TShark does a good job of picking out SSL/TLS connections, but sometimes misses things where non-standard ports have been used.
For example, looking at a PCAP where a tor client has been started, there's a guard using port 9035 as its ORPort so we get no information from that at all.
If running tshark manually, we'd pass in
-d tcp.port==9035,ssl
to force use of the SSL dissector for that port, so it'd be good to have some means in the configuration to specify particular ports (as well as the defaults) that we want treated as SSL/TLS.
It'd allow a user to iterate over a PCAP, looking at the dest ip/ports list to identify unexpected port numbers and then re-run treating those as SSL.
Activity
2016-02-03 13:44:51
Where port numbers are space separated.
The script will force the SSL dissector to be used for TCP connections to those ports (as well as the standard ports, like 443)
The default value hardcoded within the script is currently
Where the first two of the above are common variations I've seen for various services. 9001 is the old default ORPort for Tor (though I think the dissector actually catches this by default anyway).
Will commit once I've had a chance to test it
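The workflow from the issue description (list destination ip/ports, then re-run with the odd ports forced through the SSL dissector) and the space-separated port setting described in the comment, as an added example. This is not the project's script; the variable name SSL_PORTS, its default list and the helper names are assumptions, and 8443 is a constructed sample value.

```sh
#!/bin/sh
# Added example, not the script from the issue. SSL_PORTS and its default
# list are assumed names/values standing in for the page's own setting.

# Extra TCP ports to hand to the SSL dissector, space separated, as the
# comment describes. 9035 is the ORPort seen in the PCAP discussed and
# 9001 the old Tor default; 8443 is a constructed sample value.
SSL_PORTS="${SSL_PORTS:-9035 8443 9001}"

# Turn a space-separated port list into "-d tcp.port==N,ssl" options.
# Fails (non-zero, message on stderr) on anything that is not a TCP port
# number, so a typo in the setting is caught before tshark runs.
build_decode_as_args() {
    ports=$1
    args=""
    for p in $ports; do
        case $p in
            ''|*[!0-9]*)
                echo "invalid port '$p': not a number" >&2
                return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "invalid port '$p': outside 1-65535" >&2
            return 1
        fi
        args="$args${args:+ }-d tcp.port==$p,ssl"
    done
    printf '%s\n' "$args"
}

# Step 1 of the workflow in the issue: list destination ip/ports from TCP
# SYNs so unexpected port numbers stand out.
list_dest_ports() {
    tshark -r "$1" -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
        -T fields -e ip.dst -e tcp.dstport | sort | uniq -c | sort -rn
}

# Step 2: re-run with the extra ports forced through the SSL dissector and
# pull out ClientHello destinations plus the SNI they carry.
list_ssl_hellos() {
    pcap=$1
    decode=$(build_decode_as_args "$SSL_PORTS") || return 1
    # $decode is deliberately unquoted: it is a list of separate arguments.
    tshark -r "$pcap" $decode -Y 'ssl.handshake.type==1' \
        -T fields -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name
}

# Usage: ./ssl_ports.sh capture.pcap
if [ -n "$1" ]; then
    list_dest_ports "$1"
    list_ssl_hellos "$1"
fi
```

Because the port list is validated before it reaches tshark, a bad value in the setting produces a clear error instead of a confusing dissector complaint. Newer Wireshark releases call the dissector tls rather than ssl; the page predates that rename, so the example keeps ssl.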