Exporting PDUs fails on a different port
I'm trying to dump decrypted PDUs from an RDP session running on a non standard port. I can decrypted the packets successfully. I need to post process the decrypted PCAP by export the PDUs to a new file using tshark, this is supported and I can get it working on the sample PCAP but not when it is running on a different port.
I think I'm missing an argument to tshark.
If I run the following command, tshark will dump decrypted packets for me.
tshark.exe -r encrypted.pcap -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:10.0.1.1,3390,tptk,x509.pem" -o tpkt.tcp.port:3390
If I run
tshark.exe -r encrypted.pcap -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:10.0.1.1,3390,tptk,x509.pem" -o tpkt.tcp.port:3390 -U "OSI layer 7" -w decrypted.pcap
I think I should have those PDUs dumped to a new file. But I don't, the PCAP is empty. Now if I try basically the same command on the Wireshark sample data it works correctly. The file out.pcap is filled with my decrypted packets. Here is the command that works on the sample PCAP.
tshark.exe -r rdp-ssl.pcap -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:10.0.2.15,3389,tpkt,rdp-ssl.pcap.gz.cert.pem" -U "OSI layer 7" -w out.pcap
The command lines are near identical. I'm assuming i'm incorrectly setting the RDP port number. What's confusing is that without the OSI layer 7 export I can see if decrypted correctly on screen. I've used -o tpkt.tcp.port and -o rdp.tcp.port without success. Does anyone have any ideas?
Interestingly if I open the same pcap in Wireshark and use File->export PDUs it does work correctly. I really need to use tshark.
Update: Sample PCAP
I've uploaded a sample here: https://github.com/robeving/SampleRDP.... PCAP and key are safe for sharing.
I've tested and PDUs are exported with Wireshark correctly using the supplied key. I think the following command should work with tshark but doesn't.
tshark.exe -r .\sample.pcapng -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:92.82.236.10,3390,tptk,test.key" -o tpkt.tcp.port:3390 -U "OSI layer 7" -w out.pcapng
I can however see successful decryption with:
tshark.exe -r sample.pcapng -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:92.82.236.10,3390,tptk,test.key" -o tpkt.tcp.port:3390
tshark version?
Does adding a "Decode As..." argument help, e.g.
-d tcp.port==3390.tpkt?tshark version 3.2.2 I have also confirmed with 2.6.10 and a few in-between.
Adding '-d tcp.port==3390,tpkt' does not help
The middle example has an extra
"before the-U.I ran the sample file from the wiki through TraceWrangler changing port 3389 to port 3390. The
tsharkextract worked fine.That extra " was a typo. Can you share how you used tracewrangler to change the port.
Worth saying i'm happy to share the PCAP and key privately
TraceWrangler TCP Ports
I cleared the check boxes on the Payload action and changed all the other actions to Passthrough.
In Layer 4 (TCP), do Replace TCP ports by list
I'll need to talk to Alice and Bob before looking at the files. :-)
Interesting. My PCAP fails to decrypt after running it through TraceWrangler. The packet with the ClientHello is broken up and not parsed correctly.
Were you changing the port from 3390 to 3389?
Yes, just changing the port number
I've uploaded a sample here: https://github.com/robeving/SampleRDP.... PCAP and key are safe for sharing.
I've tested and PDUs are exported with Wireshark correctly using the supplied key. I think the following command should work with tshark but doesn't.
I can however see successful decryption with:
Typo in the keys option:
tptk->tpktYep your right that was a type. Correcting it makes things worse! The pcap isn't even decrypted.x