
Instant Traffic Analysis with Tshark How-to by Borja Merino


Decoding protocols (Become an expert)

In this recipe we will see how to force Tshark to use the correct dissector when a certain protocol runs on an uncommon port. We will also see how to decode SSL traffic through a real example.

How to do it...

  1. In the following example, a user has established an SSH connection on port 1865 (instead of 22). If we dump one of these packets, we see that Tshark tries to interpret that protocol as LeCroy VICP instead of SSH:
    bmerino@Mordor:/$ tshark -r ssh.pcap -R "frame.number==9" -V | grep "LeCroy VICP" -A 5
    LeCroy VICP
        Operation: 0x35
        Protocol version: 54
        Sequence number: 44
        Unused: 0x61
        Data length: 1919116911
    
  2. This occurs because Tshark has registered in its dissector table that protocol on port 1865. We can verify ...
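The misdissection in step 1 can be reproduced by hand. The following is an added example, not from the book: it feeds a constructed 8-byte slice of an SSH key-exchange algorithm list (`56,arcfo`, from `...hmac-sha2-256,arcfour256...`) through the fixed VICP header layout (assumed here: operation, version, sequence, unused byte, 4-byte big-endian length) and shows that it yields exactly the values Tshark printed above, plus two cheap plausibility checks an analyst can apply before trusting a port-based dissection.

```python
import struct

# Constructed sample payload: ASCII from the middle of an SSH key-exchange
# algorithm list, NOT a real VICP message. Only the first 8 bytes matter.
SAMPLE_PAYLOAD = b"56,arcfo" + b"ur256,aes128-ctr"

# Assumed LeCroy VICP header layout: operation, protocol version,
# sequence number, unused byte, then a 4-byte big-endian data length.
VICP_HEADER = struct.Struct(">BBBBI")


def dissect_as_vicp(payload: bytes) -> dict:
    """Interpret the first 8 bytes of payload as a VICP header, as a
    port-based dissector would, regardless of what the bytes really are."""
    op, version, seq, unused, length = VICP_HEADER.unpack_from(payload, 0)
    return {
        "operation": op,
        "protocol_version": version,
        "sequence_number": seq,
        "unused": unused,
        "data_length": length,
    }


def vicp_dissection_is_plausible(payload: bytes) -> bool:
    """Sanity check: the advertised data length must fit inside the packet.
    1919116911 bytes in a single TCP segment is a clear sign of misparsing."""
    hdr = dissect_as_vicp(payload)
    return hdr["data_length"] <= len(payload) - VICP_HEADER.size


def looks_like_ssh_text(payload: bytes) -> bool:
    """SSH banners and algorithm lists are printable ASCII; a binary VICP
    header would not normally be. Eight printable bytes suggest misdissection."""
    return all(0x20 <= b < 0x7F for b in payload[:8])


if __name__ == "__main__":
    hdr = dissect_as_vicp(SAMPLE_PAYLOAD)
    print(f"Operation: {hdr['operation']:#x}")            # 0x35
    print(f"Protocol version: {hdr['protocol_version']}")  # 54
    print(f"Sequence number: {hdr['sequence_number']}")    # 44
    print(f"Unused: {hdr['unused']:#x}")                   # 0x61
    print(f"Data length: {hdr['data_length']}")            # 1919116911
    print("plausible VICP:", vicp_dissection_is_plausible(SAMPLE_PAYLOAD))
    print("printable ASCII (SSH-like):", looks_like_ssh_text(SAMPLE_PAYLOAD))
```

Once the misdissection is confirmed, Tshark's decode-as option (`-d tcp.port==1865,ssh`) overrides the port-based table so the SSH dissector is used for that conversation.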
