tshark and CyberChef

(Since this is a homework assignment this is not a complete solution but should get you there.)
You already know the field you need. For future reference, a list of vnc fields is available on the Display Filter Reference, output of tshark -G fields or inside Wireshark - View->Internals->Supported Protocols.

tshark -r "capture filename" -T fields -e "the field you want" will print the key values.

But it will also print an empty line for every frame/packet that does not contain the field.
The tshark man page shows that a display filter can be added to the end of the command [ <filter> ].

tshark -r "capture filename" -T fields -e "the field you want" "the field you want"
will only print the key values for packets that contain the field.

It looks like vnc sends two packets for each key press. To trim the output, enhance the display filter by adding another field that indicates either the key being pressed or the key being released.

tshark -r "filename" -T fields -e "the field you want" '"the field you want" && "some other field"'
It helps to put ticks ' or quotes " around the display filter when it contains spaces.

The output will be a list of hex numbers. The tshark man page section -G [ <report type> ] (specifically Header Fields) shows the attributes for each field:

Field 6 base for display (for integer types); "parent bitfield width" for FT_BOOLEAN

~$ tshark -G fields | grep "the field you want"

F   Key  "fieldname"   FT_UINT32    vnc  BASE_HEX   0x0     "field description"

Reading hex for ASCII digits is pretty easy - 0x30-0x39 are the digits 0-9. Adding in the alphabet and other keys gets a bit more complicated. It's easier to just copy the hex information to CyberChef and let it do the translation.

(For those who want to play along with the home game, a VNC sample capture is available in the wiki SampleCaptures or on the wiki page for vnc.)
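The translation step, as an added example that is not part of the original answer: a small Python script that takes the hex keysym list tshark prints and turns it into the typed text. The input below is a constructed stand-in for tshark's -T fields output, with a second tab-separated column standing in for the key-down/key-up field; the answer leaves the actual field names to the reader and they are not filled in here. Unlike a plain hex-to-ASCII conversion, the decoder handles what the answer warns about: X11 keysyms for printable keys equal their ASCII codes, but modifier and control keys sit in the 0xff00 range, so Shift presses are dropped, BackSpace erases the previous character and Return becomes a newline. Decoding with and without the key-down filter also shows why the two packets per key press have to be trimmed.

```python
"""Turn the keysyms that tshark prints for VNC key events into typed text.

Added example, not part of the original answer. TSHARK_OUTPUT below is a
constructed stand-in for what
  tshark -r capture.pcap -T fields -e <key field> -e <key down field>
would print: one line per key-event frame, the keysym as BASE_HEX and,
in a second tab-separated column, the key-down flag. The field names are
left to the reader in the original answer and are not assumed here.
"""

# VNC KeyEvent messages carry X11 keysyms. For printable keys (0x20-0x7e)
# the keysym equals the ASCII code, which is why a plain hex-to-ASCII
# conversion in CyberChef works for letters, digits and punctuation.
# Non-printing keys live in the 0xff00 range and need special handling.
MODIFIER_KEYSYMS = {
    0xffe1: "Shift_L", 0xffe2: "Shift_R",
    0xffe3: "Control_L", 0xffe4: "Control_R",
    0xffe9: "Alt_L", 0xffea: "Alt_R",
    0xffe5: "Caps_Lock",
}
SPECIAL_KEYSYMS = {
    0xff08: "BackSpace", 0xff09: "Tab", 0xff0d: "Return",
    0xff1b: "Escape", 0xff51: "Left", 0xff53: "Right",
}

# Constructed sample: Shift+H, "unter", a mistyped "3", BackSpace, "2", Return.
# Every key press shows up twice (down, then up), as in a real capture.
TSHARK_OUTPUT = """\
0x0000ffe1\tTrue
0x00000048\tTrue
0x00000048\tFalse
0x0000ffe1\tFalse
0x00000075\tTrue
0x00000075\tFalse
0x0000006e\tTrue
0x0000006e\tFalse
0x00000074\tTrue
0x00000074\tFalse
0x00000065\tTrue
0x00000065\tFalse
0x00000072\tTrue
0x00000072\tFalse
0x00000033\tTrue
0x00000033\tFalse
0x0000ff08\tTrue
0x0000ff08\tFalse
0x00000032\tTrue
0x00000032\tFalse
0x0000ff0d\tTrue
0x0000ff0d\tFalse
"""


def parse_tshark_fields(text):
    """Parse -T fields output into a list of (keysym, is_key_down) tuples.

    Blank lines (frames without the field, printed when no display filter is
    given) are skipped. The hex value may carry a 0x prefix or not. If no
    second column is present every event is treated as a key-down.
    Booleans are accepted as True/False or 1/0, which covers both older and
    newer tshark releases.
    """
    events = []
    for line in text.splitlines():
        cols = line.split("\t")
        value = cols[0].strip()
        if not value:
            continue
        keysym = int(value, 16)
        down = True
        if len(cols) > 1 and cols[1].strip():
            down = cols[1].strip().lower() in ("1", "true")
        events.append((keysym, down))
    return events


def decode_keystrokes(events, downs_only=True):
    """Reconstruct the typed text from key events.

    With downs_only=True only key-down events are decoded, which is what the
    extra display-filter term in the answer achieves on the tshark side.
    """
    out = []
    for keysym, down in events:
        if downs_only and not down:
            continue
        if keysym in MODIFIER_KEYSYMS:
            # The client already sends the shifted keysym (0x48 for 'H'),
            # so the Shift press itself adds nothing to the text.
            continue
        if 0x20 <= keysym <= 0x7e:
            out.append(chr(keysym))
        elif keysym == 0xff08:          # BackSpace erases the last character
            if out:
                out.pop()
        elif keysym == 0xff0d:          # Return
            out.append("\n")
        elif keysym in SPECIAL_KEYSYMS:
            out.append("<%s>" % SPECIAL_KEYSYMS[keysym])
        else:                           # anything else: keep the raw keysym
            out.append("<0x%04x>" % keysym)
    return "".join(out)


if __name__ == "__main__":
    events = parse_tshark_fields(TSHARK_OUTPUT)
    print("key-down only:", repr(decode_keystrokes(events)))
    print("unfiltered:   ", repr(decode_keystrokes(events, downs_only=False)))
```

Run against real output, pipe tshark into the script instead of using the constructed sample: the parser accepts exactly the one- or two-column text that -T fields produces, and the unfiltered decode makes the doubled characters and doubled BackSpace visible, which is the effect the answer's second display-filter term removes.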