This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark - How to extract certificate from radius eap packet

1

I am looking for a way using programming in Python to extract from a Radius sniffer trace the EAP packet flow, which includes e.g. the Server Hello and therefore the Server certificate. So far I am using tshark to extract the Radius packet containing the EAP Server Hello with the fragments already reassembled. I can store this packet in PDML format. There I can see all the bytes of the certificate. Let's say I would be able to build the string/list of bytes from the certificate. Question: How could I now build from all those bytes e.g. a DER or PEM formatted certificate file?

In the Wireshark GUI the certificate can be saved as Extracted Bytes in DER format manually, but I need the certificate automatically extracted using some Python programming. http://www.wireshark.org/lists/wireshark-users/201003/msg00080.html

Thx for your valid input!

asked 14 Mar '14, 18:32

RogNob
16112
accept rate: 0%


2 Answers:

0

> I can store this packet in PDML format. There I can see all the bytes of the certificate.
> but I need the certificate automatically extracted using some Python programming

Hm.. that sounds more like a Python programming specific problem, right? You did everything right (with tshark) to get the 'extract' payload of the frames. Reading the tshark output and creating a certificate from that data with Python is a programming exercise, and I'm sure you will get (much better) answers in a Python programming forum or at http://stackoverflow.com

Regards
Kurt

answered 15 Mar '14, 13:25

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Hi Kurt, indeed I asked the question there as well. However, since Wireshark can save the certificate directly as per the link above, I hoped this may also be possible using tshark. Maybe you know if I have all the bytes from PDML. How to progress to get the certificate in DER or PEM format? I did save the bytes as certificate.der or certificate.pem but cannot open the certificate. Best regards, Roger

(16 Mar '14, 11:47) RogNob

> I hoped this may also be possible using tshark.

no, that's not possible, as it is not implemented. So, all you can do is to parse the payload bytes and try to create a cert based on that data. As I mentioned, that's a programming exercise.

> Maybe you know if I have all the bytes from PDML.

I can't tell you, as you did not post the PDML output, but in general PDML will print the full payload, afaik.

> How to progress to get the certificate in DER or PEM format?

Here are the necessary steps.

  1. understand the PEM or DER cert format (see google for that), as that's your output format
  2. understand the format in which the cert is transmitted. Here, wireshark and some basic protocol knowledge would help.
  3. read the output of tshark, extract the relevant bytes and write them in PEM or DER format.

At least that's how I would do it.

> I did save the bytes as certificate.der or certificate.pem but cannot open the certificate.

did you check the content of the exported file? Does it look like a PEM formatted cert in an editor?

(16 Mar '14, 12:59) Kurt Knochner ♦

0

Just to update: I am now using tshark to create PDML and, with Python code using ElementTree, extract the certificate bytes, which I convert to ASCII to allow saving the certificate as a DER file.

  • extract the certificate bytes in a string: cert_string_bin
  • change the bytes into ASCII

        import binascii
        # cert_string_bin is the hex string taken from the PDML
        cert_string_der = binascii.unhexlify(cert_string_bin)

  • write the certificate file in DER format

        # binary mode, so the DER bytes are written unchanged
        with open("server_cert_of_stream_" + str(stream_counter) + ".der", "wb") as cert:
            cert.write(cert_string_der)

answered 03 Apr '14, 04:56

RogNob
16112
accept rate: 0%
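
The steps discussed in this thread (read the PDML, take the certificate bytes, write DER or PEM), as an added example that is not part of the original posts: it also checks the DER length header, so a truncated or padded byte string is rejected before it is written. Assumptions: the certificate sits in a PDML field named tls.handshake.certificate or ssl.handshake.certificate whose value attribute holds the bytes as hex; the sample PDML and the output file names are constructed.

```python
import base64
import binascii
import textwrap
import xml.etree.ElementTree as ET

# Assumed field names (tls.* in newer Wireshark builds, ssl.* in older ones).
CERT_FIELDS = {"tls.handshake.certificate", "ssl.handshake.certificate"}

# Constructed PDML fragment. The first value is a tiny DER SEQUENCE standing in
# for a certificate (not a real one); the second is deliberately truncated.
SAMPLE_PDML = """<pdml><packet><proto name="tls">
  <field name="tls.handshake.certificate" value="3003020101"/>
  <field name="tls.handshake.certificate" value="30820400aabb"/>
</proto></packet></pdml>"""

def der_is_complete(der):
    """True if der is exactly one DER SEQUENCE with no missing or extra bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                 # short form: the byte is the length
        header, body = 2, der[1]
    else:                             # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + body

def certs_from_pdml(pdml_text):
    """Return the DER bytes of every well-framed certificate field."""
    certs = []
    for field in ET.fromstring(pdml_text).iter("field"):
        if field.get("name") in CERT_FIELDS and field.get("value"):
            der = binascii.unhexlify(field.get("value"))  # hex text -> raw bytes
            if der_is_complete(der):
                certs.append(der)
    return certs

def der_to_pem(der):
    """Wrap DER bytes in the PEM envelope: base64 in 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for i, der in enumerate(certs_from_pdml(SAMPLE_PDML)):
        with open("server_cert_%d.der" % i, "wb") as fh:  # binary mode, not "w"
            fh.write(der)
        print(der_to_pem(der))
```

A file that fails the framing check usually holds the hex text itself, extra handshake bytes around the certificate, or bytes altered by a text-mode write.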