This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decode SSL Decimal fields in tshark output

0

Hi All, I am trying to list all supported ciphersuites during the SSL client hello by running the capture thru tshark. The query is fine, but the values are converted to decimal. Is there a way tshark can convert them to ascii so that I can see the TLS versions and ciphersuite names instead? Here is my command:

tshark -r SSLCapture.cap -V -2R ssl.handshake.type==1 -T fields -e ssl.handshake.version -e ssl.handshake.ciphersuite

Output:

769 47,53,5,10,49171,49172,49161,49162,50,56,19,4

769 = 0x0301 which is TLS 1.0 so can I display TLSv1 in tshark?

5 = 0x0005 which is TLS_RSA_WITH_RC4_128_SHA, and so forth.....

Thanks in advance for your help!

asked 01 Nov '14, 20:57

StriclyFlava
accept rate: 0%


One Answer:

0

You can use tshark in the following way:

tshark -nr ssl_example.pcap -Y "ssl.handshake.ciphersuites" -Vx > ssl.output.txt

Sample output:

Secure Sockets Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)
            Random
                GMT Unix Time: Jun 28, 2097 09:17:21.000000000 W. Europe Daylight Time
                Random Bytes: 577f9fb99f0e042633046e9b969fd957b903edb4bbb77449...
            Session ID Length: 32
            Session ID: 888489fa25a177efb30c21cc89b6e447ae680357a0b762b6...
            Cipher Suites Length: 32
            Cipher Suites (16 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

Then use a script (perl/python/whatever) to extract the information you need, like:

   Version: TLS 1.0 (0x0301)

or

   Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
   Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
   Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

Regards
Kurt

answered 02 Nov '14, 04:31

Kurt Knochner ♦
accept rate: 15%
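
The post-processing step suggested in the answer, as an added Python example (not code from the original answer): it parses `tshark -V` text into one entry per Client Hello and then uses the names it found to label the decimals of a `-T fields` line like the one in the question. The names `parse_client_hellos`, `decode_fields` and `SAMPLE` are made up here, and the parser assumes the text layout shown in the sample output above.

```python
import re

# Constructed sample, shaped like the `tshark -V` excerpt in the answer above.
SAMPLE = """\
Secure Sockets Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Version: TLS 1.0 (0x0301)
        Handshake Protocol: Client Hello
            Version: TLS 1.2 (0x0303)
            Cipher Suites (3 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
"""

VERSION = re.compile(r"^Version: (.+) \(0x([0-9a-fA-F]{4})\)$")
SUITE = re.compile(r"^Cipher Suite: (\S+) \(0x([0-9a-fA-F]{4})\)$")

def parse_client_hellos(text):
    """Return one dict per Client Hello record found in `tshark -V` text."""
    hellos, cur, in_hello = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if "Record Layer:" in line:
            # New record: track it only if it is a Client Hello.
            cur, in_hello = None, False
            if line.endswith("Handshake Protocol: Client Hello"):
                cur = {"record": None, "hello": None, "suites": []}
                hellos.append(cur)
        elif cur is None:
            continue  # inside some other record (e.g. a Server Hello)
        elif line == "Handshake Protocol: Client Hello":
            in_hello = True
        elif m := VERSION.match(line):
            # Record-layer version first, then the version the client offers.
            key = "hello" if in_hello else "record"
            if cur[key] is None:
                cur[key] = (m.group(1), int(m.group(2), 16))
        elif m := SUITE.match(line):
            cur["suites"].append((m.group(1), int(m.group(2), 16)))
    return hellos

def decode_fields(line, hellos):
    """Name the decimals of one `-T fields` line, using names seen in `hellos`."""
    vers = {v[1]: v[0] for h in hellos for v in (h["record"], h["hello"]) if v}
    suites = {code: name for h in hellos for name, code in h["suites"]}
    version, codes = line.split()
    name = lambda table, c: table.get(int(c), f"0x{int(c):04x}")  # hex if unseen
    return name(vers, version), [name(suites, c) for c in codes.split(",")]
```

Codes that never appear in the verbose output are returned as hex rather than guessed, so they can be looked up separately.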