Print SSL Packet Details with Tshark – How To

Tags: ssl, tshark, Ubuntu

I collected a brief exchange between an SSL client and server (openssl's s_client and s_server, to be exact), and want to view the SSL portions of the pcap file with tshark. I don't need to decrypt the encrypted portions, but at least would like to know the values in the unencrypted fields.

When copying the file from the server to my desktop I can open the pcap file with Wireshark and see the fields by default:

[Image: Wireshark output]

On the other hand, tshark -r tls_dump.pcap only displays up to the TCP portion of the packets. For example, for the same packet:

4 0.000069237    127.0.0.1 → 127.0.0.1    TCP 373 54312 → 44330 [PSH, ACK] Seq=1 Ack=1 Win=43776 Len=307 ...

I tried collecting the packets both with tcpdump -U -i lo 'port 44330' -w tls_dump.pcap and with tshark -nn -i lo -s 0 -w tls_dump.pcap port 44330 (as here), but when trying to view the packets the results are the same.

tshark options I tried:

  • -2 has no effect

  • -2R "ssl" shows nothing

  • -Y "ssl" shows nothing

  • -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" has no effect

  • -T json shows only raw uninterpreted TCP payload data

  • -V shows only raw uninterpreted TCP payload data

  • --print has no effect

  • --enable-protocol "ssl" has no effect

  • --enable-heuristic "ssl" gives me a No such protocol ssl, can't enable error

How does one output SSL packet details of an SSL packet with tshark?

Best Answer

What worked in the end was specifying the port using -d tcp.port==44330,ssl, thus my full command was:

tshark -r tls_dump.pcap -d tcp.port==44330,ssl

The reason this was necessary was due to some version-specific differences in Wireshark. My desktop had version 2.6.0, which was able to automatically detect the SSL protocol. The server had version 2.4.6, which wasn't able to detect SSL and needed the port number to be specified.

Only SSL packets can be printed with:

tshark -r tls_dump.pcap -d tcp.port==44330,ssl -2R "ssl"

Only SSL packets in JSON format:

tshark -r tls_dump.pcap -d tcp.port==44330,ssl -2R "ssl" -T json
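
Added example (not part of the original post, and not Wireshark code): a Python parser for the cleartext TLS record fields in a raw TCP payload, which is a quick way to confirm that traffic on a non-standard port such as 44330 really is TLS before forcing the dissector with -d. The function names and the two sample payloads are constructed for illustration.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello",
                   11: "certificate", 16: "client_key_exchange"}

def parse_tls_records(payload, after_ccs=False):
    """Return the cleartext header fields of every TLS record in one TCP payload."""
    records, off = [], 0
    while off < len(payload):
        if len(payload) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        # Record header: 1-byte content type, 2-byte version, 2-byte length.
        ctype, version, length = struct.unpack_from("!BHH", payload, off)
        if ctype not in CONTENT_TYPES or version >> 8 != 3:
            raise ValueError(f"not a TLS record at offset {off}")
        body = payload[off + 5:off + 5 + length]
        rec = {"type": CONTENT_TYPES[ctype], "version": f"0x{version:04x}",
               "length": length, "complete": len(body) == length}
        if ctype == 20:
            after_ccs = True  # records after ChangeCipherSpec are encrypted
        elif ctype == 22 and after_ccs:
            rec["handshake"] = "encrypted"
        elif ctype == 22 and len(body) >= 4:
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], f"type {body[0]}")
            if body[0] == 1 and rec["complete"]:
                rec.update(parse_client_hello(body[4:]))  # skip 4-byte handshake header
        records.append(rec)
        off += 5 + length
    return records

def parse_client_hello(hello):
    """Pull the offered version and cipher suites out of a ClientHello body."""
    (hello_version,) = struct.unpack_from("!H", hello, 0)
    sid_len = hello[34]              # follows 2-byte version + 32-byte random
    cs_off = 35 + sid_len
    (cs_len,) = struct.unpack_from("!H", hello, cs_off)
    suites = struct.unpack_from(f"!{cs_len // 2}H", hello, cs_off + 2)
    return {"hello_version": f"0x{hello_version:04x}",
            "cipher_suites": [f"0x{s:04x}" for s in suites]}

# Constructed sample payloads (not taken from the capture in the post).
CLIENT_HELLO = bytes.fromhex("160301002f" "0100002b" "0303" + "00" * 32
                             + "00" "0004c02f009c" "0100")
CCS_FINISHED = bytes.fromhex("140303000101" "1603030028" + "00" * 40)
```

A ValueError on the first record means the payload on that port is not TLS, so decode-as would only produce a misleading dissection.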