On 08/03/2016 05:00 AM, wireshark-users-request@xxxxxxxxxxxxx wrote:
Message: 1
Date: Wed, 3 Aug 2016 00:35:18 +0200
From: Thomas Glanzmann <thomas@xxxxxxxxxxxx>
To: wireshark users <wireshark-users@xxxxxxxxxxxxx>
Subject: [Wireshark-users] Using tshark to extract ssl.handshake.random_time in hex
Message-ID: <20160802223518.GA24434@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii
Hello,
I would like to use wireshark to extract the 4 bytes that represent
ssl.handshake.random_time in hex. Currently I only managed to extract it
as unix time by doing that:
$ tshark -nr sniff.pcap -Y 'ssl.handshake.type == 1' -T fields -e ssl.handshake.random_time
Aug 2, 2016 17:00:11.000000000 CEST
Any hints how to obtain that?
I'm using tshark 1.12.1 which is packaged with Debian jessie. In
backports also 2.0.4 is available. But I'm also fine to compile
wireshark by myself.
Cheers,
Thomas
I am using an older version of Wireshark but it should work with new
versions as well. The trick is to not interpret the SSL data as SSL data
and then extract the time by position. It only works because the Random
field is in a fixed position.
# Random starts 11 bytes into the TCP payload (5-byte record header + 4-byte handshake
# header + 2-byte version); in echo.data's "xx:xx:..." form that is characters 34-44.
$ for x in $(tshark -r test.pcap -R "ssl.handshake.type == 1" -T fields -e frame.number); do \
    echo -e $x "\t" $(tshark -r test.pcap -R "frame.number == $x" -d tcp.port==443,echo -T fields -e echo.data | cut -c 34-44); \
  done
78 57:7f:0f:22
111 57:7f:0f:22
146 57:7f:0f:23
225 f7:6c:83:81
364 57:7f:0f:2c
396 57:7f:0f:2c
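The same by-position extraction done in Python rather than with `cut`, as an added example that is not from the thread: it takes the TCP payload (or tshark's colon-separated `echo.data` string), checks that it really is a TLS handshake record carrying a ClientHello before trusting offset 11, and returns the 4 bytes both as hex and as a Unix time. The ClientHello bytes are constructed for the example, using the 57:7f:0f:22 value seen above.

```python
import struct
from datetime import datetime, timezone
from typing import Tuple

# Constructed sample: the leading bytes of a TLS ClientHello as they sit in the
# TCP payload (what echo.data shows when port 443 is decoded as echo).
SAMPLE_CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 a5 "       # record header: handshake (0x16), version 3.1, length
    "01 00 00 a1 "          # handshake header: type 1 = ClientHello, length
    "03 03 "                # client_version TLS 1.2
    "57 7f 0f 22 "          # gmt_unix_time, the 4 bytes the thread extracts
    + "aa " * 28            # remaining 28 bytes of Random (constructed filler)
)

RECORD_HEADER_LEN = 5
HANDSHAKE_HEADER_LEN = 4
RANDOM_TIME_OFFSET = RECORD_HEADER_LEN + HANDSHAKE_HEADER_LEN + 2  # == 11


def from_echo_data(echo_data: str) -> bytes:
    """Convert tshark's colon-separated echo.data hex ("16:03:01:...") to bytes."""
    return bytes.fromhex(echo_data.replace(":", ""))


def extract_random_time(payload: bytes) -> Tuple[str, int]:
    """Return (colon-hex, unix seconds) of gmt_unix_time from a ClientHello payload.

    Unlike a blind `cut -c 34-44`, this refuses payloads that are not a TLS
    handshake record whose first handshake message is a ClientHello.
    """
    if len(payload) < RANDOM_TIME_OFFSET + 4:
        raise ValueError("payload too short to hold a ClientHello Random")
    if payload[0] != 0x16 or payload[1] != 0x03:
        raise ValueError("not a TLS handshake record")
    if payload[RECORD_HEADER_LEN] != 0x01:
        raise ValueError("first handshake message is not a ClientHello")
    raw = payload[RANDOM_TIME_OFFSET:RANDOM_TIME_OFFSET + 4]
    (unix_time,) = struct.unpack("!I", raw)  # big-endian uint32
    return raw.hex(":"), unix_time


def random_time_utc(payload: bytes) -> str:
    """ISO-8601 UTC rendering of the extracted gmt_unix_time."""
    _, unix_time = extract_random_time(payload)
    return datetime.fromtimestamp(unix_time, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    print(extract_random_time(SAMPLE_CLIENT_HELLO), random_time_utc(SAMPLE_CLIENT_HELLO))
```

Not every client puts a real timestamp in those bytes (frame 225 above is one such value), so treat the result as client-supplied data rather than a reliable clock reading.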