tshark extract from 5 gig trace

asked 2020-02-29 16:35:45 +0000

quest4answer

Hello: I have a 5 gig trace file and I need to extract all the streams which have the below server name in the TLS handshake. Is there a tshark command to create a new trace file with only those streams, or is there any other way to accomplish this?

tls.handshake.extensions_server_name == "outlook.office365.com".

thanks


Comments

"all the streams" does this mean individual TCP streams - all packets with the same tcp.stream number?

Could you make a pass through to collect those values based on the handshake string you showed then in a loop extract packets with the tcp.stream number as a filter?

Chuckc (2020-02-29 17:46:19 +0000)

@SYN-bit is the tshark master:
SF19EU 07 - Solving (SharkFest) packet challenges using tshark alone (Sake Blok)
https://www.youtube.com/watch?v=PaUX5...

@NetDetect shrinking large files
SF19US - 08 Taking a bite out of 100GB files (Betty DuBois)
https://www.youtube.com/watch?v=olhr1...

Chuckc (2020-02-29 18:32:06 +0000)

I meant all the packets with the tcp.stream which has server name == "outlook.office365.com". When I displayed with that filter, 40 packets came up with client hello. Basically I need to export all the packets that come in the client hello conversation filters for all the 40 client hellos. Hopefully that's clear now, thanks.

quest4answer (2020-02-29 23:55:27 +0000)

1 Answer


answered 2020-03-24 08:00:31 +0000

SYN-bit

In a bash-like shell you can do:

tshark -r <file> -w <new-file> -Y "tcp.stream in { $(tshark -r <file> -Y 'tls.handshake.extensions_server_name == "outlook.office365.com"' -T fields -e tcp.stream | sort | uniq | xargs) }"

Where tshark -r <file> -Y tls.handshake.extensions_server_name=="outlook.office365.com" -T fields -e tcp.stream lists all the tcp.stream numbers of the client hellos that contain the requested SNI.

Then ... | sort | uniq | xargs creates a list of unique tcp.stream numbers

Then "tcp.stream in { $(<command>) }" creates a display filter based on the output of the previous command.

And of course tshark -r <file> -w <new-file> -Y <filter> saves a new pcap file with the filtered data.

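The same two-pass approach as the answer above, written as an added example (not SYN-bit's code) in a small POSIX shell script. It splits the work into functions so the filter-building step can be exercised without a capture file, and it handles two things the one-liner leaves to the user: the stream list is de-duplicated numerically and joined with commas (Wireshark 4.0 and later no longer accept whitespace as the separator inside `{ }`), and when no ClientHello matches the SNI the script stops instead of passing tshark the empty set `tcp.stream in { }`, which is a filter syntax error. The function and parameter names, and the sample stream numbers in the usage note, are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original answer: extract every TCP stream whose
# TLS ClientHello carries a given SNI into a new capture, using two tshark passes.

# Turn a newline-separated list of tcp.stream numbers (as printed by
# `tshark -T fields -e tcp.stream`, possibly with duplicates or blank lines)
# into a numerically sorted, de-duplicated, comma-separated list.
unique_streams() {
    grep -E '^[0-9]+$' | sort -n -u | tr '\n' ',' | sed 's/,$//'
}

# Compose the display filter for the second pass. Prints nothing and returns 1
# when no stream number came in, so the caller never runs tshark with the
# invalid filter "tcp.stream in { }".
build_stream_filter() {
    list=$(unique_streams)
    [ -n "$list" ] || return 1
    printf 'tcp.stream in {%s}\n' "$list"
}

# Full pipeline. Pass 1 lists the tcp.stream of every ClientHello with the
# wanted SNI; pass 2 writes only those streams to the output file.
# Usage: extract_sni_streams big.pcapng outlook.pcapng outlook.office365.com
extract_sni_streams() {
    in="$1"; out="$2"; sni="$3"
    filter=$(tshark -r "$in" \
        -Y "tls.handshake.extensions_server_name == \"$sni\"" \
        -T fields -e tcp.stream | build_stream_filter) || {
        echo "no TLS ClientHello with SNI $sni found in $in" >&2
        return 1
    }
    tshark -r "$in" -w "$out" -Y "$filter"
}
```

With constructed first-pass output such as `3`, `1`, `3`, `12`, `build_stream_filter` yields `tcp.stream in {1,3,12}`; feeding it nothing makes it return 1, which `extract_sni_streams` turns into an error message instead of a second tshark run.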
