TShark - Get entire decrypted TLS output

asked 2022-05-18 02:27:27 +0000

am17an

Hi,

I'm using tshark with the tls.keylog_file option to decrypt my WebSocket TLS stream. After I run it through tshark, I get a layer 'DATA-TEXT-LINES' which contains the decrypted data. However, this data seems truncated, as I can see in the Wireshark GUI, which has the full decrypted data. I searched through the forums, where someone suggested changing ITEM_LABEL_LENGTH in epan/proto.h. So I did that and rebuilt from source; however, that also doesn't seem to help.

Any help would be appreciated. I'm using version 3.6.5.


Comments

Are you using the same profile with tshark as with Wireshark? See -C on the tshark man page.

Do you have a specific example: "It's x bytes/characters long in the gui but only z long with tshark."

Text lines that are truncated should be marked as being [truncated].

Line-based text data (6 lines)
    dolore eu feugiat nulla facilisis (snip)
    consectetuer adipiscing elit, sed diam (snip)
     [truncated]Ut wisi enim ad minim veniam, (snip)
     [truncated]Nam liber tempor cum soluta (snip)
    Duis autem vel eum iriure dolor in (snip)
    At vero eos et accusam et justo duo (snip)
Chuckc ( 2022-05-18 13:39:55 +0000 )
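
As an added example, not part of the original thread or of Wireshark itself: a small Python parser that reports which frames in tshark's verbose text output (for instance from `tshark -r capture.pcapng -o tls.keylog_file:keys.log -V`, where both file names are placeholders) contain text lines carrying the [truncated] marker described in the comment above. The sample dissection is constructed, and the "Frame N:" header layout is an assumption about the -V output.

```python
import re

FRAME_RE = re.compile(r"^Frame (\d+):")              # assumed -V frame header
SECTION_RE = re.compile(r"^Line-based text data\b")  # layer name from the thread
MARKER = "[truncated]"

# Constructed sample dissection; not taken from a real capture.
SAMPLE = """\
Frame 7: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits)
WebSocket
    [truncated]constructed line outside the text section, must be ignored
Line-based text data (3 lines)
    Duis autem vel eum iriure dolor in
     [truncated]Ut wisi enim ad minim veniam,
     [truncated]Nam liber tempor cum soluta
Frame 8: 120 bytes on wire (960 bits), 120 bytes captured (960 bits)
Line-based text data (1 lines)
    At vero eos et accusam et justo duo
"""

def find_truncated(dissection):
    """Map frame number -> list of text lines marked [truncated]."""
    hits = {}
    frame = None
    in_section = False
    for raw in dissection.splitlines():
        m = FRAME_RE.match(raw)
        if m:                                # a new frame starts
            frame, in_section = int(m.group(1)), False
            continue
        if SECTION_RE.match(raw):            # entering the decrypted text layer
            in_section = True
            continue
        if not in_section:
            continue
        if not raw.startswith((" ", "\t")):  # unindented line: next layer
            in_section = False
            continue
        text = raw.strip()
        if text.startswith(MARKER):
            hits.setdefault(frame, []).append(text[len(MARKER):])
    return hits

if __name__ == "__main__":
    for frame, lines in find_truncated(SAMPLE).items():
        print(f"frame {frame}: {len(lines)} truncated line(s)")
        for line in lines:
            print(f"    {line}")
```

The frame numbers it reports are the ones to compare against the Wireshark GUI when giving the "x bytes in the GUI, z with tshark" example the comment asks for.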