This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Building tshark with ssl?

0

I'm trying to build tshark and dig into its ssl decoding, but it doesn't seem to want to include the ssl decoder and I'm not sure why; I looked around briefly to see if the dissectors get dynamically loaded somehow, but don't see that either:

# configure --disable-wireshark --with-ssl --without-gnutls
...
The Wireshark package has been configured with the following options.
                    Build wireshark : no
                       Build tshark : yes
                     Build capinfos : yes
                      Build editcap : yes
                      Build dumpcap : yes
                     Build mergecap : yes
                    Build text2pcap : yes
                      Build randpkt : yes
                       Build dftest : yes
                     Build rawshark : yes

   Save files as pcap-ng by default : yes
  Install dumpcap with capabilities : no
             Install dumpcap setuid : no
                  Use dumpcap group : (none)
                        Use plugins : yes
                    Use Lua library : no
                 Use Python binding : no
                   Build rtp_player : no
             Build profile binaries : no
                   Use pcap library : yes
                   Use zlib library : yes
               Use kerberos library : yes (MIT)
                 Use c-ares library : no
               Use GNU ADNS library : no
                Use SMI MIB library : no
             Use GNU crypto library : no
             Use SSL crypto library : yes
           Use IPv6 name resolution : yes
                 Use gnutls library : no
     Use POSIX capabilities library : no
                  Use GeoIP library : no

make

strings .libs/tshark | grep ssl

#

asked 05 Nov ‘15, 12:20

abatie


2 Answers:

1

tshark loads the libwireshark library, which contains all the dissector code, including SSL:

strings epan/.libs/libwireshark.so

answered 05 Nov '15, 13:01

Pascal Quantin

0

Based on your configure output it seems that you are building an old version of Wireshark.

                 Build mergecap : yes
             [reordercap is missing here]
                Build text2pcap : yes

You are probably using a version older than 1.6.11, 1.8.9 or 1.10.0. You are advised to use at least 1.12.x now (or 2.0, which is around the corner). Dissection of SSL/TLS is well supported in Wireshark, though some newer TLS details may require a more recent version of Wireshark.

If you are instead looking at SSL/TLS decryption rather than dissection, do note that versions before 2.0 require both GnuTLS and Libgcrypt to be enabled for decryption support. Since 2.0, Libgcrypt is sufficient for decryption using an SSL key log file. GnuTLS is still required for RSA key file support, though.

answered 05 Nov '15, 14:06

Lekensteyn

I did both 1.8.10 (to match the package that comes with CentOS) and 1.12.8. These are both good information, as indeed I am trying to improve the diagnostics when decryption fails. Thanks!

(05 Nov '15, 14:51) abatie

@abatie I recommend that you try 1.12 or newer; it already fixed various decryption issues.

(06 Nov '15, 05:21) Lekensteyn
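The rules in Lekensteyn's answer (pre-2.0 builds need both GnuTLS and Libgcrypt for any decryption; from 2.0 on Libgcrypt alone covers key log files while RSA key files still need GnuTLS; 1.12.x is the oldest version worth using) can be turned into a quick check of a built tshark. The script below is an added example, not code from the thread or from the Wireshark project: it parses the text that `tshark -v` prints and reports which decryption modes the build can support and whether it is older than 1.12. It inspects `tshark -v` rather than running `strings` on the tshark binary, which, as Pascal Quantin notes, does not contain the dissectors. The three sample outputs are constructed for the example and only mimic the shape of real `tshark -v` output (first line `TShark <version> ...`, later a `Compiled ... with GnuTLS ..., with Gcrypt ...` line); the version numbers and library lists in them are invented.

```shell
#!/bin/sh
# Added example: classify a tshark build's SSL/TLS decryption support from
# the output of `tshark -v`, using the rules given in the answer above.

# Extract "major.minor" from the first line, e.g. "TShark 1.12.8 (...)" -> 1.12
# or "TShark (Wireshark) 2.0.0 (...)" -> 2.0.
tshark_version() {
    printf '%s\n' "$1" | head -n 1 \
        | sed -n 's/^TShark[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed (exit 0) if major.minor $1 is at least major.minor $2.
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] \
        || { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# Succeed if the output says "with <lib>" ("without <lib>" does not match,
# because the space after "with" is part of the pattern).
compiled_with() {
    printf '%s\n' "$1" | grep -qi "with $2"
}

# Print one summary line for the given `tshark -v` text:
#   version=<major.minor> keylog=<yes|no> rsa=<yes|no> upgrade=<yes|no>
# keylog: decryption with an SSL key log file; rsa: decryption with an RSA
# private key file; upgrade: build is older than the 1.12.x minimum suggested.
tls_decrypt_support() {
    ver=$(tshark_version "$1")
    gnutls=no; gcrypt=no; keylog=no; rsa=no; upgrade=no
    compiled_with "$1" GnuTLS && gnutls=yes
    compiled_with "$1" Gcrypt && gcrypt=yes
    if version_ge "$ver" 2.0; then
        # 2.0+: Libgcrypt alone is enough for key log files; RSA needs GnuTLS too.
        [ "$gcrypt" = yes ] && keylog=yes
        [ "$gcrypt" = yes ] && [ "$gnutls" = yes ] && rsa=yes
    else
        # Before 2.0: both libraries are required for any decryption at all.
        if [ "$gcrypt" = yes ] && [ "$gnutls" = yes ]; then keylog=yes; rsa=yes; fi
    fi
    version_ge "$ver" 1.12 || upgrade=yes
    printf 'version=%s keylog=%s rsa=%s upgrade=%s\n' "$ver" "$keylog" "$rsa" "$upgrade"
}

# Constructed sample 1: a 1.12-era build with both crypto libraries.
SAMPLE_112='TShark 1.12.8 (Git Rev Unknown from unknown)
Compiled (64-bit) with GLib 2.42.1, with libpcap, with libz 1.2.8, with GnuTLS 3.3.8, with Gcrypt 1.6.3, with MIT Kerberos.'

# Constructed sample 2: an old build configured like the question (--without-gnutls).
SAMPLE_18='TShark 1.8.10 (SVN Rev Unknown from unknown)
Compiled (64-bit) with GLib 2.28.8, with libpcap, with libz 1.2.3, without GnuTLS, without Gcrypt, with MIT Kerberos.'

# Constructed sample 3: a 2.0 build with Libgcrypt but no GnuTLS.
SAMPLE_20='TShark (Wireshark) 2.0.0 (v2.0.0-0-gdeadbeef from master-2.0)
Compiled (64-bit) with GLib 2.46.2, with libpcap, with libz 1.2.8, without GnuTLS, with Gcrypt 1.6.4, without Kerberos.'

# Stand-alone run: print a summary for each constructed sample. To check a real
# build instead, pipe it in:  tls_decrypt_support "$(tshark -v)"
tls_decrypt_support "$SAMPLE_112"
tls_decrypt_support "$SAMPLE_18"
tls_decrypt_support "$SAMPLE_20"
```

With a real build, `tls_decrypt_support "$(tshark -v)"` gives the same one-line summary; a `keylog=no` result on a build you expected to decrypt is the first thing to resolve before debugging the key log file or the capture itself.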