Hi All,
I am new to Wireshark.
I need to decrypt SSL traffic to get the content length.
./tshark -o "ssl.keys_list:,443,http,client.ky" -T fields -E separator=":" -e frame.time_relative -e frame.number -e tcp.len -e http.content_length -e tcp.flags.fin -e tcp.flags.push -R "ip.src == source_ip && ip.dst == destination_ip && tcp.srcport == 443 && ! (tcp.analysis.out_of_order) && ! (tcp.analysis.retransmission) " -r sample.pcap
Here is the result:
2.765700000:35:0::0:0
2.765990000:37:0::0:0
2.925676000:39:0::0:0
2.925967000:41:0::0:0
5.766952000:66:835::0:1
5.767578000:70:0::0:0
5.767648000:71:0::0:0
5.927948000:72:835::0:1
5.928435000:76:0::0:0
5.928609000:77:0::0:0
5.970891000:78:43::0:1
6.131897000:80:43::0:1
6.132293000:83:0::0:0
6.133199000:84:1460::0:0
6.134092000:85:1460::0:0
6.236042000:90:1280::1:1
The field for content length is empty.
Please help me out and let me know if I am missing anything or doing something wrong.
Thanks.
--
Regards,
Sahaj