Wireshark-users: Re: [Wireshark-users] follow [tcp|ssl].stream with tshark

Date: Sat, 21 Nov 2015 12:31:31 +0100
Hi!

I've received no replied so far, and I believe this is something good to
do, so I'm trying again ;-) .

On 151119-13:29+0100, miro.rovis@xxxxxxxxxxxxxxxxx wrote:
> Hi!
> 
> I've been trying to get the streams, tcp or ssl, out with tshark,
> without success, for long.
> 
> The closest that I got to why it seems to not work is after I tried it
> with better scripts than I was able to write, so far:
> 
> Using Tshark To View Raw Socket Streams
> http://heapspray.net/post/using-tshark-to-view-raw-socket-streams/
> 
where you can still find the script that I based mine on.

And I enclose my script, too verbose for experts, but helpfully verbose
for people still getting their mind around traffic capture like me ;-)
... Look up the attached file:

tshark-streams.sh

I think I improved it with replacing the "| tr -d '=\r\n\t' " with
" | egrep '[[:print:]]'" .

It's the same trouble, though. There are no empty lines, because this
replacement prints out only the, you guessed it, printable chars out,
but:
> 
> In short, what I get in wireshark if I right click > Follow tcp|ssl
> stream (where window opens with that content) > Save 
> 
> is not the same, and can even be confusingly different from what I get
> with, picking up the line that does it in the script above:
> 
> tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i
> 
...

> 
> and working with net-analyzer/wireshark-1.12.8-r1, and trying to show it
> on concrete samples...
> 
> (On concrete samples), what I get with Wireshark, exactly as I explained
> in (pls. to cut the chase search for the string
> "dump_150927_1848_g0n_s09.dump"):
> 
> SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
> https://forums.gentoo.org/viewtopic-t-1029408.html#7822484
> 
> is what you can download, follow the procedure in the above Gentoo
> Forums topic, in that post, and get the Javascript file plain out, with
> the file dump_150927_1848_g0n.dump from:
> http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/
> 
...

So these:
> 
> tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
> 	-qz follow,tcp,raw,9 > dump_150927_1848_g0n_s09_TRY.bin
> tshark -r dump_150927_1848_g0n.pcap -T fields -e data -\
> 	qz follow,tcp,raw,9  | tr -d '=\r\n\t' > dump_150927_1848_g0n_s09_TRY_tr.bin
> tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
> 	-qz follow,tcp,raw,9  | tr -d '=\r\n\t'  | xxd -r -p \
> 	> dump_150927_1848_g0n_s09_TRY_tr_xxd.bin
>
will now, with my script, if you run the script on that downloaded file
like this:

$ tshark-streams.sh  dump_150927_1848_g0n.pcap "tcp.stream eq 9"

it will verbosely tell you what it does (and it'll wait for you ti hit
Enter at the start, one and another time):

$dump.pcap: dump_150927_1848_g0n.pcap

$tshlog: tsh-151121_1220.log
-rw-r--r-- 1 miro miro 0 2015-11-21 12:20 tsh-151121_1220.log

STREAMS=$(tshark -r dump_150927_1848_g0n.pcap -2 -R "tcp.stream eq 9" -T
fields -e tcp.stream | sort -n | uniq)
$STREAMS: 9
INDEX=00009
Processing stream 00009 ...
tshark -r dump_150927_1848_g0n.pcap -T fields -e data -qz
follow,tcp,raw,9 | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009.bin
tshark -r dump_150927_1848_g0n.pcap -qz follow,tcp,ascii,9 | egrep
'[[:print:]]' > dump_150927_1848_g0n_s00009.txt

tshark -r dump_150927_1848_g0n.pcap -T fields -e data -qz
follow,ssl,raw,9 | egrep '[[:print:]]' >
dump_150927_1848_g0n_s00009-ssl.bin
tshark -r dump_150927_1848_g0n.pcap -qz follow,ssl,ascii,9 | egrep
'[[:print:]]' > dump_150927_1848_g0n_s00009-ssl.txt

The new <...>.bin files that it got you, though:

> is never close to getting anything out of that stream...
>

> I uploaded what I got in:
> 
> http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/Add-151119/
>
(*Note*: you can also download tshark-streams.sh from there)

They don't have empty lines now, like those that I uploaded in the link
above, but it is not clear to me what they are, and how to get the real
content out of them.

> How to learn to do these things?

Regards!

-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

Attachment: tshark-streams.sh
Description: Bourne shell script

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCgAGBQJWUFB2AAoJEOqYhIhPuvCunGQP/3SLPJYMdZalA+IXmY4vGD3k
ywaeXFQrkXpyCFukWMDLEY/C23Vioq5mwZMX/pgZ16LYAXGHDwhEh7MMQ+kfpNzS
gpvHqEVkHvCYonscrQ7aWMrKADLOeMnXfQNipsPyucVfJ4/UG4uD9XgTftxzFE/a
AohHPgvKv5kmvQrtr4g5SjzzHRApWJ/Po/PSYJTTwhjnvUn3FrhgTTOHz7ayZ1Zd
354jQQesM9NYckQyX0uTnFF4GxKlsYYoGRoCv5KcmekMIoDeEy5NRWmhqP8De8AZ
/JBprtEa24Lm3kWVrE1ldR8fu0mC3CT0wzyOhz4GBiTmIZ05/1+221Uk2BTsUJnY
AYMKIiQhLeurUXGOV3dANFt7S21RpXsB/UH8qgbzLJ1+w0Bsdz61BFGZLSI6G7gn
OgOmfZF2HUdj4FQ6SHgPrWKrKoVBblK3YHATmxJwIrNaqUWECLVZRQhuPLSErSxI
ZwYUfu8FLAzg98jlKPRW5Ldqo5yGh/Z7Qlb9wwTkNCG0Nu3UUgf3z1SAbVCZlu8O
5+r54AjEyhOgRXmUaqvqXgWPUer617Xmmd8QD/npCV1ZKi9rFLrIN2OhVxBhzBl/
7KIO70DvjZNu26eE3k9ZNuiVh39axzGs+vpUgFBh5o8r5NdR/GVhWhNsvR7umKeN
MKDF3TBuyj0tXTvLRk/f
=oU1O
-----END PGP SIGNATURE-----

Attachment: signature.asc
Description: PGP signature