566472 – net-analyzer/wireshark-1.12.8-r1 - tshark saves tcp/ssl raw streams in ascii file, content unrecoverable

Bug 566472 - net-analyzer/wireshark-1.12.8-r1 - tshark saves tcp/ssl raw streams in ascii file, content unrecoverable

Summary: net-analyzer/wireshark-1.12.8-r1 - tshark saves tcp/ssl raw streams in ascii ...

Status:	RESOLVED UPSTREAM

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Netmon project

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2015-11-22 14:41 UTC by miro.rovis
Modified:	2015-11-22 19:29 UTC (History)
CC List:	0 users

See Also:	https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11750
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description miro.rovis 2015-11-22 14:41:24 UTC

I think this is a bug, and I tried to post it on Wiresharks' bugzilla, but I couldn't do it, not with Dillo, not with Firefox.

tshark (net-analyzer/wireshark-1.12.8-r1) saves tcp/ssl raw streams in ascii
file, content unrecoverable

Since Wireshark 2.0.0 is not available in Gentoo yet, and since:

https://bugs.gentoo.org/show_bug.cgi?id=565152

I'm still using wireshark-1.12.8-r1

I explained this in (too much) detail in the thread starting from:

Wireshark-users] follow [tcp|ssl].stream with tshark 
https://www.wireshark.org/lists/wireshark-users/201511/msg00033.html 

and also on:
How to extract content from tshark-saved streams?
https://forums.gentoo.org/viewtopic-t-1033844.html

Mayve shorter now:

Download dump_150927_1848_g0n.pcap from
http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/

It all boils down to this command:

tshark -r dump_150927_1848_g0n.pcap -T fields -e data -qz follow,tcp,raw,9 \
 | egrep '[[:print:]]' > dump_150927_1848_g0n_s00009.bin

producing an ascii file from which, in the least, it takes a wizard to extract content from, in comparison with perfectly recoverable content from the file that I saved with the Wireshark, and called it:

dump_150927_1848_g0n_s00009-W.bin

You can find both files, as I obtained them in my Wireshark on my Gentoo, as well as the extracted content from, surely only, the Wireshark-saved stream at:

http://www.CroatiaFidelis.hr/foss/cap/cap-150927-TLS-why-js/Add-151121/
(the extractable content being what I extracted and posted there as:
dump_150927_1848_g0n_s00009-W.js)

Reproducible: Always




Pls use attachment from othe bug report:

https://565152.bugs.gentoo.org/attachment.cgi?id=416302

for:

emerge --info

as it hasn't really changed.

Comment 1 miro.rovis 2015-11-22 16:09:04 UTC

I managed to file a bug on this in Wireshark:

tshark saves raw stream in ascii file, content unrecoverable
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11750

Comment 2 Jeroen Roovers (RETIRED) gentoo-dev

2015-11-22 19:28:39 UTC

(In reply to miro.rovis from comment #0)
> I think this is a bug, and I tried to post it on Wiresharks' bugzilla, but I
> couldn't do it, not with Dillo, not with Firefox.

I don't see how Gentoo is responsible for wireshark's behaviour. If there is such a link, we should see upstream refer it back to us.

> Since Wireshark 2.0.0 is not available in Gentoo yet

commit 76079176be6a22502c25090057341fa96c93feb8
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Sat Nov 21 05:52:48 2015 +0100

    net-analyzer/wireshark: Version bump (bug #566180 by Pavel Půlpán).

    Package-Manager: portage-2.2.25

>, and since:

> https://bugs.gentoo.org/show_bug.cgi?id=565152

That was also referred upstream.