Wireshark-users: Re: [Wireshark-users] Tshark not displaying all ssl.records
From: Lukas Nießen <Lukas.Niessen@xxxxxxxxxxxxxx>
Date: Thu, 01 Oct 2009 10:45:10 +0200
Hi,

ok, thanks for the information. I solved it now by grepping for the relevant information and some scripts to convert the date to a unix timestamp.

Thx and regards
Lukas

On 29.09.2009 16:35, Sake Blok wrote:
Hi Lukas,

There is a feature request for printing all occurrences of a field when there are multiple occurrences of the same field. However, no one has taken the time to implement this yet.

Also, there is no way currently to use -T fields and get a different time format for frame.time. However, you could use frame.time_relative to get the seconds since the first frame, which might be more useful to you.

Cheers,
Sake

----- Original Message -----
From: "Lukas Nießen" <Lukas.Niessen@xxxxxxxxxxxxxx>
To: <wireshark-users@xxxxxxxxxxxxx>
Sent: Monday, September 28, 2009 8:48 PM
Subject: [Wireshark-users] Tshark not displaying all ssl.records

Hi there,

I would like to use Tshark to analyze SSL/TLS traffic. All I really need is the length of the TLS application data packets, the source and dest ip and a timestamp. If I execute tshark with -V, I get a lot of useless information. Thus I tried to optimize the output and did something like this:

    sudo ./tshark -i eth0 -R ssl -T fields -e frame.time -e ip.src -e ip.dst -e ssl.record.length

The thing now is that one TLS-packet may contain several application data packets as I can see if I observe the packets parallelly in wireshark (or in tshark with -V set). But the -e ssl.record.length setting seems only to display one SSL record length per packet, but I need all. Is there something to accomplish this? Of course I could print out everything with -V and do some grep-ping afterwards, but there has to be a more elegant solution ;-)

Another question: Is there any way to display the unix timestamp instead of some verbose date/time output with the -T fields option?
Best regards
Lukas

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
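The workaround described in this thread (post-processing the `-V` output and converting the timestamps), as an added example that is not part of the original messages: a Python parser that emits one row per TLS application data record, including frames that carry several records. The sample text is constructed, its layout is an assumed shape of `tshark -V` output, the function name `app_data_records` is hypothetical, and Arrival Time is treated as UTC so the result is reproducible.

```python
import calendar
import re
import time

# Constructed, trimmed sample in the assumed shape of `tshark -V` text output.
SAMPLE = """\
Frame 1 (1514 bytes on wire, 1514 bytes captured)
    Arrival Time: Oct  1, 2009 10:45:10.250000000
Internet Protocol, Src: 192.0.2.10 (192.0.2.10), Dst: 198.51.100.7 (198.51.100.7)
Secure Socket Layer
    TLSv1 Record Layer: Application Data Protocol: http
        Content Type: Application Data (23)
        Length: 400
    TLSv1 Record Layer: Application Data Protocol: http
        Content Type: Application Data (23)
        Length: 1038
Frame 2 (171 bytes on wire, 171 bytes captured)
    Arrival Time: Oct  1, 2009 10:45:11.000000000
Internet Protocol, Src: 198.51.100.7 (198.51.100.7), Dst: 192.0.2.10 (192.0.2.10)
Secure Socket Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Length: 100
        Handshake Protocol: Client Hello
            Length: 96
"""

ARRIVAL = re.compile(r"Arrival Time: (\w+\s+\d+, \d{4} \d\d:\d\d:\d\d)(\.\d+)?")
IP_HDR = re.compile(r"^Internet Protocol.*Src: (\S+).*Dst: (\S+)")
CTYPE = re.compile(r"Content Type: .*\((\d+)\)")
LENGTH = re.compile(r"^\s+Length: (\d+)")

def app_data_records(text, content_type=23):
    """Yield (epoch, src, dst, length) for every TLS record of the given type."""
    epoch = src = dst = ctype = None
    for line in text.splitlines():
        if m := ARRIVAL.search(line):
            # Assumption: the printed time is UTC (tshark prints local time).
            base = calendar.timegm(time.strptime(m.group(1), "%b %d, %Y %H:%M:%S"))
            epoch = base + float(m.group(2) or 0)
        elif m := IP_HDR.match(line):
            src, dst = m.groups()
        elif "Record Layer:" in line:
            ctype = 0                  # record header seen, content type pending
        elif ctype == 0 and (m := CTYPE.search(line)):
            ctype = int(m.group(1))
        elif ctype and (m := LENGTH.match(line)):
            if ctype == content_type:
                yield (epoch, src, dst, int(m.group(1)))
            ctype = None               # skip nested lengths (handshake messages)
```

Only the first `Length:` after each record header is taken, so the handshake message length nested inside a record is not mistaken for a record length.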