Secure websocket with Tshark over live capture

Hi,

So I've been able to decode a live capture WSS over HTTPS (of course) with Wireshark but it seems that TShark is not capable of doing so unless I am doing something wrong.

Here is how I am running it, but the output is empty:

C:\Program Files\Wireshark>tshark.exe -i 4 -o tls.keylog_file:C:\Users\iulian\Desktop\ssl.txt -o tls.desegment_ssl_records:TRUE -o tls.desegment_ssl_application_data:TRUE -d tcp.port==443,tls -Y websocket

Best,

-iulian

iulian
asked 2019-06-29 06:30:49 +0000
grahamb
updated 2019-06-29 10:49:18 +0000

1 Answer

Do you use a non-default profile in Wireshark? If so, you might need to add -C <profile-name> to your tshark command to have it behave the same as Wireshark.

Without specifying a profile, I would add -o tcp.desegment_tcp_streams:TRUE to your command to make sure TCP allows reassembly by the TLS dissector.

Does either of these suggestions make WSS decryption work for you with tshark?

SYN-bit
answered 2019-07-01 09:29:43 +0000
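
An added example, not part of the original posts or of Wireshark itself: a small check that compares the preferences a Wireshark profile sets with the -o options on a tshark command line and lists the ones the command still lacks. It assumes the profile's preferences file uses `name: value` lines with `#` marking comments; the sample profile text is constructed and the function names are hypothetical.

```python
import re

# Preferences named in the question's command and in the answer.
RELEVANT = ("tls.keylog_file", "tls.desegment_ssl_records",
            "tls.desegment_ssl_application_data", "tcp.desegment_tcp_streams")
PREF_LINE = re.compile(r"^([A-Za-z0-9_.]+):\s*(.*)$")

# Constructed sample of a profile's preferences file (not from a real system).
SAMPLE_PROFILE = r"""
# Lines starting with '#' are comments or commented-out defaults.
#tls.debug_file:
tls.keylog_file: C:\Users\iulian\Desktop\ssl.txt
tls.desegment_ssl_records: TRUE
tcp.desegment_tcp_streams: TRUE
"""

# The command from the question, split into arguments.
QUESTION_ARGV = ["tshark.exe", "-i", "4",
                 "-o", r"tls.keylog_file:C:\Users\iulian\Desktop\ssl.txt",
                 "-o", "tls.desegment_ssl_records:TRUE",
                 "-o", "tls.desegment_ssl_application_data:TRUE",
                 "-d", "tcp.port==443,tls", "-Y", "websocket"]


def parse_profile_prefs(text):
    """Return {name: value} for preferences set explicitly in the file."""
    prefs = {}
    for raw in text.splitlines():
        m = PREF_LINE.match(raw.strip())  # '#' lines never match the pattern
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def cli_prefs(argv):
    """Collect the name:value pairs passed with -o on the command line."""
    pairs = (arg.split(":", 1) for flag, arg in zip(argv, argv[1:])
             if flag == "-o" and ":" in arg)
    return {name: value for name, value in pairs}


def missing_overrides(profile_text, argv):
    """-o values the command lacks (or sets differently) versus the profile."""
    profile, given = parse_profile_prefs(profile_text), cli_prefs(argv)
    return [f"{n}:{profile[n]}" for n in RELEVANT
            if n in profile and given.get(n, "").lower() != profile[n].lower()]


if __name__ == "__main__":
    for pref in missing_overrides(SAMPLE_PROFILE, QUESTION_ARGV):
        print("-o", pref)
```

With the constructed sample, the only value reported is tcp.desegment_tcp_streams:TRUE, the preference the answer suggests adding.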