Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 123, Issue 1

From: noah davids <ndav1@xxxxxxx>
Date: Thu, 4 Aug 2016 04:39:28 -0700
On 08/03/2016 05:00 AM, wireshark-users-request@xxxxxxxxxxxxx wrote:
Message: 1
Date: Wed, 3 Aug 2016 00:35:18 +0200
From: Thomas Glanzmann <thomas@xxxxxxxxxxxx>
To: wireshark users <wireshark-users@xxxxxxxxxxxxx>
Subject: [Wireshark-users] Using tshark to extract ssl.handshake.random_time in hex
Message-ID: <20160802223518.GA24434@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

Hello,
I would like to use wireshark to extract the 4 bytes that represent
ssl.handshake.random_time in hex. Currently I have only managed to extract it
as unix time by doing this:

$ tshark -nr sniff.pcap -Y 'ssl.handshake.type == 1' -T fields -e ssl.handshake.random_time
Aug  2, 2016 17:00:11.000000000 CEST

Any hints on how to obtain that?

I'm using tshark 1.12.1, which is packaged with Debian jessie. 2.0.4 is
also available in backports. But I'm also fine with compiling
wireshark myself.

Cheers,
         Thomas


I am using an older version of Wireshark but it should work with new versions as well. The trick is to not interpret the SSL data as SSL data and then extract the time by position. It only works because the Random field is in a fixed position.

$ for x in $(tshark -r test.pcap -R "ssl.handshake.type == 1" -T fields -e frame.number); do echo -e $x "\t" $(tshark -r test.pcap -R "frame.number == $x" -d tcp.port==443,echo -T fields -e echo.data | cut -c 34-44); done
78        57:7f:0f:22
111      57:7f:0f:22
146      57:7f:0f:23
225      f7:6c:83:81
364      57:7f:0f:2c
396      57:7f:0f:2c
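As an added example (not part of Noah's reply and not Wireshark code), the same fixed-offset extraction done on a raw ClientHello in Python, which also shows where the `cut -c 34-44` column range comes from. The byte string is constructed, not taken from a capture, and `looks_like_timestamp` with its year bounds is an assumption added here to flag clients that fill gmt_unix_time with random bytes (as frame 225 above appears to).

```python
import struct
from datetime import datetime, timezone

# Constructed TLS ClientHello prefix (not from a real capture):
# record header (5) + handshake header (4) + client_version (2) + random (32).
# gmt_unix_time is 0x577f0f22, the value Noah's command printed for frame 78.
CLIENT_HELLO = bytes.fromhex(
    "160301002c"               # record: type 0x16 handshake, version, length
    "01000028"                 # handshake: type 1 (ClientHello), 3-byte length
    "0303"                     # client_version (TLS 1.2)
    "577f0f22" + "aa" * 28     # random: gmt_unix_time + 28 more bytes
)

# The offset is fixed only when the ClientHello record starts at the first
# byte of the TCP payload; a record split across segments breaks it.
RANDOM_TIME_OFFSET = 5 + 4 + 2   # record hdr + handshake hdr + client_version


def random_time_bytes(payload: bytes) -> bytes:
    """Return the 4 gmt_unix_time bytes of a ClientHello, validating the
    record/handshake type bytes instead of trusting the position blindly."""
    if len(payload) < RANDOM_TIME_OFFSET + 4:
        raise ValueError("payload too short for a ClientHello")
    if payload[0] != 0x16 or payload[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    return payload[RANDOM_TIME_OFFSET:RANDOM_TIME_OFFSET + 4]


def random_time_hex(payload: bytes) -> str:
    """Same formatting tshark uses for echo.data: 'xx:xx:xx:xx'."""
    return ":".join(f"{b:02x}" for b in random_time_bytes(payload))


def random_time_unix(payload: bytes) -> int:
    """Big-endian 32-bit seconds since the epoch, as tshark decodes it."""
    return struct.unpack("!I", random_time_bytes(payload))[0]


def cut_columns(offset: int, length: int) -> tuple:
    """1-based `cut -c` range selecting `length` bytes at byte `offset`
    when tshark prints bytes as 'aa:bb:cc' (3 columns per byte)."""
    first, last = offset + 1, offset + length
    return (3 * first - 2, 3 * last - 1)


def looks_like_timestamp(t: int, year_lo: int = 2000, year_hi: int = 2100) -> bool:
    """Assumed heuristic: many clients randomize gmt_unix_time, so a value
    decoding to an implausible year is not a clock reading."""
    return year_lo <= datetime.fromtimestamp(t, timezone.utc).year <= year_hi
```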