
Hi, I need to decode an SSL stream from a pcap file and save the decoded stream to a new pcap file. I use the capture from http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=snakeoil2_070531.tgz and the key from http://wiki.wireshark.org/SSL for testing. So with the command:

tshark -n -d tcp.port==443,http -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,443,http,/snakeoil2_070531/rsasnakeoil2.key" -r /snakeoil2_070531/rsasnakeoil2.cap

tshark prints the textual version of the decoded packets on screen correctly. Now I need to save the real decoded packets (ssl->http), not the text, to a new file.

Using the -w option, tshark saves the same packet dump that it reads (rsasnakeoil2.cap) to another file (test.pcap). The two files are equal.

tshark -n -d tcp.port==443,http -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,443,http,/snakeoil2_070531/rsasnakeoil2.key" -r /snakeoil2_070531/rsasnakeoil2.cap -w test.cap

I can't understand why tshark can't save the decoded SSL traffic to another file. Help me.

Details of my Wireshark version: wireshark 1.4.4

Copyright 1998-2011 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.22.1, with GLib 2.26.1, with libpcap 1.1.1, without libz, with POSIX capabilities (Linux), without libpcre, without SMI, without c-ares, without ADNS, without Lua, without Python, with GnuTLS 2.10.4, with Gcrypt 1.4.6, with Heimdal Kerberos, without GeoIP, without PortAudio, without AirPcap.

Running on Linux 2.6.37-ARCH, with libpcap version 1.1.1, GnuTLS 2.10.5, Gcrypt 1.4.6.

Built using gcc 4.5.2 20110127 (prerelease).

asked 03 Apr '11, 14:28 by mkl

Wireshark and tshark can't save decrypted data back into a new pcap file.

The best thing you can do is add -V (full decodes) to your tshark command and redirect the output to a text file and supply that with the pcap file.

Please also have a look at feature request 3444, in which the same question was asked.

answered 03 Apr '11, 14:36 by SYN-bit
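Two checks worth making before going further with the ssl.keys_list approach, shown here as an added example (this is not code from the original post and not Wireshark's own code). First, a classic pcap record is nothing more than a timestamp plus the link-layer bytes that were on the wire; decryption happens inside the dissector and the file format has no place to store that view, which is exactly why `-r ... -w out` produces a byte-for-byte copy. Second, the server's RSA private key only lets Wireshark recover the pre-master secret when the negotiated cipher suite uses RSA key exchange; with an (EC)DHE suite the private key alone decrypts nothing, so it pays to read the ServerHello before wondering why nothing decodes. The script below writes a small pcap and parses it back, then reports the offered and chosen cipher suites and whether the chosen one is RSA key exchange. The capture it inspects is constructed in memory (a ClientHello and a ServerHello with zeroed randoms), not the snakeoil2 file from the question; the Ethernet/IPv4/TCP layout, the TLS 1.0 record framing and the deliberately short RSA_KX_SUITES table are assumptions of this example, and only the standard library is used.

```python
"""Added example (not from the original post or from Wireshark): write and
read a classic pcap, then check whether the TLS handshake on :443 can be
decrypted with the server's RSA private key via tshark's ssl.keys_list.
Standard library only. The capture is constructed in memory; assumptions:
little-endian pcap, Ethernet(DLT 1)/IPv4/TCP, TLS 1.0 framing, IANA suite ids."""
import struct

HANDSHAKE = 0x16                      # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2     # handshake message types
# Suites with plain RSA key exchange: the pre-master secret is encrypted to the
# server's RSA public key, so the private key can recover it. (EC)DHE suites
# cannot be decrypted that way. Short, illustrative subset of the IANA values.
RSA_KX_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}

def handshake_record(htype, body):
    """Handshake header (type, 24-bit length) inside a TLS 1.0 record."""
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs

def client_hello_record(cipher_suites):
    """version, 32-byte random (zeros), empty session id, suites, null compression."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (b"\x03\x01" + bytes(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    return handshake_record(CLIENT_HELLO, body)

def server_hello_record(cipher_suite):
    """version, random, empty session id, chosen suite, null compression."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    return handshake_record(SERVER_HELLO, body)

def tcp_frame(src_port, dst_port, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums left at 0 (parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return bytes(12) + b"\x08\x00" + ip + tcp + payload

def write_pcap(frames):
    """Classic pcap: 24-byte global header, then per frame a 16-byte record header
    (ts_sec, ts_usec, incl_len, orig_len) and the raw bytes. There is no slot for a
    dissector's decrypted view, so `tshark -r in -w out` can only re-emit ciphertext."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_301_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_tcp_payloads(pcap):
    """Yield (src_port, dst_port, tcp_payload) for each Ethernet/IPv4/TCP frame."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                 # not IPv4 or not TCP
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
        tcp = frame[14 + ihl:14 + total]             # trailer/padding excluded
        src, dst = struct.unpack_from("!HH", tcp, 0)
        yield src, dst, tcp[(tcp[12] >> 4) * 4:]

def handshake_summary(pcap, port=443):
    """Scan TLS records on `port` up to the ServerHello; report offered suites,
    the chosen suite, and whether the server's RSA private key can decrypt."""
    info = {"offered": [], "chosen": None, "rsa_kx": None}
    for src, dst, payload in iter_tcp_payloads(pcap):
        if port not in (src, dst):
            continue
        pos = 0
        while pos + 5 <= len(payload):
            ctype, _ver, rlen = struct.unpack_from("!BHH", payload, pos)
            rec, pos = payload[pos + 5:pos + 5 + rlen], pos + 5 + rlen
            if ctype != HANDSHAKE or len(rec) < 4:
                continue
            htype, body = rec[0], rec[4:4 + int.from_bytes(rec[1:4], "big")]
            if len(body) < 37:
                continue
            cur = 35 + body[34]                      # skip version, random, session id
            if htype == CLIENT_HELLO:
                n = struct.unpack_from("!H", body, cur)[0]
                info["offered"] = [struct.unpack_from("!H", body, cur + 2 + i)[0]
                                   for i in range(0, n, 2)]
            elif htype == SERVER_HELLO:
                info["chosen"] = struct.unpack_from("!H", body, cur)[0]
                info["rsa_kx"] = info["chosen"] in RSA_KX_SUITES
                return info                          # later handshake records may be encrypted
    return info

def build_sample_pcap(chosen_suite):
    """Constructed two-frame capture: ClientHello to :443 and the ServerHello reply."""
    return write_pcap([tcp_frame(51000, 443, client_hello_record([0x002F, 0xC013, 0x0035])),
                       tcp_frame(443, 51000, server_hello_record(chosen_suite))])

if __name__ == "__main__":
    for suite in (0x002F, 0xC013):                   # TLS_RSA_* vs TLS_ECDHE_RSA_*
        info = handshake_summary(build_sample_pcap(suite))
        print(f"chosen {info['chosen']:#06x}: "
              + ("server RSA key can decrypt (ssl.keys_list works)" if info["rsa_kx"]
                 else "(EC)DHE key exchange: server key alone cannot decrypt"))
```

Run it as a script to see both verdicts; point `handshake_summary` at `open("capture.pcap", "rb").read()` to check a real capture. The parser stops at the ServerHello on purpose: once the ChangeCipherSpec has gone by, further records of content type 0x16 are encrypted Finished messages, and their first byte is not a handshake type.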
