
How to automate following TLS streams?

I have a huge pcap file and I want to follow each TLS stream in this file. Is there any way to do this by using a script?

alajeb
asked 2020-04-08 13:48:57 +0000

Comments

Not sure what your desired end result is. Do you want each TLS stream in a separate capture file?

grahamb (2020-04-08 14:13:57 +0000)

yes exactly

alajeb (2020-04-08 14:20:48 +0000)

1 Answer

This kind of thing generally needs multiple passes over the capture using tshark. First run a pass with a display filter to limit the output to the desired TLS traffic and add a -T fields -e tcp.stream argument to get a list of all TCP streams. Then use this list of streams to filter the original capture a single stream at a time and write the stream to a new file.

grahamb
answered 2020-04-08 14:36:47 +0000

Comments

Similar question using a script to extract multiple streams.

Chuckc (2020-04-08 15:29:08 +0000)
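
The two-pass approach from grahamb's answer above, written out as a POSIX shell script; this is an added example, not code from the thread. It assumes tshark 3.0 or later is on PATH (for the `tls` display filter name); the function names, output directory and `tls-stream-N.pcapng` file naming are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): split a capture into one file per
# TLS-carrying TCP stream with two tshark passes.
# Assumptions: tshark >= 3.0 on PATH ("tls" filter name; older builds use
# "ssl"); function names and the tls-stream-N.pcapng naming are illustrative.

# Pass 1: print each tcp.stream index that carries TLS, once, one per line.
list_tls_streams() {
    # -Y tls keeps only packets dissected as TLS; -T fields -e tcp.stream
    # prints the stream index per packet. awk drops blank or non-numeric
    # values (TLS seen outside plain TCP) and de-duplicates.
    tshark -r "$1" -Y tls -T fields -e tcp.stream |
        awk '/^[0-9]+$/ && !seen[$0]++'
}

# Pass 2: re-read the capture once per stream and write that stream out.
# Prints the number of files written.
split_tls_streams() {
    capture=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    count=0
    for stream in $(list_tls_streams "$capture"); do
        # Filtering on tcp.stream keeps the whole TCP conversation (handshake,
        # ACKs, teardown), not just the packets that matched "tls".
        tshark -r "$capture" -Y "tcp.stream == $stream" \
            -w "$outdir/tls-stream-$stream.pcapng" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Run only when invoked as: script.sh <capture> <output-dir>
if [ "$#" -ge 2 ]; then
    split_tls_streams "$1" "$2"
fi
```

Each stream costs one full read of the capture, so on a very large file with many streams the second pass dominates the run time.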