Instant Traffic Analysis with Tshark How-to (book)

by Borja Merino
April 2013
Content level: Intermediate to advanced
68 pages
1h 32m
English
Packt Publishing
Content preview from Instant Traffic Analysis with Tshark How-to

Decoding protocols (Become an expert)

In this recipe we will see how to force Tshark to use the correct dissector when a protocol runs on an uncommon port. We will also see how to decode SSL traffic through a real example.

How to do it...

  1. In the following example, a user has established an SSH connection on port 1865 (instead of 22). If we dump one of these packets, we see that Tshark tries to interpret the protocol as LeCroy VICP instead of SSH:
    bmerino@Mordor:/$ tshark -r ssh.pcap -R "frame.number==9" -V | grep "LeCroy VICP" -A 5
    LeCroy VICP
        Operation: 0x35
        Protocol version: 54
        Sequence number: 44
        Unused: 0x61
        Data length: 1919116911
    
  2. This occurs because Tshark has registered in its dissector table that protocol on port 1865. We can verify ...
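The fix the excerpt is leading up to, as an added shell example that is not the book's own code: tshark's -d (decode-as) option binds the SSH dissector to TCP port 1865 for one run, and tshark -G decodes reveals which dissector a port is registered to in the dissector table. It assumes a current tshark (-Y is the display filter; the 2013 excerpt uses -R), a capture file named ssh.pcap, and that -G decodes prints tab-separated "table selector dissector" lines.

```shell
#!/bin/sh
# Added example, not from the book. Force a dissector on a non-standard port
# and inspect tshark's decode-as table. Assumes tshark >= 1.10 (-Y display
# filter) and that "tshark -G decodes" emits "<table>\t<selector>\t<proto>".

PCAP="${PCAP:-ssh.pcap}"   # capture name taken from the excerpt (assumed)

# Build the decode-as selector, e.g. "tcp.port==1865,ssh".
decode_as_spec() {
    port="$1"; proto="$2"
    printf 'tcp.port==%s,%s' "$port" "$proto"
}

# Print the dissector currently bound to a TCP port in tshark's decode-as
# table. Prints nothing (and does not fail) when tshark is not installed.
port_dissector() {
    port="$1"
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 0; }
    tshark -G decodes 2>/dev/null |
        awk -v p="$port" -F'\t' '$1 == "tcp.port" && $2 == p { print $3 }'
}

# Re-dissect one frame with the forced dissector and show the protocol tree,
# i.e. the excerpt's command with -d added and -R replaced by -Y.
show_frame() {
    pcap="$1"; frame="$2"; port="$3"; proto="$4"
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 0; }
    tshark -r "$pcap" -d "$(decode_as_spec "$port" "$proto")" \
           -Y "frame.number==$frame" -V
}

# Usage: see what port 1865 resolves to today, then re-dissect frame 9 as SSH.
echo "tcp.port 1865 currently decodes as: $(port_dissector 1865)"
if [ -f "$PCAP" ]; then
    show_frame "$PCAP" 9 1865 ssh
fi
```

Once the frame dissects as SSH the LeCroy VICP tree disappears and the SSH protocol fields appear in its place; the -d binding lasts only for that tshark run, so it does not alter the global dissector table.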

ISBN: 9781782165385