Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2021-10-22 17:13:47 +0000

André gravatar image

Using tshark you can get a hexdump for every certificate in a pcap using this command:

tshark -n -Tfields -e tls.handshake.certificate -Y tls.handshake.certificate -r $pcapfile

A TLS certificate message may contain multiple certificates. To split them up, one per line, pipe the output of tshark through the command tr , '\n'.
And to deduplicate the certificates found pipe the output sort -u command.

Next step is to convert the hexdump into a useful format. For example by converting into PEM format by piping the output to this Perl script:

#!/bin/perl
use strict;
use MIME::Base64;
my $count = 0;
while (<>) {
    open(FH, '>', sprintf("cert%03d.pem", ++$count)) or die $!;
    print FH  "-----BEGIN CERTIFICATE-----\n" . encode_base64(pack "H*", $_)
        . "\n-----END CERTIFICATE-----\n";;
    close(FH);
}
print "Converted $count certs\n";

(Note in Windows you can open these files when the extension is .crt.)

And finally to convert it to DER format loop over the files:

 for i in *.pem; do openssl x509 -in $i -out ${i%.pem}.der -outform DER; done

Using tshark you can get a hexdump for every certificate in a pcap using this command:

tshark -n -Tfields -e tls.handshake.certificate -Y tls.handshake.certificate -r $pcapfile

A TLS certificate message may contain multiple certificates. To split them up, one per line, pipe the output of tshark through the command tr , '\n'.
And to deduplicate the certificates found pipe the output through sort -u command.

Next step is to convert the hexdump into a useful format. For example by converting into PEM format by piping the output to this Perl script:

#!/bin/perl
use strict;
use MIME::Base64;
my $count = 0;
while (<>) {
    open(FH, '>', sprintf("cert%03d.pem", ++$count)) or die $!;
    print FH  "-----BEGIN CERTIFICATE-----\n" . encode_base64(pack "H*", $_)
        . "\n-----END CERTIFICATE-----\n";;
    close(FH);
}
print "Converted $count certs\n";

(Note in Windows you can open these files when the extension is .crt.)

And finally to convert it to DER format loop over the files:

 for i in *.pem; do openssl x509 -in $i -out ${i%.pem}.der -outform DER; done

Using tshark you can get a hexdump for every certificate in a pcap using this command:

tshark -n -Tfields -e tls.handshake.certificate -Y tls.handshake.certificate -r $pcapfile

A TLS certificate message may contain multiple certificates. To split them up, one per line, pipe the output of tshark through the command tr , '\n'.
And to deduplicate the certificates found pipe the output through sort -u command.

Next step is to convert the hexdump into a useful format. For example by converting into PEM DER format by piping the output to this Perl script:

#!/bin/perl
use strict;
use MIME::Base64;
my $count = 0;
while (<>) {
    open(FH, '>', sprintf("cert%03d.pem", sprintf("cert%03d.cer", ++$count)) or die $!;
    print FH  "-----BEGIN CERTIFICATE-----\n" . encode_base64(pack (pack "H*", $_)
        . "\n-----END CERTIFICATE-----\n";;
$_);
    close(FH);
}
print "Converted $count certs\n";

(Note in Windows you can open these files when the extension is .crt.)

And finally to convert it to DER format loop over the files:

 for i in *.pem; do openssl x509 -in $i -out ${i%.pem}.der -outform DER; done