Saving an NVMe-over-TCP with TLS trace after decryption

asked 2024-08-28 20:21:15 +0000

Hi,

I am trying to save an NVMe-over-TCP with TLS trace after decryption. I have applied the "try Heuristic Dissectors first" option along with the tlskeylogfile via the TLS pre-master secret logfile option and see NVMe-over-TCP packets being decoded. Is there a way to export and save the decrypted portion of the trace as a pcap? I tried the export PDU option; however, this only saves the PDU portion of the trace, and the export packet dissections option also does not have a pcap option.

Thanks Sekar

Comments

There are several options in the "Export PDU" filter, which one did you try?

What do you mean by "save the decrypted portion of the trace as a pcap" and "this only saves the PDU portion of the trace?"

If you want something like "a capture with the original Ethernet, IP, and TCP headers, but with the TLS layer removed and unencrypted bytes of payload, as if the original capture were NVMe-over-TCP without TLS," that's not easily possible. Decrypting changes the length of the payload and the values expected for the TCP checksum and the TCP sequence number, and TLS records might be fragmented across various TCP segments and IP packets. There's no facility in Wireshark to change the payload and then fix up all the values in the TCP header that would no longer be correct.

johnthacker ( 2024-08-29 00:20:47 +0000 )

Thanks. I tried L7 and L4 for Export PDU. I see the NVMe/TCP packets there, but I guess this is still fragmented and thus I am not seeing NVMe commands inside of the NVMe/TCP being decoded. Since we are using this mainly for development purposes to easily decode traces, I was hoping there was a way to do this easily, as Wireshark appears to be the only tool that can even do NVMe/TCP with TLS.

sekar-wdc ( 2024-08-31 23:55:21 +0000 )
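
The point in johnthacker's comment about the TCP checksum and sequence numbers, as an added example that is not part of the original thread or of Wireshark: it builds one TCP segment carrying a TLS-shaped record, swaps in the shorter plaintext without touching the header, and shows which header values stop matching. The addresses, ports, sequence number and payload bytes are constructed, and the 22-byte overhead assumes a TLS 1.3 record with a 16-byte AEAD tag and no padding.

```python
import socket
import struct

def checksum16(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def build_segment(src, dst, sport, dport, seq, payload: bytes) -> bytes:
    """20-byte TCP header (PSH|ACK) plus payload, with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = checksum16(pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def checksum_ok(src, dst, segment: bytes) -> bool:
    # A segment carrying a correct checksum sums to zero.
    return checksum16(pseudo_header(src, dst, len(segment)) + segment) == 0

def naive_swap(segment: bytes, new_payload: bytes) -> bytes:
    """Replace the payload and leave the 20-byte TCP header untouched."""
    return segment[:20] + new_payload

def next_seq(seq: int, payload: bytes) -> int:
    return (seq + len(payload)) & 0xFFFFFFFF

# Constructed sample data: stand-in plaintext and a TLS 1.3-shaped record
# (5-byte header, then filler for plaintext + 1 content-type byte + 16-byte tag).
SRC, DST, SEQ = "192.0.2.10", "192.0.2.20", 1000
PLAINTEXT = bytes(64)
TLS_RECORD = b"\x17\x03\x03" + struct.pack("!H", len(PLAINTEXT) + 17) + b"\xaa" * (len(PLAINTEXT) + 17)

def demo() -> dict:
    original = build_segment(SRC, DST, 49152, 4420, SEQ, TLS_RECORD)
    swapped = naive_swap(original, PLAINTEXT)
    return {
        "original_checksum_ok": checksum_ok(SRC, DST, original),
        "swapped_checksum_ok": checksum_ok(SRC, DST, swapped),
        "seq_of_next_captured_segment": next_seq(SEQ, TLS_RECORD),
        "seq_expected_after_swap": next_seq(SEQ, PLAINTEXT),
    }
```

Calling `demo()` shows the checksum failing after the swap and the next captured segment starting 22 bytes past where the shortened stream ends, an offset that grows with every record that follows.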