Is there a way to extract certificate infomation that is viewable from wireshark in tshark? For example, fields like common name, organization, serial number.
asked 30 Mar '15, 12:27
sure, you can run tshark in verbose mode and then parse the output with a script:
As an alternative, you can print whatever field sounds interesting for you: https://www.wireshark.org/docs/dfref/s/ssl.html
Please replace xxxx and yyyy with fields listed in the reference.
answered 30 Mar '15, 13:01
Kurt Knochner ♦
For printing the certificate, I couldn't find any fields that list the url of the certificate (that work, anyway. ssl.handshake.cert_url.url_hash (URL and Hash) looked promising, but didn't give me anything on tshark 1.12.4. I finally wound up doing this: tshark -nr ssl.pcap -R "ssl.handshake.certificate" -V | grep "Certificate (id-at-commonName=" | sort | uniq > certs.txt
It would be nice if ssl.handshake.cert_url just gave you something like "amazon.com"
answered 08 Apr '15, 11:45