Ask Your Question
0

Secure websocket with Tshark over live capture

asked 2019-06-29 06:30:49 +0000

iulian gravatar image

updated 2019-06-29 10:49:18 +0000

grahamb gravatar image

Hi,

So I've been able to decode a live capture WSS over HTTPS (of course) with Wireshark but it seems that TShark is not capable of doing so unless I am doing something wrong.

Here is how I am running it but the output is empty

C:\Program Files\Wireshark>tshark.exe -i 4 -o tls.keylog_file:C:\Users\iulian\Desktop\ssl.txt -o tls.desegment_ssl_records:TRUE -o tls.desegment_ssl_application_data:TRUE -d tcp.port==443,tls -Y websocket

Best,

-iulian

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-07-01 09:29:43 +0000

SYN-bit gravatar image

Do you use a non-default profile in Wireshark, if so, you might need to add -C <profile-name> to your tshark command to have it behave the same as Wireshark.

Without specifying a profile I would add -o tcp.desegment_tcp_streams:TRUE to your command to make sure TCP allows reassembly by the TLS dissector.

Does either of these suggestions make WSS decryption work for you with tshark?

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-06-29 06:30:49 +0000

Seen: 142 times

Last updated: Jul 01