hello: I have 5 gig trace file and i need to extract all the streams which has below server name on tls handshake. is there a tshark command to create a new tracefile with only those streams or is there any other way to accomplish?
tls.handshake.extensions_server_name == "outlook.office365.com".
thanks
In a bash-like shell you can do:
tshark -r <file> -w <new-file> -Y "tcp.stream in { $(tshark -r <file> -Y tls.handshake.extensions_server_name=="outlook.office365.com" -T fields -e tcp.stream | sort | uniq | xargs)"
Where tshark -r <file> -Y tls.handshake.extensions_server_name=="outlook.office365.com" -T fields -e tcp.stream lists all the tcp.stream numbers of the client hellos that contain the requested SNI.
Then ... | sort | uniq | xargs creates a list of unique tcp.stream numbers
Then "tcp.stream in { $(<command>) }" creates a display filter based on the output of the previous command.
And of course tshark -r <file> -w <new-file> - Y <filter> saves a new pcap file with the filtered data.
Asked: 2020-02-29 16:35:45 +0000
Seen: 333 times
Last updated: Mar 24 '20
"all the streams" does this mean individual TCP streams - all packets with the same
tcp.streamnumber?Could you make a pass through to collect those values based on the handshake string you showed then in a loop extract packets with the
tcp.streamnumber as a filter?@SYN-bit is the tshark master:
SF19EU 07 - Solving (SharkFest) packet challenges using tshark alone (Sake Blok)
https://www.youtube.com/watch?v=PaUX5...
@NetDetect shrinking large files
SF19US - 08 Taking a bite out of 100GB files (Betty DuBois)
https://www.youtube.com/watch?v=olhr1...
I meant all the packets with tcp.stream, which has server name =="outlook.office365.com". when i displayed with that filter there are 40 packets came up with client hello. basically i need to export all the packets comes in client hello conversation filters for all the 40 client hello. hoepfully thats clear now thanks