Wireshark-users: Re: [Wireshark-users] Tshark not displaying all ssl.records

From: Lukas Nießen <Lukas.Niessen@xxxxxxxxxxxxxx>
Date: Thu, 01 Oct 2009 10:45:10 +0200
Hi,

ok thanks for the information. I solved it now by grepping for the relevant information and some scripts to convert the date to a unix timestamp.

Thx and regards
Lukas

Am 29.09.2009 16:35 schrieb Sake Blok:
Hi Lukas,

There is a feature request for printing all ocuurances of a field when there are multiple occurances of the same field. However, no one has taken the time to implement this yet.

Also, there is no way currently to use -T fields and get a different time format for frame.time. However, you could use frame.time_relative to get the seconds since the first frame, which might be more usefull to you.

Cheers,


Sake

----- Original Message ----- From: "Lukas Nie�en" <Lukas.Niessen@xxxxxxxxxxxxxx>
To: <wireshark-users@xxxxxxxxxxxxx>
Sent: Monday, September 28, 2009 8:48 PM
Subject: [Wireshark-users] Tshark not displaying all ssl.records


Hi there,

I would like to use Tshark to analyze SSL/TLS traffic. All I really need
is the length of the TLS application data packets, the source and dest
ip and a timestamp. If I execute tshark with -V, I get a lot of useless
information. Thus I tried to optimize the output and did something like
this:

sudo ./tshark -i eth0 -R ssl -T fields -e frame.time -e ip.src -e ip.dst
-e ssl.record.length

The thing now is that one TLS-packet may contain several application
data packets as I can see if I observe the packets parallelly in
wireshark (or in tshark with -V set). But the -e ssl.record.length
setting seems only to display one SSL record length per packet, but I
need all. Is there something to accomplish this? Of course I could print
out everything with -V and do some grep-ping afterwards, but there has
to be a more elegant solution ;-)

Another question: Is there any way to display the unix timestamp instead
of some verbose date/time output with the -T fields option?

Best regards
Lukas
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe