tshark SSH Packets Encrypted After Saving to File

I am trying to collect SSH packets on a file transfer server so that I can tell who would be affected by a reduced cipher list. I am using dumpcap to gather certain packets...

H:\>"D:\Program Files\Wireshark\dumpcap.exe" -i Ethernet0 -f "port 22 && dst host 10.151.30.55" -w D:\SFTPCapture\serverA.pcapng -b files:3 -b duration:300 -n

... Then I am using tshark to further filter and save the packets that I need that tell me what ciphers the client is able to use...

H:\>"D:\Program Files\Wireshark\tshark.exe" -r "D:\SFTPCapture\serverA_00019_20220823122517.pcapng" -Y "(ssh.message_code == 20) && (ssh.direction == 0)" -w "D:\SFTPCapture\test.pcapng"

... When I omit -w <outfile>, I can see the packets in Command Prompt as I would expect. In addition, I can open "D:\SFTPCapture\serverA_00019_20220823122517.pcapng" in Wireshark, filter the packets, and save the desired packets as expected. The issue is that when saving the output from tshark using -w <outfile>, all of the packets say that they are encrypted. What is stranger still is that if I omit "(ssh.message_code == 20) && " from the filter, the packets are no longer encrypted, but I end up with more packets than I need.

How do I save the filtered packets to a pcapng file so that ssh message 20 is still human readable and I can tell what ciphers the clients are using?
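Once the client KEXINIT packets (SSH message code 20, client-to-server direction) are on disk, the cipher lists they carry can be read straight from the SSH binary packet independently of Wireshark's dissector. The following Python is an example added here, not code from the question or from Wireshark: it parses the name-lists of an unencrypted SSH_MSG_KEXINIT per RFC 4253 section 7.1, applies the RFC's negotiation rule against a reduced server cipher list, and reports which clients would no longer be able to connect; the sample packets, client addresses, cipher lists and the reduced list are all constructed for the demonstration.

```python
import struct

# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1); short labels are ours.
KEXINIT_FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(lists, cookie=b"\x00" * 16):
    # Encode a KEXINIT as an unencrypted SSH binary packet (used only to build constructed input).
    payload = bytes([20]) + cookie
    for name in KEXINIT_FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack("!I", len(raw)) + raw
    payload += b"\x00" + struct.pack("!I", 0)  # first_kex_packet_follows, reserved uint32
    padding = 8 - (len(payload) + 5) % 8       # pad the whole packet to the 8-byte block size
    padding += 8 if padding < 4 else 0         # RFC 4253 requires at least 4 bytes of padding
    return struct.pack("!IB", len(payload) + padding + 1, padding) + payload + b"\x00" * padding

def parse_kexinit(tcp_payload):
    # Decode the name-lists from one unencrypted SSH_MSG_KEXINIT (message code 20).
    packet_length, padding_length = struct.unpack("!IB", tcp_payload[:5])
    payload = tcp_payload[5:5 + packet_length - padding_length - 1]
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    pos, fields = 17, {}                       # skip message code (1) and cookie (16)
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack("!I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length]
        fields[name] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + length
    return fields

def negotiate(client_list, server_list):
    # RFC 4253 rule: the first client-preferred algorithm that the server also supports.
    return next((alg for alg in client_list if alg in server_list), None)

def clients_broken_by(reduced_ciphers, client_kexinits):
    # Labels of clients that could not agree on a cipher in at least one direction.
    broken = []
    for label, pkt in client_kexinits.items():
        f = parse_kexinit(pkt)
        if None in (negotiate(f["enc_c2s"], reduced_ciphers),
                    negotiate(f["enc_s2c"], reduced_ciphers)):
            broken.append(label)
    return broken

# Constructed sample KEXINITs standing in for two captured clients (addresses are made up).
MODERN = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"]
LEGACY = ["aes128-cbc", "3des-cbc", "aes256-ctr"]
SAMPLE_CLIENTS = {"10.0.0.1": build_kexinit({"enc_c2s": MODERN, "enc_s2c": MODERN}),
                  "10.0.0.2": build_kexinit({"enc_c2s": LEGACY, "enc_s2c": LEGACY})}
REDUCED_SERVER_CIPHERS = ["aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"]
```

On a real capture, feed parse_kexinit the TCP payload of each client KEXINIT packet (the bytes after the version-string exchange) and key the dictionary by client address.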