
tshark SSH Packets Encrypted After Saving to File

asked 2022-08-23 19:11:28 +0000

haverland389

I am trying to collect SSH packets on a file transfer server so that I can tell who would be affected by a reduced cipher list. I am using dumpcap to gather certain packets...

H:\>"D:\Program Files\Wireshark\dumpcap.exe" -i Ethernet0 -f "port 22 && dst host" -w D:\SFTPCapture\serverA.pcapng -b files:3 -b duration:300 -n

... Then I am using tshark to further filter and save the packets that I need that tell me what ciphers the client is able to use...

H:\>"D:\Program Files\Wireshark\tshark.exe" -r "D:\SFTPCapture\serverA_00019_20220823122517.pcapng" -Y "(ssh.message_code == 20) && (ssh.direction == 0)" -w "D:\SFTPCapture\test.pcapng"

... When I omit -w <outfile>, I can see in Command Prompt the packets as I would expect. In addition, I can open "D:\SFTPCapture\serverA_00019_20220823122517.pcapng" in Wireshark, filter the packets, and save the desired packets as expected. The issue is that when saving the output from tshark using -w <outfile>, all of the packets say that they are encrypted. What is stranger still is that if I omit "(ssh.message_code == 20) && " from the filter, the packets are no longer encrypted, but I end up with more packets than I need.

How do I save the filtered packets to a pcapng file so that ssh message 20 is still human readable and I can tell what ciphers the clients are using?


1 Answer


answered 2022-08-23 20:35:00 +0000

Jaap

You'll need to store the packets with the SSH protocol exchange as well for the dissector to be able to make sense of this.

What you could do is filter out the first part of the TCP stream, say with tcp.seq < 1500



(ssh.protocol or (ssh.message_code == 20)) && (ssh.direction == 0)

Chuckc (2022-08-24 03:54:27 +0000)

@Chuckc That should do it as well, thanks for looking that up.

Jaap (2022-08-24 08:09:34 +0000)

Thank you. Both filters retained the data I need to collect. Unfortunately, they keep a lot more packets than I need and I need to collect packets for at least a week due to the frequency of how often some accounts log into the file transfer server. Is this about the only way to save out a pcapng and retain the data?

At this time, I am outputting the data in JSON format and then doing some additional manipulation to create and load objects in PowerShell. This is also retaining the data that I need, but seems more "hacky".

Current tshark command...

"D:\Program Files\Wireshark\tshark.exe" -r "D:\SFTPCapture\serverA_00038_20220823140023.pcapng" -Y "(ssh.message_code == 20) && (ssh.direction == 0)" -T json >> "D:\SFTPCapture\collection.json"
haverland389 (2022-08-24 13:40:02 +0000)

Yes, this is the only way to save a pcapng file and allow for human readable dissection when loaded again. If you are worried about file size, you should be able to spool these through gzip to get highly compressed versions of it, which can be directly read into Wireshark if needed.

Jaap (2022-08-24 14:43:02 +0000)

How much smaller could you make it if you only collect the fields needed in your later processing step?
-T json will accept the -e option to specify fields. (tshark man page)

-e <field>
Add a field to the list of fields to display if -T ek|fields|json|pdml is selected. This option can be used multiple times on the command line.

Chuckc (2022-08-25 00:12:22 +0000)
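The post-processing step the asker describes (tshark -T json, then turning the KEXINIT offers into a per-client report) is what actually answers the original question of who would be affected by a reduced cipher list. The script below is an added example, not code from the thread or from the Wireshark project: it reads the kind of JSON that the asker's command would produce once Chuckc's -e suggestion is applied, and it tolerates several tshark runs appended to one file with >>, which yields several top-level JSON arrays rather than one document. Assumptions: the Wireshark SSH field names used (ssh.kex_algorithms, ssh.encryption_algorithms_client_to_server, ssh.mac_algorithms_client_to_server) and the _source.layers.<field>: [values] layout of -T json -e output; the sample packets and the "reduced" algorithm lists are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed "reduced" server configuration to test clients against (not from the thread).
ALLOWED_KEX = {"curve25519-sha256", "curve25519-sha256@libssh.org",
               "diffie-hellman-group16-sha512", "diffie-hellman-group14-sha256"}
ALLOWED_CIPHERS = {"aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
                   "aes256-ctr", "aes192-ctr", "aes128-ctr"}
ALLOWED_MACS = {"hmac-sha2-256", "hmac-sha2-512",
                "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"}

# Assumed Wireshark field names; confirm locally with: tshark -G fields | findstr ssh.
# The JSON would come from the asker's command plus one -e per field, e.g.
#   tshark -r serverA.pcapng -Y "(ssh.message_code == 20) && (ssh.direction == 0)" \
#     -T json -e ip.src -e ssh.kex_algorithms \
#     -e ssh.encryption_algorithms_client_to_server -e ssh.mac_algorithms_client_to_server
F_SRC = "ip.src"
F_KEX = "ssh.kex_algorithms"
F_ENC = "ssh.encryption_algorithms_client_to_server"
F_MAC = "ssh.mac_algorithms_client_to_server"

# Constructed sample: two tshark runs appended with >> (two top-level arrays), three KEXINITs.
SAMPLE_TSHARK_JSON = """
[
  {"_source": {"layers": {
      "ip.src": ["10.0.0.5"],
      "ssh.kex_algorithms": ["curve25519-sha256,diffie-hellman-group14-sha1"],
      "ssh.encryption_algorithms_client_to_server": ["aes128-ctr,aes256-gcm@openssh.com,3des-cbc"],
      "ssh.mac_algorithms_client_to_server": ["hmac-sha2-256,hmac-sha1"]}}},
  {"_source": {"layers": {
      "ip.src": ["10.0.0.9"],
      "ssh.kex_algorithms": ["diffie-hellman-group1-sha1"],
      "ssh.encryption_algorithms_client_to_server": ["3des-cbc,aes128-cbc"],
      "ssh.mac_algorithms_client_to_server": ["hmac-sha1"]}}}
]
[
  {"_source": {"layers": {
      "ip.src": ["10.0.0.12"],
      "ssh.kex_algorithms": ["diffie-hellman-group14-sha256"],
      "ssh.encryption_algorithms_client_to_server": ["aes256-ctr"],
      "ssh.mac_algorithms_client_to_server": ["hmac-sha1"]}}}
]
"""


def _iter_json_documents(text):
    """Yield every top-level JSON value in text, so files built with >> still parse."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def _namelist(layers, field):
    """SSH name-lists are comma-separated strings; return the set of names offered."""
    names = set()
    for value in layers.get(field, []):
        names.update(n for n in value.split(",") if n)
    return names


def parse_kexinit(json_text):
    """One record per client KEXINIT packet: source address plus its offered algorithm sets."""
    records = []
    for document in _iter_json_documents(json_text):
        for pkt in document:
            layers = pkt["_source"]["layers"]
            records.append({
                "src": layers.get(F_SRC, ["?"])[0],
                "kex": _namelist(layers, F_KEX),
                "ciphers": _namelist(layers, F_ENC),
                "macs": _namelist(layers, F_MAC),
            })
    return records


def handshake_gaps(record, allowed_kex=ALLOWED_KEX,
                   allowed_ciphers=ALLOWED_CIPHERS, allowed_macs=ALLOWED_MACS):
    """Categories in which this handshake shares nothing with the reduced lists.
    Any non-empty result means the negotiation would fail against the new config."""
    gaps = []
    if not record["kex"] & allowed_kex:
        gaps.append("kex")
    if not record["ciphers"] & allowed_ciphers:
        gaps.append("ciphers")
    if not record["macs"] & allowed_macs:
        gaps.append("macs")
    return gaps


def affected_clients(records, **allowed):
    """Map client address -> sorted categories that failed in at least one observed handshake.
    Conservative on purpose: one failing handshake is enough to flag the client."""
    flagged = defaultdict(set)
    for record in records:
        flagged[record["src"]].update(handshake_gaps(record, **allowed))
    return {src: sorted(gaps) for src, gaps in flagged.items() if gaps}


if __name__ == "__main__":
    for src, gaps in sorted(affected_clients(parse_kexinit(SAMPLE_TSHARK_JSON)).items()):
        print(f"{src}: no acceptable {', '.join(gaps)}")
```

Run it against the real collection.json instead of the embedded sample by reading the file into parse_kexinit; because the check is per handshake, a client that appears many times over the week is reported once, with every category it ever failed.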
