Ask Your Question

Exporting PDUs fails on a different port

asked 2020-03-27 17:59:17 +0000

acid2000 gravatar image

updated 2020-03-28 09:23:38 +0000

I'm trying to dump decrypted PDUs from an RDP session running on a non standard port. I can decrypted the packets successfully. I need to post process the decrypted PCAP by export the PDUs to a new file using tshark, this is supported and I can get it working on the sample PCAP but not when it is running on a different port.

I think I'm missing an argument to tshark.

If I run the following command, tshark will dump decrypted packets for me.

tshark.exe -r encrypted.pcap -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,3390,tptk,x509.pem" -o tpkt.tcp.port:3390

If I run

tshark.exe -r encrypted.pcap -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,3390,tptk,x509.pem" -o tpkt.tcp.port:3390 -U "OSI layer 7" -w decrypted.pcap

I think I should have those PDUs dumped to a new file. But I don't, the PCAP is empty. Now if I try basically the same command on the Wireshark sample data it works correctly. The file out.pcap is filled with my decrypted packets. Here is the command that works on the sample PCAP.

tshark.exe -r rdp-ssl.pcap -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,3389,tpkt,rdp-ssl.pcap.gz.cert.pem" -U "OSI layer 7" -w out.pcap

The command lines are near identical. I'm assuming i'm incorrectly setting the RDP port number. What's confusing is that without the OSI layer 7 export I can see if decrypted correctly on screen. I've used -o tpkt.tcp.port and -o rdp.tcp.port without success. Does anyone have any ideas?

Interestingly if I open the same pcap in Wireshark and use File->export PDUs it does work correctly. I really need to use tshark.

Update: Sample PCAP

I've uploaded a sample here: PCAP and key are safe for sharing.

I've tested and PDUs are exported with Wireshark correctly using the supplied key. I think the following command should work with tshark but doesn't.

tshark.exe -r .\sample.pcapng -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,3390,tptk,test.key" -o tpkt.tcp.port:3390 -U "OSI layer 7" -w out.pcapng

I can however see successful decryption with:

tshark.exe -r sample.pcapng -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,3390,tptk,test.key" -o tpkt.tcp.port:3390
edit retag flag offensive close merge delete


tshark version?

Does adding a "Decode As..." argument help, e.g. -d tcp.port==3390.tpkt?

grahamb gravatar imagegrahamb ( 2020-03-27 19:02:28 +0000 )edit

tshark version 3.2.2 I have also confirmed with 2.6.10 and a few in-between.

acid2000 gravatar imageacid2000 ( 2020-03-27 19:08:08 +0000 )edit

Adding '-d tcp.port==3390,tpkt' does not help

acid2000 gravatar imageacid2000 ( 2020-03-27 19:08:33 +0000 )edit

The middle example has an extra " before the -U.
I ran the sample file from the wiki through TraceWrangler changing port 3389 to port 3390. The tshark extract worked fine.

Chuckc gravatar imageChuckc ( 2020-03-27 22:47:40 +0000 )edit

That extra " was a typo. Can you share how you used tracewrangler to change the port.

acid2000 gravatar imageacid2000 ( 2020-03-27 23:36:34 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted

answered 2020-03-30 09:01:44 +0000

acid2000 gravatar image
tshark.exe -r sample.pcapng -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,3390,,test.key" -U "OSI layer 7" -w out.pcapng
edit flag offensive delete link more


worth mentioning that this is broken on most version of tshark you'll encounter. I needed to use the latest build.

acid2000 gravatar imageacid2000 ( 2020-03-30 09:58:00 +0000 )edit

Even more annoying. Decrypting works on a Windows box but fails on a Linux box. Same version. There are some deep problems with this functionality.

acid2000 gravatar imageacid2000 ( 2020-03-30 10:42:08 +0000 )edit

I think tshark is picking up the configuration file for Wireshark where the correct parameters are set. Moving the configuration to Linux does not help

acid2000 gravatar imageacid2000 ( 2020-03-30 13:28:06 +0000 )edit

answered 2020-03-28 19:11:04 +0000

grahamb gravatar image

updated 2020-03-28 19:11:18 +0000

There are a number of observations for this question, look at the answer from @Lekensteyn here.

edit flag offensive delete link more


The problem here isn't decrypting packets. The problem is PDU export using tshark.

acid2000 gravatar imageacid2000 ( 2020-03-28 19:23:12 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-03-27 17:59:17 +0000

Seen: 400 times

Last updated: Mar 30 '20