This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

centos tshark -o ssl.keylog_file unknown preference

0

I'm on CentOS 6.4 and followed the instructions at http://unix.stackexchange.com/a/192567 in order to get Wireshark 1.12.4 running. The installation seems to be successful and tshark -v shows version 1.12.4.

When I run the command

tshark -r mypcap.pcapng -o "ssl.keylog_file:keylog.txt" -qz follow,ssl,ascii,1 > "ssl.stream.1.txt"

I get the error

tshark -o "ssl.keylog_file:keylog.txt" unknown preference

Did I miss something? Why is the preference unknown?

asked 21 May '15, 04:18

divadpoc

Show us all of the tshark -v output. Does it include support for SSL?

(21 May '15, 06:12) Jaap ♦

One Answer:

0

I think I figured it out, with the help from https://ask.wireshark.org/questions/10805/ssl-decode

I added the following dependencies:

yum install -y gnutls gnutls-devel openssl openssl-devel crypto-utils

and had to call configure with "--with-ssl"

./configure --with-gtk2 --with-ssl

If I got something wrong please correct me, but for now it's working

answered 21 May '15, 06:18

divadpoc

Yeah, that should do it. Except that you don't (AFAIK) need openssl/openssl-devel/--with-ssl. gnutls is sufficient.

(21 May '15, 07:41) JeffMorriss ♦
1

So your initial build was without SSL support, therefore that instance of tshark did not understand the preference ssl.keylog_file. This is because the code that registers that preference does not get built when the required conditions are not met, i.e. the build is not configured for the required libraries.

(21 May '15, 07:46) Jaap ♦

Thanks for the info. @JeffMorriss I'll try without openssl at some point. @Jaap, I didn't know I had to tell him explicitly that I want --with-ssl

(28 May '15, 00:05) divadpoc
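
Added example, not part of the original thread: a preflight check that reads the `tshark -v` banner and reports whether the build includes GnuTLS, which is the condition the comments above tie to the ssl.keylog_file preference. It assumes the banner lists optional libraries as "with GnuTLS <version>" or "without GnuTLS"; the function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a `tshark -v` banner for GnuTLS support before
# relying on -o "ssl.keylog_file:...". Function names are hypothetical.
# Assumption: the banner says "with GnuTLS <ver>" or "without GnuTLS".

# has_feature NAME   (reads banner text on stdin)
# returns 0 = compiled in, 1 = explicitly "without", 2 = not mentioned
has_feature() {
    # The banner is wrapped at the terminal width, so join lines first;
    # otherwise "without" and "GnuTLS" can land on different lines.
    banner=$(tr '\n' ' ' | tr -s ' ')
    case "$banner" in
        *"without $1"*) return 1 ;;
        *"with $1"*)    return 0 ;;
        *)              return 2 ;;
    esac
}

# ssl_decrypt_ready   (reads banner text on stdin)
# prints a verdict; returns 0 only when GnuTLS is compiled in
ssl_decrypt_ready() {
    if has_feature GnuTLS; then
        echo "ok: GnuTLS compiled in; ssl.keylog_file should be accepted"
        return 0
    fi
    echo "fail: GnuTLS not compiled in; expect 'unknown preference' for ssl.keylog_file"
    return 1
}

# Constructed, abbreviated sample banners (not captured from a real host).
BANNER_NO_TLS='TShark 1.12.4
Compiled (64-bit) with GLib 2.28.8, with libpcap, with libz 1.2.3, without
GnuTLS, without Gcrypt, without MIT Kerberos.'
BANNER_TLS='TShark 1.12.4
Compiled (64-bit) with GLib 2.28.8, with libpcap, with libz 1.2.3, with
GnuTLS 2.8.5, with Gcrypt 1.4.5, with MIT Kerberos.'

# Demonstration on the samples. On a real host, feed the live banner:
#   tshark -v 2>&1 | ssl_decrypt_ready
for b in "$BANNER_NO_TLS" "$BANNER_TLS"; do
    printf '%s\n' "$b" | ssl_decrypt_ready || true
done
```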