Revision history

Exporting PDUs fails on a different port

I'm trying to dump decrypted PDUs from an RDP session running on a non-standard port. I can decrypt the packets successfully. I need to post-process the decrypted PCAP by exporting the PDUs to a new file using tshark; this is supported, and I can get it working on the sample PCAP but not when the session is running on a different port.

I think I'm missing an argument to tshark.

If I run the following command, tshark will dump decrypted packets for me.

tshark.exe -r encrypted.pcap -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:10.0.1.1,3390,tptk,x509.pem" -o tpkt.tcp.port:3390


If I run

tshark.exe -r encrypted.pcap -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:10.0.1.1,3390,tptk,x509.pem" -o tpkt.tcp.port:3390 -U "OSI layer 7" -w decrypted.pcap


I think I should have those PDUs dumped to a new file. But I don't, the PCAP is empty. Now if I try basically the same command on the Wireshark sample data it works correctly. The file out.pcap is filled with my decrypted packets. Here is the command that works on the sample PCAP.

tshark.exe -r rdp-ssl.pcap -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:10.0.2.15,3389,tpkt,rdp-ssl.pcap.gz.cert.pem" -U "OSI layer 7" -w out.pcap


The command lines are near identical. I'm assuming I'm incorrectly setting the RDP port number. What's confusing is that without the OSI layer 7 export I can see it decrypted correctly on screen. I've used -o tpkt.tcp.port and -o rdp.tcp.port without success. Does anyone have any ideas?

Interestingly, if I open the same pcap in Wireshark and use File->Export PDUs it does work correctly. I really need to use tshark.

Update: Sample PCAP

I've uploaded a sample here: https://github.com/robeving/SampleRDPPcap. PCAP and key are safe for sharing.

I've tested, and PDUs are exported correctly with Wireshark using the supplied key. I think the following command should work with tshark but doesn't.

tshark.exe -r .\sample.pcapng -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:92.82.236.10,3390,tptk,test.key" -o tpkt.tcp.port:3390 -U "OSI layer 7" -w out.pcapng


I can however see successful decryption with:

tshark.exe -r sample.pcapng -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:92.82.236.10,3390,tptk,test.key" -o tpkt.tcp.port:3390
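As an added check (not part of the original question, and not Wireshark's own tooling): a small Python reader that opens the file written by the "OSI layer 7" export tap and reports how many records it holds and which protocol name the tap stamped on each PDU, so an empty out.pcap and a populated one can be told apart without opening Wireshark. It assumes classic pcap output (pass -F pcap to tshark, since -w defaults to pcapng), and it takes the link-layer type value (252, LINKTYPE_WIRESHARK_UPPER_PDU) and the TLV tag numbers from libpcap's DLT list and Wireshark's epan/exported_pdu.h; those constants, the 4-byte padding of the name tag, and the sample file it builds for itself are assumptions and constructed data, not anything from the linked repository.

```python
"""Inspect the file written by tshark's "OSI layer 7" Export PDUs tap.

Added example, not Wireshark code. Constants are assumptions taken from
libpcap's DLT list and Wireshark's epan/exported_pdu.h; check them
against your installed version.
"""
import struct
import sys

LINKTYPE_WIRESHARK_UPPER_PDU = 252  # assumed DLT value for exported PDUs
# TLV tag numbers assumed from epan/exported_pdu.h
TAG_END = 0
TAG_PROTO_NAME = 12
TAG_IPV4_SRC = 20
TAG_IPV4_DST = 21
TAG_SRC_PORT = 25
TAG_DST_PORT = 26


def read_pcap(data):
    """Parse a classic pcap (not pcapng); return (linktype, list of records)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"  # little-endian file, the usual case
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap; write it with tshark -F pcap")
    linktype = struct.unpack(end + "HHiIII", data[4:24])[5]
    records, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        records.append(data[off:off + incl_len])
        off += incl_len
    return linktype, records


def parse_exported_pdu(record):
    """Walk the TLV header of one exported-PDU record; return (tags, payload)."""
    tags, off = {}, 0
    while off + 4 <= len(record):
        tag, length = struct.unpack(">HH", record[off:off + 4])
        value = record[off + 4:off + 4 + length]
        off += 4 + length
        if tag == TAG_END:
            break  # everything after the end tag is the PDU itself
        if tag == TAG_PROTO_NAME:
            tags["proto"] = value.rstrip(b"\x00").decode("ascii")
        elif tag in (TAG_IPV4_SRC, TAG_IPV4_DST):
            key = "src" if tag == TAG_IPV4_SRC else "dst"
            tags[key] = ".".join(str(b) for b in value[:4])
        elif tag in (TAG_SRC_PORT, TAG_DST_PORT):
            key = "sport" if tag == TAG_SRC_PORT else "dport"
            tags[key] = struct.unpack(">I", value[:4])[0]
    return tags, record[off:]


def summarize(data):
    """Return linktype, record count and a per-protocol-name histogram."""
    linktype, records = read_pcap(data)
    protos = {}
    if linktype == LINKTYPE_WIRESHARK_UPPER_PDU:
        for rec in records:
            name = parse_exported_pdu(rec)[0].get("proto", "?")
            protos[name] = protos.get(name, 0) + 1
    return {"linktype": linktype, "records": len(records), "protos": protos}


def _tlv(tag, value):
    return struct.pack(">HH", tag, len(value)) + value


def build_sample_pcap(pdus, dst_port=3390):
    """Constructed input: a little-endian pcap of exported-PDU records.

    pdus is a list of (protocol name, payload bytes); the addresses and
    ports are made up to mirror the question's 10.0.1.1:3390 server.
    """
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                      LINKTYPE_WIRESHARK_UPPER_PDU)
    for i, (proto, payload) in enumerate(pdus):
        name = proto.encode("ascii")
        name += b"\x00" * (-len(name) % 4)  # 4-byte padding, assumed
        body = (_tlv(TAG_PROTO_NAME, name)
                + _tlv(TAG_IPV4_SRC, bytes([10, 0, 1, 50]))
                + _tlv(TAG_IPV4_DST, bytes([10, 0, 1, 1]))
                + _tlv(TAG_SRC_PORT, struct.pack(">I", 49152))
                + _tlv(TAG_DST_PORT, struct.pack(">I", dst_port))
                + _tlv(TAG_END, b"") + payload)
        out += struct.pack("<IIII", 1600000000 + i, 0, len(body), len(body)) + body
    return out


if __name__ == "__main__":
    # Usage: python inspect_export.py out.pcap ; with no path, self-demo.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(summarize(f.read()))
    else:
        # constructed TPKT/X.224 connection-request bytes
        demo = build_sample_pcap([("tpkt", b"\x03\x00\x00\x0b\x06\xe0\x00\x00\x00\x00\x00")])
        print(summarize(demo))
```

Run it against the out.pcap produced on the sample capture first: a working export shows a link type of 252 and a protocol histogram naming the dissector that the keys_list entry handed the decrypted data to, while a file that only carries the 24-byte header confirms the tap found no layer 7 PDUs at all, which is a different failure from decryption not happening.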