Decoding protocols (Become an expert)
In this recipe we will see how to force Tshark to use the correct dissector when a certain protocol runs on an uncommon port. We will also see how to decode SSL traffic through a real example.
How to do it...
- In the following example, a user has established an SSH connection on port 1865 (instead of 22). If we dump one of these packets, we see that Tshark tries to interpret the protocol as LeCroy VICP instead of SSH:
bmerino@Mordor:/$ tshark -r ssh.pcap -R "frame.number==9" -V | grep "LeCroy VICP" -A 5
LeCroy VICP
    Operation: 0x35
    Protocol version: 54
    Sequence number: 44
    Unused: 0x61
    Data length: 1919116911
- This occurs because Tshark has registered in its dissector table that protocol on port 1865. We can verify ...
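The misdecoding above happens because the dissector is chosen by port, not by content. The following added example (not from the book) shows the content-based check an analyst can run to spot SSH on a non-standard port: it parses a classic pcap, looks for the "SSH-" version banner in TCP payloads that do not involve port 22, and reports the matching ports so the capture can be re-read with Tshark's decode-as option (`-d tcp.port==1865,ssh`). The pcap bytes, addresses, ports and banner strings are constructed inline for the example; the helper and function names are the example's own.

```python
import struct

SSH_BANNER = b"SSH-"  # every SSH session opens with a "SSH-<version>" identification string


def build_ipv4_tcp_frame(src_port, dst_port, payload):
    """Build an Ethernet/IPv4/TCP frame with the given payload (constructed sample;
    checksums are left at zero because nothing here validates them)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (link type 1 = Ethernet)."""
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [global_header]
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len
        records.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(records)


def iter_tcp_payloads(pcap_bytes):
    """Yield (src_port, dst_port, payload) for every IPv4/TCP frame in a classic pcap."""
    if len(pcap_bytes) < 24:
        return
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if link_type != 1:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue  # not TCP
        ip_total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + ip_total]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield sport, dport, tcp[data_off:]


def find_ssh_on_nonstandard_ports(pcap_bytes, standard_port=22):
    """Return (src_port, dst_port, banner) for SSH banners seen on ports other than 22."""
    hits = []
    for sport, dport, payload in iter_tcp_payloads(pcap_bytes):
        if payload.startswith(SSH_BANNER) and standard_port not in (sport, dport):
            banner = payload.split(b"\r\n")[0].decode("ascii", "replace")
            hits.append((sport, dport, banner))
    return hits


def tshark_decode_as_args(port, proto="ssh"):
    """Build the tshark decode-as arguments that force the dissector for that port."""
    return ["-d", f"tcp.port=={port},{proto}"]


# Constructed sample capture: SSH on 1865 (the book's case), HTTP on 80, SSH on 22.
SAMPLE_PCAP = build_pcap([
    build_ipv4_tcp_frame(51234, 1865, b"SSH-2.0-OpenSSH_8.9\r\n"),
    build_ipv4_tcp_frame(51235, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_ipv4_tcp_frame(51236, 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
])

if __name__ == "__main__":
    for sport, dport, banner in find_ssh_on_nonstandard_ports(SAMPLE_PCAP):
        args = " ".join(tshark_decode_as_args(dport))
        print(f"{sport} -> {dport}: {banner}  (re-read with: tshark -r ssh.pcap {args})")
```

Running the script flags only the 1865 session and prints the matching decode-as invocation; the banner check is the same kind of content-based identification that Wireshark's heuristic dissectors perform, and it is what makes a port-based misdecode like the LeCroy VICP one above visible.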