Open IrPgFKS0 opened 3 years ago
Can you please add the mercury invocation that you used here? thx!
I should clarify the above output is from tshark only (see command above for reference). Once I captured those packets with this cmd tshark -i utun0 -F pcap -w test_null.pcap, I then attempted to read them with the following commands using "pmercury" and "mercury" respectively with no output (attempting both w/ and w/o piping to jq).
python3.8 pmercury -r test_null.pcap -e -w -a -x | jq --tab
*Running in zsh shell hence redirect "> >(jq --tab .)"
./mercury -r test_null.pcap --dns-json --certs-json --metadata > >(jq --tab .)
Note: I also made another capture with this command tshark -i en10 -F pcap -w test_no_null.pcap and both "pmercury" and "mercury" output to jq as expected; "pmercury" output all the TLS packets and "mercury" output all TLS/HTTP and DNS packets (my test mix for both test_null.pcap and test_no_null.pcap).
When capturing on a tunnel interface (at least on a Mac), the L2 header information is set to Null (more details below)...
https://wiki.wireshark.org/NullLoopback
See example below... "null": { "null.family": "2" }
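
One way to confirm that a capture such as test_null.pcap uses the Null/Loopback link type described in the comment above, before handing it to a parser. This is an added example, not part of the original thread and not mercury or pmercury code; the function names and the in-memory sample capture are constructed for illustration.

```python
import struct

LINKTYPE_NULL = 0  # BSD Null/Loopback encapsulation (tunnel and loopback interfaces)
AF_INET = 2        # matches the "null.family": "2" shown in the comment above
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond pcap
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond pcap

# Constructed sample data: a 20-byte IPv4 header with no payload.
SAMPLE_IPV4 = bytes.fromhex("4500001400000000400600000a0000010a000002")

def build_sample_pcap(linktype, frames):
    """Build a little-endian classic pcap in memory (constructed test input)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def inspect_pcap(data):
    """Return (linktype, families); families holds the 4-byte Null header
    value of each frame and stays empty for any other link type."""
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0] & 0xFFFF
    families, offset = [], 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if linktype == LINKTYPE_NULL and len(frame) >= 4:
            # The family is stored in the capturing host's byte order, which
            # the file does not record; a value above 0xFFFF means swap it.
            family = struct.unpack("<I", frame[:4])[0]
            if family > 0xFFFF:
                family = struct.unpack(">I", frame[:4])[0]
            families.append(family)
    return linktype, families

if __name__ == "__main__":
    null_frame = struct.pack("<I", AF_INET) + SAMPLE_IPV4
    print(inspect_pcap(build_sample_pcap(LINKTYPE_NULL, [null_frame])))
```

To check a real capture, pass the file's bytes, for example `inspect_pcap(open("test_null.pcap", "rb").read())`; a link type of 0 means every frame starts with the 4-byte family field rather than an Ethernet header.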