I collected a brief exchange between an SSL client and server (openssl's s_client
and s_server
, to be exact), and want to view the ssl portions of the pcap file with tshark
. I don't need to decrypt the encrypted portions, but at least would like to know the values in the unencrypted fields.
When copying the file from the server to my desktop I can open the pcap file with Wireshark and see the fields by default:
On the other hand, tshark -r tls_dump.pcap
only displays up to the TCP portion of the packets. For example, for the same packet:
4 0.000069237 127.0.0.1 → 127.0.0.1 TCP 373 54312 → 44330 [PSH, ACK] Seq=1 Ack=1 Win=43776 Len=307 ...
I tried collecting the packets both with tcpdump -U -i lo 'port 44330' -w tls_dump.pcap
and with tshark -nn -i lo -s 0 -w tls_dump.pcap port 44330
(as here), but when trying to view the packets the results are the same.
tshark
options I tried:
-
-2
has no effect -
-2R "ssl"
shows nothing -
-Y "ssl"
shows nothing -
-o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE"
has no effect -
-T json
shows only raw uninterpreted TCP payload data -
-V
shows only raw uninterpreted TCP payload data -
--print
has no effect -
--enable-protocol "ssl"
has no effect -
--enable-heuristic "ssl"
gives me aNo such protocol ssl, can't enable
error
How does one output SSL packet details of an SSL packet with tshark
?
Best Answer
What worked in the end was specifying the port using
-d tcp.port==44330,ssl
, thus my full command was:The reason this was necessary was due to some version-specific differences in Wireshark. My desktop had version
2.6.0
, which was able to automatically detect the SSL protocol. The server had version2.4.6
, which wasn't able to detect SSL and needed the port number to be specified.Only SSL packets can be printed with:
Only SSL packets in JSON format: