I'm trying to dump decrypted PDUs from an RDP session running on a non standard port. I can decrypted the packets successfully. I need to post process the decrypted PCAP by export the PDUs to a new file using tshark, this is supported and I can get it working on the sample PCAP but not when it is running on a different port.
I think I'm missing an argument to tshark.
If I run the following command, tshark will dump decrypted packets for me.
tshark.exe -r encrypted.pcap -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:10.0.1.1,3390,tptk,x509.pem" -o tpkt.tcp.port:3390
If I run
tshark.exe -r encrypted.pcap -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:10.0.1.1,3390,tptk,x509.pem" -o tpkt.tcp.port:3390 "-U "OSI layer 7" -w decrypted.pcap
I think I should have those PDUs dumped to a new file. But I don't, the PCAP is empty. Now if I try basically the same command on the Wireshark sample data it works correctly. The file out.pcap is filled with my decrypted packets. Here is the command that works on the sample PCAP.
tshark.exe -r rdp-ssl.pcap -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:10.0.2.15,3389,tpkt,rdp-ssl.pcap.gz.cert.pem" -U "OSI layer 7" -w out.pcap
The command lines are near identical. I'm assuming i'm incorrectly setting the RDP port number. What's confusing is that without the OSI layer 7 export I can see if decrypted correctly on screen. I've used -o tpkt.tcp.port and -o rdp.tcp.port without success. Does anyone have any ideas?
Interestingly if I open the same pcap in Wireshark and use File->export PDUs it does work correctly. I really need to use tshark.
