
tshark (on Windows) outputting SSIDs as encoded numbers (not ASCII)

I have some automated processes that use tshark to extract SSIDs from pcaps.

On Linux (and previous versions on Windows) the SSIDs are extracted OK as ASCII strings.

On Windows however, they appear to be encoded with each character encoded as a 2-digit hex value.

Is there a way I can configure the tshark command to output ASCII directly?

Example:

c:\Program Files\Wireshark>tshark.exe -r "c:\temp\scan_1695301875123.pcap" -T fields -e wlan.ssid
4c696e6b7379733031363734
4c696e6b7379733031363734
4c696e6b7379733031363734
4c696e6b7379733031363734
4c696e6b7379733031363734
4c696e6b7379733031363734
4c696e6b7379733031363734
646f6e745f6576656e5f7468696e6b5f6974

The expected output, as seen on Linux:

[bob@localhost ~]$ tshark -r scan_1695301875123.pcap -T fields -e wlan.ssid
Linksys01674
Linksys01674
Linksys01674
Linksys01674
Linksys01674
Linksys01674
Linksys01674
dont_even_think_it

i.e.:

4c696e6b7379733031363734 = "Linksys01674" in ASCII

c:\Program Files\Wireshark>tshark.exe -version
TShark (Wireshark) 4.2.0 (v4.2.0-0-g54eedfc63953).

Copyright 1998-2023 Gerald Combs <[email protected]> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.37, build 32822),
with GLib 2.78.0, with libpcap, with zlib 1.3.0, with PCRE2, with Lua 5.2.4
(with UfW patches), with GnuTLS 3.7.9 and PKCS #11 support, with Gcrypt
1.10.2-unknown, with Kerberos (MIT), with MaxMind, with nghttp2 1.57.0, with
nghttp3 1.0.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2
2.11.5, with libsmi 0.5.0, with binary plugins.

Running on 64-bit Windows 11 (22H2), build 22621, with 13th Gen Intel(R)
Core(TM) i7-1360P (with SSE4.2), with 16068 MB of physical memory, with GLib
2.78.0, with Npcap version 1.78, based on libpcap version 1.10.4, with PCRE2
10.42 2022-12-11, with c-ares 1.19.0, with GnuTLS 3.7.9, with Gcrypt
1.10.2-unknown, with nghttp2 1.57.0, with nghttp3 1.0.0, with brotli 1.0.9, with
LZ4 1.9.3, with Zstandard 1.5.2, with LC_TYPE=English_United States.utf8, binary
plugins supported.

c:\Program Files\Wireshark>
For Linux...

tshark -v
TShark (Wireshark) 3.4.10 (Git commit 733b3a137c2b)

Copyright 1998-2021 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.68.4, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.19.1, without
Lua, with GnuTLS 3.7.6 and PKCS #11 support, with Gcrypt 1.10.0-unknown, with
MIT Kerberos, without MaxMind DB resolver, with nghttp2 1.43.0, without brotli,
without LZ4, with Zstandard, without Snappy, without libxml2.

Running on Linux 5.14.0-362.8.1.el9_3.x86_64, with 11th Gen Intel(R) Core(TM)
i5-1135G7 @ 2.40GHz (with SSE4.2), with 7673 MB of physical memory, with locale
en_US.UTF-8, with libpcap version 1.10.0 (with TPACKET_V3), with GnuTLS 3.7.6,
with Gcrypt 1.10.0-unknown, with zlib 1.2.11, binary plugins supported (0
loaded).

Built using gcc 11.4.1 20230605 (Red Hat 11.4.1-2).
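
An added example, not part of the original post: a Python post-processing step for the hex form of wlan.ssid shown in the Windows output above, which also escapes non-printable bytes because SSIDs are set by whoever runs the access point. The function names and the last two sample lines are constructed for illustration, and the decoder assumes the input is already known to be hex (for instance because the tshark version is pinned), since an SSID such as "cafe" is valid both as text and as hex.

```python
import string

MAX_SSID_OCTETS = 32          # IEEE 802.11 limits the SSID element to 32 octets
_HEX = set(string.hexdigits)


def decode_ssid_hex(field: str) -> str:
    """Decode one hex-encoded wlan.ssid value into a log-safe string.

    Raises ValueError when the value is not hex, which is how plain-text
    output from an older tshark is detected instead of being mis-decoded.
    """
    if len(field) % 2 or not set(field) <= _HEX:
        raise ValueError(f"not a hex-encoded SSID: {field!r}")
    raw = bytes.fromhex(field)
    if len(raw) > MAX_SSID_OCTETS:
        raise ValueError(f"SSID longer than {MAX_SSID_OCTETS} octets: {field!r}")
    # SSIDs are arbitrary octets: keep valid UTF-8, show other bytes as \xNN.
    text = raw.decode("utf-8", errors="backslashreplace")
    # Escape control characters so a hostile SSID cannot inject log lines.
    return "".join(
        ch if ch.isprintable() else ch.encode("unicode_escape").decode("ascii")
        for ch in text
    )


def decode_tshark_lines(lines):
    """Return one list of SSIDs per line of `-T fields -e wlan.ssid` output.

    tshark joins multiple occurrences in one frame with "," by default;
    an empty line (no SSID value printed for the frame) gives [].
    """
    return [
        [decode_ssid_hex(v) for v in line.strip().split(",") if v]
        for line in lines
    ]


# First two lines are from the post; the last two are constructed samples.
SAMPLE = [
    "4c696e6b7379733031363734",
    "646f6e745f6576656e5f7468696e6b5f6974",
    "",
    "6361666500ff,610a62",
]

if __name__ == "__main__":
    for ssids in decode_tshark_lines(SAMPLE):
        print(ssids)
```
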