tshark capture filter with live ssl decryption

asked 2018-12-27 11:05:11 +0000

Wallboy

I'm capturing a single HTTP GET request with the following command:

tshark -c 1 -f "port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420" -w "/path/to/file.pcapng"

This works great and tshark exits immediately after the single packet, but now I'd like to also do the same with HTTPS if possible. Changing the capture filter port from 80 to 443 has no effect in capturing anything. I do have a pre-master-secret setup working just fine, but I'm guessing the decryption only happens when reading the pcapng file back and not with live capturing.

Any other possibilities I could try?

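Added example, not part of the original question: a Python emulation of the payload comparison in the capture filter above, run against constructed TCP segments. Capture filters are evaluated on raw packet bytes before any dissection or decryption, so on port 443 the four bytes being compared are a TLS record header, never "GET ". The function names and sample bytes are assumptions made for this illustration.

```python
import struct

GET_MAGIC = 0x47455420  # ASCII "GET " as a big-endian 32-bit value


def tcp_segment(payload: bytes, options: bytes = b"", dport: int = 80) -> bytes:
    """Build a constructed TCP segment (no IP header, checksum left at 0)."""
    assert len(options) % 4 == 0, "TCP options must pad to 32-bit words"
    data_offset_words = 5 + len(options) // 4
    header = struct.pack(
        "!HHIIBBHHH",
        49152, dport,            # source port, destination port
        1, 1,                    # sequence and acknowledgement numbers
        data_offset_words << 4,  # byte 12: data offset in the high nibble
        0x18,                    # flags: PSH, ACK
        65535, 0, 0,             # window, checksum, urgent pointer
    )
    return header + options + payload


def filter_matches(tcp: bytes) -> bool:
    """Evaluate tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 on one segment.

    Only the payload test is emulated; the "port 80" half is not.
    """
    header_len = (tcp[12] & 0xF0) >> 2  # data offset nibble * 4 = header bytes
    first4 = tcp[header_len:header_len + 4]
    if len(first4) < 4:                 # a load past the packet end is no match
        return False
    return int.from_bytes(first4, "big") == GET_MAGIC


# Constructed sample payloads.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
TIMESTAMP_OPT = b"\x01\x01\x08\x0a" + bytes(8)  # NOP, NOP, timestamp option
CIPHERTEXT = bytes((i * 37 + 11) & 0xFF for i in range(64))  # stand-in bytes
# TLS 1.2 application-data record: type 0x17, version 0x0303, length, body
TLS_RECORD = b"\x17\x03\x03" + struct.pack("!H", len(CIPHERTEXT)) + CIPHERTEXT


def demo() -> dict:
    return {
        "http_get": filter_matches(tcp_segment(HTTP_GET)),
        "http_get_with_options": filter_matches(tcp_segment(HTTP_GET, TIMESTAMP_OPT)),
        "tls_on_443": filter_matches(tcp_segment(TLS_RECORD, dport=443)),
        "bare_ack": filter_matches(tcp_segment(b"")),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:24} match={hit}")
```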