TLS Handshake Ciphersuite: how to extract `showname` string using tshark?

SSL
Cipher

asked 2020-04-02 17:22:45 +0000

alohawireshark
7 ●4 ●4 ●7

I am trying to extract sensible information from the TLS header of a packet. Right now, I am using tshark and obtaining integer values, which for the example data below, would be 10. Is there a mapping between integers and cipher suites? for example:

int        cipher_suite
10         TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
...        ...
k          XYZ

Data:

 <field name="tls.handshake.ciphersuite" showname="Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)" size="2" pos="164" show="10" value="000a"/>

edit retag flag offensive close merge delete

Comments

How are you using tshark, please show the version and your command line arguments?

grahamb ( 2020-04-03 14:30:39 +0000 )edit

add a comment

1 Answer

Sort by » oldest newest most voted

answered 2020-04-03 18:40:50 +0000

cmaynard

11115 ●11 ●317 ●165 https://www.igt.com/

Is there a mapping between integers and cipher suites?

The answer to this question is "Yes". See https://www.iana.org/assignments/tls-...

You can also have a look at the value_string arrays and tables in the packet-tls-utils.c file to see how Wireshark and tshark perform these lookups.

edit flag offensive delete link

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-04-02 17:22:45 +0000

Seen: 654 times

Last updated: Apr 03 '20

TLS Handshake Ciphersuite: how to extract `showname` string using tshark? edit