). But the -e ssl.record.length setting seems only to display one SSL record length per packet, but I need all. Is there something to accomplish this? Of course I could print out everything with -V and do some grep-ping afterwards, but there has to be a more elegant solution ;-)

Another question: Is there any way to display the unix timestamp instead of some verbose date/time output with the -T fields option?

Best regards
Lukas
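
What the post describes, one TCP segment carrying several TLS records that each have their own length field, as an added example that is not part of the original message: it walks the 5-byte record headers (content type, version, length) in a single payload and lists every record length. The sample bytes and all function names are constructed for illustration, and no TCP reassembly is done.

```python
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HEADER_LEN = 5  # type (1) + version (2) + length (2)


def tls_records(payload):
    """Walk one TCP payload and return every TLS record header found in it.

    Returns (records, leftover): records is a list of
    (content_type_name, declared_length, complete) tuples, leftover is the
    number of trailing bytes too short to hold a record header.
    """
    records, offset = [], 0
    while len(payload) - offset >= HEADER_LEN:
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError(f"not a TLS record header at offset {offset}")
        body_end = offset + HEADER_LEN + length
        # A record may continue in the next TCP segment; flag it instead of failing.
        records.append((CONTENT_TYPES[ctype], length, body_end <= len(payload)))
        offset = min(body_end, len(payload))
    return records, len(payload) - offset


def application_data_lengths(payload):
    """Lengths of all application_data records in the payload, in order."""
    return [length for name, length, _ in tls_records(payload)[0] if name == "application_data"]


def _record(ctype, length, body_bytes=None):
    """Build a constructed TLS 1.0 record with a zero-filled body."""
    body = b"\x00" * (length if body_bytes is None else body_bytes)
    return struct.pack("!BBBH", ctype, 3, 1, length) + body


# Constructed sample: one TCP payload carrying three records, the last one cut
# off by the segment boundary (declares 400 bytes, only 100 are present).
SAMPLE = _record(23, 32) + _record(23, 256) + _record(23, 400, body_bytes=100)

if __name__ == "__main__":
    for name, length, complete in tls_records(SAMPLE)[0]:
        print(name, length, "complete" if complete else "continues in next segment")
```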