Hi!
I've been trying to get the streams, tcp or ssl, out with tshark,
without success, for a long time.
The closest that I got to why it seems to not work is after I tried it
with better scripts than I was able to write, so far:
Using Tshark To View Raw Socket Streams
http://heapspray.net/post/using-tshark-to-view-raw-socket-streams/
Here's that precious script, in its entirety, just in case:
=========== START PASTE =============
#!/bin/bash
# Dump every TCP stream of a capture to a raw binary and an ASCII text file.
if [ "$#" -lt 1 ]; then
    echo "Usage: tshark_streams.sh <pcap file> [filter rules]"
    exit 1
fi
if [ -n "$2" ]; then
    # -Y is the single-pass display filter; plain -R needs -2 on tshark >= 1.10
    STREAMS=$(tshark -r "$1" -Y "$2" -T fields -e tcp.stream | sort -n | uniq)
else
    STREAMS=$(tshark -r "$1" -T fields -e tcp.stream | sort -n | uniq)
fi
for i in $STREAMS
do
    INDEX=$(printf '%.5d' "$i")
    echo "Processing stream $INDEX ..."
    # Raw follow output: drop the header lines, delete the layout characters
    # (rules, CR/LF, the tab that marks the reverse direction), then turn the
    # remaining hex digits back into bytes.
    tshark -r "$1" -T fields -e data -qz follow,tcp,raw,"$i" | tail -n +7 | tr -d '=\r\n\t' | xxd -r -p > "$1"_stream-"$INDEX".bin
    tshark -r "$1" -qz follow,tcp,ascii,"$i" > "$1"_stream-"$INDEX".txt
done
=========== END PASTE =============
In short, what I get in wireshark if I right click > Follow tcp|ssl
stream (where window opens with that content) > Save
is not the same, and can even be confusingly different from what I get
with, picking up the line that does it in the script above:
tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i
Aside from the fact that Wireshark-2.0.0_rc3 wasn't working right, as per the
title:
net-analyzer/wireshark-2.0.0_rc3 saves different tcp streams
(non-decryptable/non-gunzip'able)
https://bugs.gentoo.org/show_bug.cgi?id=565152
(surely hope wireshark-2.0.0 will work right, but it's not yet in Gentoo
mirrors)
and working with net-analyzer/wireshark-1.12.8-r1, and trying to show it
on concrete samples...
(On concrete samples), what I get with Wireshark, exactly as I explained
in (pls. to cut the chase search for the string
"dump_150927_1848_g0n_s09.dump"):
SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html#7822484
is what you can download, follow the procedure in the above Gentoo
Forums topic, in that post, and get the Javascript file plain out, with
the file dump_150927_1848_g0n.dump from:
http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/
but what I can get with this command:
tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i \
| tail -n +7 | tr -d '=\r\n\t' | xxd -r -p > "$1"_stream-$INDEX.bin
simplified for one instance, and so I tried these tshark commands (I
only didn't use the "tail -n +7" part):
tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
    -qz follow,tcp,raw,9 > dump_150927_1848_g0n_s09_TRY.bin
tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
    -qz follow,tcp,raw,9 | tr -d '=\r\n\t' > dump_150927_1848_g0n_s09_TRY_tr.bin
tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
    -qz follow,tcp,raw,9 | tr -d '=\r\n\t' | xxd -r -p \
    > dump_150927_1848_g0n_s09_TRY_tr_xxd.bin
is never close to getting anything out of that stream...
I uploaded what I got in:
http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/Add-151119/
How to learn to do these things?
Thanks for your kind consideration!
(And pls. see following emails for possible ERRATA :-) )
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
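One factor worth checking when the `tr | xxd -r -p` pipeline and a per-direction save from Wireshark's Follow TCP Stream dialog give different files is that the pipeline merges both directions of the stream, while the dialog lets you save one direction at a time. The following is an added example (Python, not code from the post, from the heapspray script or from Wireshark/tshark) that parses the text `tshark -qz follow,tcp,raw,<stream>` prints and keeps the two directions apart. It assumes tshark's layout (a header with "Node 0"/"Node 1" lines, one hex line per segment, the Node 1 -> Node 0 direction indented with a tab, a closing line of "=" signs); the sample output and the HTTP payloads in it are constructed, not taken from the poster's captures.

```python
"""Split `tshark -qz follow,tcp,raw,<n>` output into its two directions.

Added example, not from the mailing-list post or from Wireshark/tshark.  The
sample follow output is constructed and mirrors the layout tshark uses
(header with "Node 0"/"Node 1" lines, one hex line per segment, the
Node 1 -> Node 0 direction tab-indented, a closing "====" line).
"""
import re
from typing import Any, Dict, Optional

# Constructed payloads standing in for two request/response pairs in one stream.
CLIENT_SEGMENTS = [
    b"GET /a.js HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /b.js HTTP/1.1\r\nHost: example.test\r\n\r\n",
]
SERVER_SEGMENTS = [
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\na=1;\n",
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nb=2;\n",
]

RULE = "=" * 67
# A data line is an optional tab (reverse direction) followed by hex byte pairs.
HEX_LINE = re.compile(r"^\t?(?:[0-9a-fA-F]{2})*$")


def make_sample() -> str:
    """Constructed follow,tcp,raw output: request, reply, request, reply."""
    lines = [RULE, "Follow: tcp,raw", "Filter: tcp.stream eq 9",
             "Node 0: 10.0.0.5:51234", "Node 1: 93.184.216.34:443"]
    for req, resp in zip(CLIENT_SEGMENTS, SERVER_SEGMENTS):
        lines.append(req.hex())            # Node 0 -> Node 1, no indent
        lines.append("\t" + resp.hex())    # Node 1 -> Node 0, tab-indented
    lines.append(RULE)
    return "\n".join(lines) + "\n"


def split_follow_raw(text: str) -> Dict[str, Any]:
    """Return the endpoints, each direction reassembled on its own, and the
    merged byte string a tab/newline-stripping pipeline would produce."""
    node0: Optional[str] = None
    node1: Optional[str] = None
    c2s = bytearray()      # Node 0 -> Node 1
    s2c = bytearray()      # Node 1 -> Node 0
    merged = bytearray()   # both directions in printed order
    in_data = False
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not in_data:
            # Header: remember the endpoints; data starts after "Node 1:".
            if line.startswith("Node 0:"):
                node0 = line.split(":", 1)[1].strip()
            elif line.startswith("Node 1:"):
                node1 = line.split(":", 1)[1].strip()
                in_data = True
            continue
        if line.startswith("="):
            break                          # closing rule ends the stream
        if not HEX_LINE.match(line):
            raise ValueError(f"unexpected line in follow output: {line!r}")
        if line.startswith("\t"):
            chunk = bytes.fromhex(line[1:])
            s2c += chunk
        else:
            chunk = bytes.fromhex(line)
            c2s += chunk
        merged += chunk
    if node0 is None or node1 is None:
        raise ValueError("no Node 0/Node 1 header found")
    return {"node0": node0, "node1": node1,
            "client_to_server": bytes(c2s), "server_to_client": bytes(s2c),
            "both_directions": bytes(merged)}


def save_directions(parsed: Dict[str, Any], prefix: str) -> None:
    """Write each direction to its own .bin, like saving one direction at a
    time from the Follow TCP Stream dialog."""
    for key in ("client_to_server", "server_to_client"):
        with open(f"{prefix}_{key}.bin", "wb") as fh:
            fh.write(parsed[key])


if __name__ == "__main__":
    result = split_follow_raw(make_sample())
    for key in ("client_to_server", "server_to_client", "both_directions"):
        print(f"{key}: {len(result[key])} bytes")
```

To use it on real output, feed `split_follow_raw` the text of `tshark -r <pcap> -qz follow,tcp,raw,<n>` and pass the result to `save_directions`; for a gzip'ed HTTP response the `server_to_client` file is the one whose body should gunzip once the HTTP headers are cut off, whereas `both_directions` has the requests spliced in between the response segments.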