1 | initial version |
Maybe a pre-processing step with tshark
then store them as Display Filter Macros.
    p$ TARGET="crypt"
    p$ tshark -r ./rsa_decrypt.pcapng -T pdml | grep "field name" | cut -f 2 -d '"' | grep $TARGET | sort | uniq | awk '{print'} ORS=' or '
    x509af.encrypted or p$
    p$ TARGET="connection"
    p$ tshark -r ./rsa_decrypt.pcapng -T pdml | grep "field name" | cut -f 2 -d '"' | grep $TARGET | sort | uniq | awk '{print'} ORS=' or '
    tcp.connection.syn or tcp.connection.synack or p$
2 | No.2 Revision |
Maybe a pre-processing step with tshark
then store them as Display Filter Macros.
You could also open an Enhancement Request on the Wireshark Gitlab Issues page.
    p$ TARGET="crypt"
    p$ tshark -r ./rsa_decrypt.pcapng -T pdml | grep "field name" | cut -f 2 -d '"' | grep $TARGET | sort | uniq | awk '{print'} ORS=' or '
    x509af.encrypted or p$
    p$ TARGET="connection"
    p$ tshark -r ./rsa_decrypt.pcapng -T pdml | grep "field name" | cut -f 2 -d '"' | grep $TARGET | sort | uniq | awk '{print'} ORS=' or '
    tcp.connection.syn or tcp.connection.synack or p$
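
A variant of the pipeline above that leaves no trailing ` or `, so the output can be used as a display filter as printed. This is an added example, not part of the original answer; the function name `pdml_fields_to_filter` and the PDML sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a display filter from the field names in PDML output.

# pdml_fields_to_filter TARGET
# Reads PDML on stdin and prints the unique field names containing TARGET,
# joined with " or " and with no trailing separator.
pdml_fields_to_filter() {
    target=$1
    # tshark writes one <field name="..."> element per line in PDML.
    sed -n 's/.*<field name="\([^"]*\)".*/\1/p' |
        { grep -F -- "$target" || true; } |   # fixed string: "." is not a wildcard
        sort -u |
        awk 'NR > 1 { printf " or " } { printf "%s", $0 } END { if (NR) print "" }'
}

# Constructed PDML fragment (not from a real capture), trimmed to the
# attributes the function reads.
sample_pdml() {
    cat <<'EOF'
<packet>
  <proto name="tcp" showname="Transmission Control Protocol">
    <field name="tcp.flags.syn" showname="Syn: Set" value="1">
      <field name="_ws.expert" showname="Expert Info">
        <field name="tcp.connection.syn" showname="Connection establish request (SYN)"/>
      </field>
    </field>
    <field name="" show="Timestamps"/>
  </proto>
</packet>
<packet>
  <proto name="tcp" showname="Transmission Control Protocol">
    <field name="tcp.connection.synack" showname="Connection establish acknowledge (SYN+ACK)"/>
    <field name="tcp.connection.syn" showname="Connection establish request (SYN)"/>
  </proto>
</packet>
EOF
}

# Against a capture: tshark -r ./rsa_decrypt.pcapng -T pdml | pdml_fields_to_filter crypt
sample_pdml | pdml_fields_to_filter connection
```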