Wireshark-bugs: [Wireshark-bugs] [Bug 3444] Need the ability to export SSL decrypted captures
Peter Wu
changed
bug 3444
What |
Removed |
Added |
CC |
|
peter@lekensteyn.nl
|
Comment # 28
on bug 3444
from Peter Wu
(In reply to Alexis La Goutte from comment #27)
> Add CLI (and qtshark) version ? ;-)
So I looked briefly into this and there are some points for consideration:
do_export_pdu calls simple_dialog which is only defined for GTK and Qt. Since
there are only two callers, what about changing this to pass the error code to
the caller via an "out" parameter?
AFAICS, we now have this filter flow:
read file
apply read filter
apply display filter (and output columns, or details with -V)
write filtered result to file
Since live captures write to file directly (via dumpcap), we have the
limitation that PDU exports cannot be done just like a display filter cannot be
applied.
The naive approach would be adding an option "-z
pdu-export,output_file,tap_name[,filter]" which matches the other tap
listeners, but has two problems:
- The option does not just do "statistics", it writes a file unlike other
listeners.
- It always creates two files if you use: tshark -r input.pcap -w output.pcap
-z pdu-export,exported.pcap,ssl -Y ssl (one for the display-filtered packets,
another where higher-level frames are stripped.)
I prefer a new option to apply the PDU export filter ("-U tap_name[,filter]")
and use -w to specify the output file:
tshark -r input.pcap -w output.pcap -U ssl -w exported.pcap
Possible implementations:
- Set the dissector output to /dev/null and let the export filter own the
output file instead.
- Modify the dissection routine to apply the export earlier. Possible
advantage: -V now displays the exported PDU. Disadvantage: sounds complex.
I'll try to make implement the -U option with the first implementation option.
Opinions are welcome?
You are receiving this mail because:
- You are the assignee for the bug.
- You are watching all bug changes.