Added ability to force SSL dissector for tcp ports. See PAS-27 master

--- a/Docs/OverridingConfiguration.md
+++ b/Docs/OverridingConfiguration.md
@@ -54,3 +54,12 @@
 
 
 
+SSL Ports 
+-----------
+
+[PAS-27](http://projects.bentasker.co.uk/jira_projects/browse/PAS-27.html) introduced the ability to force connections to specific ports to be assumed as SSL. The dissectors do a good job of identifying SSL traffic, but will miss some where non-standard ports have been used. If a port number is known, a value can be set for it within the script configuration
+
+    SSLPorts="1193 1473"
+
+Ports should be space seperated and will not prevent analysis of known standard ports (e.g. 443). Currently this is only applied for TCP connections
+
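Review bot: the new "SSL Ports" section does not mention that the script already ships a default list (`SSLPorts=${SSLPorts:-"9035 12194 9001"}` in PCAP_Analysis.sh), so a reader who sets `SSLPorts="1193 1473"` as shown will replace those defaults without realising it. Suggest documenting the default value and stating that an override replaces it rather than adding to it. Minor: "seperated" in the last paragraph should be "separated", and the heading underline is two characters longer than "SSL Ports".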

--- a/PCAP_Analysis.sh
+++ b/PCAP_Analysis.sh
@@ -376,6 +376,15 @@
 PASSIVE_ONLY=${PASSIVE_ONLY:-0}
 STANDARD_FIELDS="-e frame.time_epoch -e ip.src -e ip.dst -e ipv6.src -e ipv6.dst -e tcp.srcport -e tcp.dstport"
 
+# Build the forced SSL dissector argument (PAS-27)
+SSLPorts=${SSLPorts:-"9035 12194 9001"}
+SSLARGS=''
+for i in $SSLPorts 
+do
+      SSLARGS+="-d tcp.port==$i,ssl "
+done
+
+echo $SSLARGS
 mkdir -p "$TMPDIR"
 echo "Starting, using ${TMPDIR} for temp files"
 echo "Processing PCAP"
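Review bot: `echo $SSLARGS` directly before `mkdir -p "$TMPDIR"` looks like leftover debug output; it prints the raw tshark arguments ahead of the "Starting, using ..." banner on every run and should be removed or put behind a debug switch. In the loop above it, each `$i` is interpolated into `-d tcp.port==$i,ssl` with no check that it is a number, and SSLPorts comes from user configuration, so a typo there ends up as a malformed `-d` argument to tshark; consider skipping or rejecting entries that are not purely digits. The loop body is also indented six spaces, which is worth aligning with the rest of the script.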
@@ -400,7 +409,7 @@
 
 printf "\tAnalysing SSL/TLS traffic\n"
 # Extract information from the SSL/TLS sessions we can see
-tshark -q -r "$PCAP" -Y "ssl.handshake" -T fields $STANDARD_FIELDS \
+tshark -q -r "$PCAP" $SSLARGS -Y "ssl.handshake" -T fields $STANDARD_FIELDS \
 -e ssl.handshake.extensions_server_name -e ssl.handshake.ciphersuite -e x509sat.printableString > "${TMPDIR}/sslrequests.txt"
 
 printf "\tExtracting Mail related traffic\n"
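Review bot: `$SSLARGS` is expanded unquoted in the tshark call, so the command line depends on shell word splitting (and glob expansion) of a string built from user-supplied configuration. It works for plain port numbers, but building the arguments as an array and expanding it as `"${SSLARGS[@]}"` would keep each `-d` and its value as separate, intact words regardless of what the config contains. Since the string form uses `+=` already, an array adds no new portability requirement.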