TShark - Get entire decrypted TLS output

Hi,

I'm using tshark with the tls.keylog_file option to decrypt my websocket TLS stream. After I run it through tshark, I get a layer 'DATA-TEXT-LINES' which contains the decrypted data. However, this data seems truncated, as I see through the Wireshark GUI, which has the full decrypted data. I searched through the forums, where someone suggested changing ITEM_LABEL_LENGTH in epan/proto.h. So I did that and rebuilt from source; however, that also doesn't seem to help.

Any help would be appreciated. I'm using version 3.6.5

am17an
asked 2022-05-18 02:27:27 +0000

Comments

Are you using the same profile with tshark as with Wireshark? See -C on the tshark man page.

Do you have a specific example: "It's x bytes/characters long in the gui but only z long with tshark."

Text lines that are truncated should be marked as being [truncated].

Line-based text data (6 lines)
    dolore eu feugiat nulla facilisis (snip)
    consectetuer adipiscing elit, sed diam (snip)
     [truncated]Ut wisi enim ad minim veniam, (snip)
     [truncated]Nam liber tempor cum soluta (snip)
    Duis autem vel eum iriure dolor in (snip)
    At vero eos et accusam et justo duo (snip)
Chuckc (2022-05-18 13:39:55 +0000)
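A small helper for producing the specifics the comment above asks for (which text lines carry the [truncated] marker, and how many characters of each are shown). It is an example added here, not part of the original thread or of Wireshark. It assumes tshark's verbose text output is laid out as in the quoted excerpt; the function names and the trailing "Frame 2" line are constructed.

```python
import re

# Sample copied from the excerpt quoted in the comment above; the final
# "Frame 2" line is constructed to show where a block ends.
SAMPLE = """\
Line-based text data (6 lines)
    dolore eu feugiat nulla facilisis (snip)
    consectetuer adipiscing elit, sed diam (snip)
     [truncated]Ut wisi enim ad minim veniam, (snip)
     [truncated]Nam liber tempor cum soluta (snip)
    Duis autem vel eum iriure dolor in (snip)
    At vero eos et accusam et justo duo (snip)
Frame 2: constructed next-packet header
"""

HEADER = re.compile(r"^Line-based text data.*\((\d+) lines?\)")
MARK = "[truncated]"


def scan_text_lines(dump):
    """Return one report per 'Line-based text data' block in the dump."""
    reports, current = [], None
    for raw in dump.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {"declared": int(m.group(1)), "lines": []}
            reports.append(current)
        elif current is not None and raw[:1].isspace():
            text = raw.strip()
            cut = text.startswith(MARK)
            shown = text[len(MARK):] if cut else text
            current["lines"].append({"truncated": cut, "shown_chars": len(shown)})
        else:
            current = None  # unindented or empty line: the block has ended
    return reports


def truncated_indexes(report):
    """1-based positions of the lines marked as cut short in the output."""
    return [i for i, ln in enumerate(report["lines"], 1) if ln["truncated"]]


if __name__ == "__main__":
    for rep in scan_text_lines(SAMPLE):
        print(rep["declared"], "declared,", len(rep["lines"]), "seen,",
              "truncated at", truncated_indexes(rep))
```

Running it on saved output from both the GUI export and tshark gives comparable per-line numbers to post back to the thread.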