Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Is it possible to access decrypted TLS data in tshark programmatically?

Is there any way to get the decrypted TLS payload programatically in tshark, for example with -T jsonraw or pdml? I can see the decrypted data with the -x option or by following a tls stream (neither of which is convenient for programming access) but with -T option I can only see the encrypted payload.

For comparison, with ESP protocol, once the data is decrypted, the decrypted data is easily accessible in tcp.payload and and display filters can be applied to the decrypted data. Is there any way to do that with TLS?

If that is not possible, an alternative for me would be saving only the raw decrypted data a file. I can do this in wireshark in the follow TLS stream window. Any way to do it in tshark?