extract certificate info with TSHARK

Question

Is there a way to extract certificate infomation that is viewable from wireshark in tshark? For example, fields like common name, organization, serial number.

Answer 1

sure, you can run tshark in verbose mode and then parse the output with a script:

tshark -nr ssl.pcapng -2 -R "ssl.handshake.certificate" -V > out.txt

Example output:

               Certificate (id-at-commonName=ssl4338.cloudflare.com,id-at-organizationName=CloudFlare, Inc.,id-at-localtyName=San Francisco,id-at-stateOrProvinceName=CA,id-at-countryName=US)
                       version: v3 (2)
                       serialNumber : 0x1121c2cb499715e11699032fa4a393e81d90
                       validity
                           notBefore: utcTime (0)
                               utcTime: 14-10-15 03:29:31 (UTC)
                           notAfter: utcTime (0)
                               utcTime: 15-10-11 15:31:39 (UTC)

As an alternative, you can print whatever field sounds interesting for you: https://www.wireshark.org/docs/dfref/s/ssl.html

tshark -nr ssl.pcapng -2 -R "ssl.handshake.certificate" -T fields -e xxxx -e yyyy

Please replace xxxx and yyyy with fields listed in the reference.

Regards
Kurt

Answer 2

For printing the certificate, I couldn't find any fields that list the url of the certificate (that work, anyway. ssl.handshake.cert_url.url_hash (URL and Hash) looked promising, but didn't give me anything on tshark 1.12.4. I finally wound up doing this: tshark -nr ssl.pcap -R "ssl.handshake.certificate" -V | grep "Certificate (id-at-commonName=" | sort | uniq > certs.txt

It would be nice if ssl.handshake.cert_url just gave you something like "amazon.com"