tshark (on windows) outputing SSIDs as encoded numbers (not ASCII)
I have some automated processes that use tshark to extract SSIDs from pcaps.
On linux (and previous versions on Windows) the SSIDs are extracted OK as ASCII strings.
On Windows however, they appear to be encoded with each character encoded as a 2-digit hex value.
Is there a way I can configure the tshark command to output ASCII directly?
Example:
c:\Program Files\Wireshark>tshark.exe -r "c:\temp\scan_1695301875123.pcap" -T fields -e wlan.ssid
4c696e6b7379733031363734
4c696e6b7379733031363734
4c696e6b7379733031363734
4c696e6b7379733031363734
4c696e6b7379733031363734
4c696e6b7379733031363734
4c696e6b7379733031363734
646f6e745f6576656e5f7468696e6b5f6974
The expected output, as seen on Linux:
[bob@localhost ~]$ tshark -r scan_1695301875123.pcap -T fields -e wlan.ssid
Linksys01674
Linksys01674
Linksys01674
Linksys01674
Linksys01674
Linksys01674
Linksys01674
dont_even_think_it
i.e. :
4c696e6b7379733031363734 = "Linksys01674" in ASCII
c:\Program Files\Wireshark>tshark.exe -version
TShark (Wireshark) 4.2.0 (v4.2.0-0-g54eedfc63953).
Copyright 1998-2023 Gerald Combs <[email protected]> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.37, build 32822),
with GLib 2.78.0, with libpcap, with zlib 1.3.0, with PCRE2, with Lua 5.2.4
(with UfW patches), with GnuTLS 3.7.9 and PKCS #11 support, with Gcrypt
1.10.2-unknown, with Kerberos (MIT), with MaxMind, with nghttp2 1.57.0, with
nghttp3 1.0.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2
2.11.5, with libsmi 0.5.0, with binary plugins.
Running on 64-bit Windows 11 (22H2), build 22621, with 13th Gen Intel(R)
Core(TM) i7-1360P (with SSE4.2), with 16068 MB of physical memory, with GLib
2.78.0, with Npcap version 1.78, based on libpcap version 1.10.4, with PCRE2
10.42 2022-12-11, with c-ares 1.19.0, with GnuTLS 3.7.9, with Gcrypt
1.10.2-unknown, with nghttp2 1.57.0, with nghttp3 1.0.0, with brotli 1.0.9, with
LZ4 1.9.3, with Zstandard 1.5.2, with LC_TYPE=English_United States.utf8, binary
plugins supported.
c:\Program Files\Wireshark>
c:\Program Files\Wireshark>tshark.exe -version
TShark (Wireshark) 4.2.0 (v4.2.0-0-g54eedfc63953).
Copyright 1998-2023 Gerald Combs <[email protected]> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.37, build 32822),
with GLib 2.78.0, with libpcap, with zlib 1.3.0, with PCRE2, with Lua 5.2.4
(with UfW patches), with GnuTLS 3.7.9 and PKCS #11 support, with Gcrypt
1.10.2-unknown, with Kerberos (MIT), with MaxMind, with nghttp2 1.57.0, with
nghttp3 1.0.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2
2.11.5 ...
Can you update question with output of
tshark -vandtshark.exe -v.TShark (Wireshark) 4.2.0 (v4.2.0-0-g54eedfc63953).
TShark (Wireshark) 3.4.10 (Git commit 733b3a137c2b) [for linux]
Thanks!
I'm able to recreate with 4.2.0 on Windows using File: Network_Join_Nokia_Mobile.pcap.
epan/dissectors/packet-ieee80211.c:
{&hf_ieee80211_tag_ssid, {"SSID", "wlan.ssid", FT_BYTES, BASE_SHOW_UTF_8_PRINTABLE, NULL, 0, "Indicates the identity of an ESS or IBSS", HFILL }},There have been some changes to the field:
6244: ieee80211: Handle UTF-8 SSIDs and unspecified charsets