This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark parameter for filtering by given ip and decode it using ssl

0

Which parameters I have to provide to tshark to filter IP packets from a specific IP address (in wireshark I use ip.src == xxx.yyy.zzz.nnn) and which parameters I need to provide to decode these packets using ssl, to do it in wireshark I use the "decode as" and in "Transport tab" I set SSL. The packages, although encoded using ssl, not come from a https connection.

How can I write the content of all decoded and filtered packets to a file or to stdout ?

Update: I have tried tshark n -o ssl.keylog_file:/tmp/master.txt -Y ip.src==xxx.yyy.nnn.mmm -d tcp.port==0-999999,ssl I see this Capturing on 'eth0'

6540 56.156992382 xxx.yyy.nnn.mmm -> 192.168.1.2 TCP 74 7072 → 49188 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1380 WS=256 SACK_PERM=1 TSval=603635523 TSecr=10839353
6546 56.291147285 xxx.yyy.nnn.mmm -> 192.168.1.2 TCP 1434 [TCP segment of a reassembled PDU]
6548 56.293045394 xxx.yyy.nnn.mmm -> 192.168.1.2 TCP 1434 [TCP segment of a reassembled PDU]
6550 56.294313103 xxx.yyy.nnn.mmm -> 192.168.1.2 TLSv1 1300 Server Hello, Certificate, Server Hello Done
6560 56.343469786 xxx.yyy.nnn.mmm -> 192.168.1.2 TLSv1 125 Change Cipher Spec, Encrypted Handshake Message
6575 56.785954188 xxx.yyy.nnn.mmm -> 192.168.1.2 TLSv1 231 Application Data

How can I dump the packet content as "Follow stream" in wireshark already does ?

This question is marked "community wiki".

asked 31 Dec '15, 04:44

famedoro's gravatar image

famedoro
11236
accept rate: 0%

edited 13 Jan '16, 06:40

grahamb's gravatar image

grahamb ♦
19.8k330206

You should really create a different question for your new problem, as other readers now won't be able to follow your original question and my answers to those questions. In addition, if my answer has solved your original issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer.

This is a Q&A site, not a forum, please see the FAQ for more info.

(13 Jan '16, 06:43) grahamb ♦

@grahamb I'm sorry, I have posted a new question on https://ask.wireshark.org/questions/49141/how-to-show-ssl-decrypted-packet-content

(13 Jan '16, 06:47) famedoro

One Answer:

1

The answers to your multiple questions are (hopefully) shown below:

  1. The filter "ip.src == ..." is a display filter, so you should use the -Y display filter option, e.g. -Y ip.src == 1.2.3.4
  2. To set a decode as setting, use the -d option, e.g. -d tcp.port==8888,ssl to decode tcp traffic on port 8888 as ssl.
  3. To write the output to a file, redirect the output of the command to the required file, e.g. tshark -Y ... -d ... > myfile.txt

You may need to quote some arguments depending on the shell you're using.

answered 31 Dec '15, 09:00

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Thanks for your response, using -d tcp.port==8888,ssl I decode only traffic on port 8888 as ssl, but I need to decode all the traffic from a specific ip .

(02 Jan '16, 04:26) famedoro

I'm not aware of any method using tshark or Wireshark to decode all traffic from a particular IP as another protocol. You can use a port range in the tcp.port selector, e.g. -d tcp.port==8888:3,ssl to select the 3 ports 8888, 8889, 8890, or -d tcp.port==8888-8890,ssl to specify the extents of the port range.

You can also list all the selectors available using -d .

(02 Jan '16, 08:30) grahamb ♦

Possibly that version's too old. I don't have that version to check the possible arguments for you. Check the possible arguments with tshark --help

(12 Jan '16, 11:29) grahamb ♦