This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to extract Hex data from SSL

0

Hello, i want to extract the hex data from this SSL but when i type tshark -Vnr -r pcap -R (filter) > textfile i only get the details of the pcap without the hex part so i want to know if there is a way to extract the hex data with the details not the details only, i don't want to decrypt or anything i just want to extract it to a plain text, thanks.!

asked 30 Sep '13, 04:35

Ziad%20Kiwan's gravatar image

Ziad Kiwan
21338
accept rate: 0%

i want to extract the hex data from this SSL

do you mean the decrypted payload?

(30 Sep '13, 07:00) Kurt Knochner ♦

when you open the pcap file using wireshark you see the detailed information and the hex information i want to retrieve them "all" using tshark is there a way ?

(30 Sep '13, 07:02) Ziad Kiwan

So, you need the 'raw' TCP payload, regardless of SSL decryption?

(30 Sep '13, 07:08) Kurt Knochner ♦

exactly! i want the raw data

(30 Sep '13, 07:09) Ziad Kiwan

2 Answers:

0

Have you tried using the "-x" command line option?

In your case:

tshark -Vnxr pcap -R (filter) > textfile

answered 30 Sep '13, 13:42

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

sorry i'm not that good in wireshark and tshark what does vnxr do ?

(30 Sep '13, 13:51) Ziad Kiwan

I added the "-x" option to the options you already mentioned in your original question, as that option adds the output of the hex dump.

$ tshark -h | fgrep -e " -V" -e " -x" -e " -r" -e " -n"
  -r <infile>              set the filename to read from (no pipes or stdin!)
  -n                       disable all name resolutions (def: all enabled)
  -V                       add output of packet tree        (Packet Details)
  -x                       add output of hex and ASCII dump (Packet Bytes)
$
(30 Sep '13, 14:22) SYN-bit ♦♦

okay thanks for the information, that something good to learn!

(01 Oct '13, 04:53) Ziad Kiwan

0

exactly! i want the raw data

O.K. please check these similar questions:

see my (last) comment regarding disabling protocols to get the payload!

http://ask.wireshark.org/questions/12431/how-to-add-data-length-column-in-wireshark-display-or-plot-payload-length-vs-packet-no

also here

http://ask.wireshark.org/questions/23827/get-tcp-and-udp-payloads-with-tshark

and here

http://ask.wireshark.org/questions/16592/tcp-stream-output-in-pdml-format
http://ask.wireshark.org/questions/16268/how-do-i-extract-all-the-data-sections
http://ask.wireshark.org/questions/15374/dump-raw-packet-data-field-only

Regards
Kurt

answered 30 Sep '13, 07:16

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 30 Sep '13, 07:17

can i apply a a filter in this and it will keep working ? i saw this before and tried it and the data stayed the same

(30 Sep '13, 07:29) Ziad Kiwan

can i apply a a filter in this and it will keep working ?

what do you mean? Which filter?

(30 Sep '13, 07:55) Kurt Knochner ♦

its not working i'm not getting the ssl hex data out of the pcap using any of the methods you suggested, about the filter i use a filter to filter the pcap's and then i add them in a plain text

(30 Sep '13, 13:37) Ziad Kiwan