Hi, I need to decode an ssl stream from a pcap file and save the decoded stream to a new pcap file. I use http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=snakeoil2_070531.tgz cap and key from http://wiki.wireshark.org/SSL for test. So with command:
tshark -n -d tcp.port==443,http -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 127.0.0.1,443,http,/snakeoil2_070531/rsasnakeoil2.key" -r /snakeoil2_070531/rsasnakeoil2.cap
tshark print on screen the testual version of decoded packets in right way. Now I need to save the real packets (not text) decoded (ssl->http) to a new file.
Using -w option tshark saves the same packet dunp that it reads (rsasnakeoil2.cap) to another file (test.pcap). The two files are equal.
tshark -n -d tcp.port==443,http -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 127.0.0.1,443,http,/snakeoil2_070531/rsasnakeoil2.key" -r /snakeoil2_070531/rsasnakeoil2.cap -w test.cap.
I can't understand why tshark can't save the decoded ssl traffic to another file. Help Me.
Detail of my wireshark version: wireshark 1.4.4
Copyright 1998-2011 Gerald Combs firstname.lastname@example.org and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GTK+ 2.22.1, with GLib 2.26.1, with libpcap 1.1.1, without libz, with POSIX capabilities (Linux), without libpcre, without SMI, without c-ares, without ADNS, without Lua, without Python, with GnuTLS 2.10.4, with Gcrypt 1.4.6, with Heimdal Kerberos, without GeoIP, without PortAudio, without AirPcap.
Running on Linux 2.6.37-ARCH, with libpcap version 1.1.1, GnuTLS 2.10.5, Gcrypt 1.4.6.
Built using gcc 4.5.2 20110127 (prerelease).
asked 03 Apr '11, 14:28
Wireshark and tshark can't save decrypted data back into a new pcap file.
The best thing you can do is add -V (full decodes) to your tshark command and redirect the output to a text file and supply that with the pcap file.
Please also have a look at feature request 3444, in which the same question was asked.
answered 03 Apr '11, 14:36