This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL Decryption with tshark in PowerShell

0

Hi all

I'm trying to automate the decryption of a trace with PowerShell and tshark. I have something like this:

$SSLOptions=" -o ssl.desegment_ssl_records:TRUE -o ssl.desegment_ssl_application_data:TRUE -o ssl.keylog_file:C:\FilesToAnalyze\ssltest.sslkeys"

Thing is that, if I run the whole command: ./tshark -r c:\FilesToAnalyze\ssltest.cap -o ssl.desegment_ssl_records:TRUE -o ssl.desegment_ssl_application_data:TRUE -o ssl.keylog_file:C:\FilesToAnalyze\ssltest.sslkeys

works fine. But, if I run instead

./tshark -r c:\FilesToAnalyze\ssltest.cap $SSLOptions

Fails with the following error:

./tshark : tshark: "ssl.desegment_ssl_records:TRUE" was unexpected in this context. At line:1 char:1 + ./tshark -r "c:\FilesToAnalyze\ssltest.cap" $SSLOptions + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (tshark: "ssl.de...n this context.:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError

Any idea? I tested using double quotes, single quotes, changing the order of the arguments... I have other scripts where I'm passing variables as filters or options, but I don't know why it's not working specifically when I use the -o option.

Thanks in advance!!

Osito

asked 26 Sep '17, 08:38


osito
accept rate: 50%


One Answer:

1

This is more a PowerShell question than a Wireshark one, but here it goes. PowerShell apparently interprets that as passing a single argument containing the contents of that string rather than multiple arguments, one for each option.

A solution is to store each separate argument in an array element and use @SSLOptions instead of $SSLOptions. It works for me with PowerShell 2.0 on Windows 7 x64:

$file="some.pcap"
$SSLOptions=@(
"-ossl.desegment_ssl_records:TRUE",
"-ossl.desegment_ssl_application_data:TRUE",
"-ossl.keylog_file:C:\FilesToAnalyze\ssltest.sslkeys"
)

& tshark -r $file @SSLOptions

Also take advantage of the fact that tshark treats -o option:value the same as -ooption:value, which requires fewer array elements.

See also:

answered 26 Sep ‘17, 17:17


Lekensteyn
accept rate: 30%
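The following script is an added example written for this archive page; it is not part of Lekensteyn's answer or of the Wireshark project. It first shows, with a small stand-in function, why a string variable reaches a native command as one argument while a splatted array reaches it as one argument per element, and then runs tshark the way the answer describes, checking beforehand that the key log file exists and afterwards that tshark exited cleanly. The file paths and the extra display-filter options are assumptions made for the illustration.

```powershell
# Stand-in for a native command: reports how many arguments it received.
function Show-Args {
    "received $($args.Count) argument(s): " + ($args -join ' | ')
}

# What the question did: one string holding several options.
$asString = " -o ssl.desegment_ssl_records:TRUE -o ssl.keylog_file:C:\FilesToAnalyze\ssltest.sslkeys"
Show-Args $asString          # 1 argument: the whole string, leading space included

# What the answer does: one array element per argument, then splat with @.
$asArray = @(
    '-o', 'ssl.desegment_ssl_records:TRUE',
    '-o', 'ssl.keylog_file:C:\FilesToAnalyze\ssltest.sslkeys'
)
Show-Args @asArray           # 4 arguments, one per element

# The real invocation. Paths below are assumed for the example.
$capture = 'C:\FilesToAnalyze\ssltest.cap'
$keylog  = 'C:\FilesToAnalyze\ssltest.sslkeys'

# Fail early with a clear message instead of letting tshark silently
# decrypt nothing because the key log is missing.
if (-not (Test-Path -LiteralPath $keylog)) {
    throw "Key log file not found: $keylog"
}

# Using the -ooption:value form halves the number of array elements.
$sslOptions = @(
    "-ossl.desegment_ssl_records:TRUE",
    "-ossl.desegment_ssl_application_data:TRUE",
    "-ossl.keylog_file:$keylog"
)

# Further arguments can be kept in their own array and splatted alongside.
# Here: only show HTTP traffic and print the full request URI per packet.
$outputOptions = @('-Y', 'http', '-T', 'fields', '-e', 'http.request.full_uri')

& tshark -r $capture @sslOptions @outputOptions

# Native commands do not throw; inspect the exit code explicitly.
if ($LASTEXITCODE -ne 0) {
    throw "tshark exited with code $LASTEXITCODE"
}
```

Two points worth knowing when reusing this: `@array` splatting works for native executables as well as for PowerShell functions, so the same array can be passed to tshark, tcpdump-style tools, or a test function without change; and the `ssl.*` preference names used on this page are those of Wireshark 2.x, whereas from Wireshark 3.0 onwards the dissector and its preferences were renamed `tls.*` (for example `tls.keylog_file`), so on a current install the array elements need the new prefix.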

Hi Lekensteyn

Thanks very much for your answer, works like a charm now!! :) :)

Good to know that -o option is the same as -ooption, saves me a lot of work. And for the links, my PowerShell is still very basic and they are interesting.

Cheers, Osito

(27 Sep ‘17, 00:09) osito