
tshark SSH Packets Encrypted After Saving to File

I am trying to collect SSH packets on a file transfer server so that I can tell who would be affected by a reduced cipher list. I am using dumpcap to gather certain packets...

H:\>"D:\Program Files\Wireshark\dumpcap.exe" -i Ethernet0 -f "port 22 && dst host 10.151.30.55" -w D:\SFTPCapture\serverA.pcapng -b files:3 -b duration:300 -n

... Then I am using tshark to further filter and save the packets that I need that tell me what ciphers the client is able to use...

H:\>"D:\Program Files\Wireshark\tshark.exe" -r "D:\SFTPCapture\serverA_00019_20220823122517.pcapng" -Y "(ssh.message_code == 20) && (ssh.direction == 0)" -w "D:\SFTPCapture\test.pcapng"

... When I omit -w <outfile>, I can see in Command Prompt the packets as I would expect. In addition, I can open "D:\SFTPCapture\serverA_00019_20220823122517.pcapng" in Wireshark, filter the packets, and save the desired packets as expected. The issue is that when saving the output from tshark using -w <outfile>, all of the packets say that they are encrypted. What is stranger still is that if I omit "ssh.message_code == 20) && " from the filter, the packets are no longer encrypted, but I end up with more packets than I need.

How do I save the filtered packets to a pcapng file so that ssh message 20 is still human readable and I can tell what ciphers the clients are using?

haverland389
asked 2022-08-23 19:11:28 +0000

1 Answer


You'll need to store the packets with the SSH protocol exchange as well for the dissector to be able to make sense of this.

What you could do is filter out the first part of the TCP stream, say with tcp.seq < 1500

Jaap
answered 2022-08-23 20:35:00 +0000

Comments

(ssh.protocol or (ssh.message_code == 20)) && (ssh.direction == 0)

Chuckc (2022-08-24 03:54:27 +0000)

@Chuckc That should do it as well, thanks for looking that up.

Jaap (2022-08-24 08:09:34 +0000)

Thank you. Both filters retained the data I need to collect. Unfortunately, they keep a lot more packets than I need and I need to collect packets for at least a week due to the frequency of how often some accounts log into the file transfer server. Is this about the only way to save out a pcapng and retain the data?

At this time, I am outputting the data in JSON format and then doing some additional manipulation to create and load objects in PowerShell. This is also retaining the data that I need, but seems more "hacky".

Current tshark command...

"D:\Program Files\Wireshark\tshark.exe" -r "D:\SFTPCapture\serverA_00038_20220823140023.pcapng" -Y "(ssh.message_code == 20) && (ssh.direction == 0)" -T json >> "D:\SFTPCapture\collection.json"

haverland389 (2022-08-24 13:40:02 +0000)

Yes, this is the only way to save a pcapng file and allow for human readable dissection when loaded again. If you are worried about file size, you should be able to spool these through gzip to get highly compressed versions of it, which can be directly read into Wireshark if needed.

Jaap (2022-08-24 14:43:02 +0000)

How much smaller could you make it if you only collect the fields needed in your later processing step?
-T json will accept the -e option to specify fields. From the tshark man page:

-e <field>
Add a field to the list of fields to display if -T ek|fields|json|pdml is selected. This option can be used multiple times on the command line.

Chuckc (2022-08-25 00:12:22 +0000)
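Once the client KEXINIT fields are extracted (the thread's filter plus -T fields -e ...), the underlying question, which clients would break under a reduced cipher list, can be answered offline. The following is an added example, not code from this thread: it parses tab-separated tshark field output (a constructed sample is embedded; the allowed-algorithm sets stand in for a hypothetical reduced server configuration) and reports each client IP whose offered ciphers or MACs would no longer overlap with the server's list.

```python
import csv
import io

# Constructed sample (not real capture data) of what tshark emits when the
# thread's filter is combined with field extraction, e.g.
#   tshark -r serverA.pcapng \
#     -Y "(ssh.protocol or ssh.message_code == 20) && ssh.direction == 0" \
#     -T fields -E header=y -E separator=/t \
#     -e ip.src -e ssh.encryption_algorithms_client_to_server \
#     -e ssh.mac_algorithms_client_to_server
# Only the KEXINIT rows carry algorithm lists; version-exchange rows are blank.
SAMPLE_TSV = (
    "ip.src\tssh.encryption_algorithms_client_to_server\t"
    "ssh.mac_algorithms_client_to_server\n"
    "10.151.40.12\t\t\n"
    "10.151.40.12\taes128-ctr,aes256-ctr,aes128-gcm@openssh.com\thmac-sha2-256,hmac-sha2-512\n"
    "10.151.40.13\taes128-cbc,3des-cbc\thmac-sha1,hmac-md5\n"
    "10.151.40.14\taes256-gcm@openssh.com,aes256-ctr\thmac-sha2-512\n"
)

# Hypothetical reduced server configuration being evaluated (assumption, not from the thread).
ALLOWED_CIPHERS = {"aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes128-ctr"}
ALLOWED_MACS = {"hmac-sha2-256", "hmac-sha2-512"}


def kexinit_offers(tsv_text):
    """Yield (client_ip, ciphers, macs) for every client KEXINIT row."""
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        ciphers = [a for a in row["ssh.encryption_algorithms_client_to_server"].split(",") if a]
        macs = [a for a in row["ssh.mac_algorithms_client_to_server"].split(",") if a]
        if ciphers:  # skip protocol-version rows, which carry no KEXINIT fields
            yield row["ip.src"], ciphers, macs


def negotiated(client_offer, server_allowed):
    """RFC 4253 section 7.1: the first client-preferred algorithm the server also accepts."""
    return next((a for a in client_offer if a in server_allowed), None)


def clients_affected(tsv_text, allowed_ciphers=ALLOWED_CIPHERS, allowed_macs=ALLOWED_MACS):
    """Map client IP -> which negotiations (cipher, mac) would fail after the reduction."""
    affected = {}
    for ip, ciphers, macs in kexinit_offers(tsv_text):
        failures = []
        if negotiated(ciphers, allowed_ciphers) is None:
            failures.append("cipher")
        if negotiated(macs, allowed_macs) is None:
            failures.append("mac")
        if failures:
            affected.setdefault(ip, set()).update(failures)
    return {ip: sorted(f) for ip, f in affected.items()}
```

Because the KEXINIT list is ordered by client preference, negotiated() also shows which algorithm a surviving client would actually end up using, not just whether it survives.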