
List:       wireshark-users
Subject:    [Wireshark-users] tshark print raw data with -T fields (for partial ssl records)
From:       Lee Mighdoll <lee () underneath ! ca>
Date:       2013-04-29 23:08:54
Message-ID: CAPif6rVD0NNVs8jJOJ+cZ7qrWLF_Gzfbtj9P88Bm5WztHxRwgQ () mail ! gmail ! com

I'm printing a dozen fields or so from a trace with a limited snap length.
Works great, but the thirteenth field is unfortunately not decoded from
partially captured packets.

Is there a way to print the raw data along with -T fields?  -x and -T
fields don't mix...  I suppose I could run tshark twice, once with -x and
once with -T fields, and correlate the output, but I'm hoping there's an
easier way.  I see some references on the web to an option for -e data, but
that doesn't print anything when I try it (on tshark 1.8.2).

Alternately, is there any way to convince the ssl packet parser to emit the
fields that it has recognized from a partial record?  In particular, I'd
like to know that the header for ssl record type 23 (application data) has
been captured, even though tcpdump hasn't captured the entire contents of
the application data itself.

Cheers,
Lee
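
An added example, not part of the original message and not Wireshark code: a Python sketch that walks the 5-byte SSL/TLS record headers in a truncated TCP payload and reports each header that was captured, including a type 23 (application data) header whose body was cut off by the snap length. The function names and the sample bytes are constructed for illustration, and the payload is assumed to start on a record boundary.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HEADER_LEN = 5               # content type (1) + version (2) + length (2)
MAX_RECORD = 2**14 + 2048    # upper bound on TLSCiphertext.length


def scan_records(payload: bytes) -> list:
    """Return one dict per TLS record header fully present in `payload`.

    `payload` is the captured part of a TCP segment and is assumed to start
    on a record boundary. A record whose body was cut off by the snap length
    is still reported, with complete=False.
    """
    records, offset = [], 0
    while offset + HEADER_LEN <= len(payload):
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, offset)
        # Stop at anything that does not look like an SSLv3/TLS record header.
        if ctype not in CONTENT_TYPES or major != 3 or length > MAX_RECORD:
            break
        captured = min(length, len(payload) - offset - HEADER_LEN)
        records.append({"offset": offset, "type": CONTENT_TYPES[ctype],
                        "version": (major, minor), "length": length,
                        "captured": captured, "complete": captured == length})
        offset += HEADER_LEN + length   # next header, if it was captured
    return records


def has_app_data_header(payload: bytes) -> bool:
    """True if a type-23 record header was captured, even without its body."""
    return any(r["type"] == "application_data" for r in scan_records(payload))


# Constructed sample: a complete 4-byte handshake record followed by an
# application data header announcing 256 bytes, of which only 10 were captured.
SAMPLE = bytes.fromhex("1603010004" "0e000000" "1703010100") + b"\x00" * 10

if __name__ == "__main__":
    for rec in scan_records(SAMPLE):
        print(rec)
```

A record that spans TCP segments breaks the boundary assumption, so a caller working on real captures would need to carry the remaining record length from one segment to the next.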
