Using tshark you can get a hexdump for every certificate in a pcap using this command:

tshark -n -Tfields -e tls.handshake.certificate -Y tls.handshake.certificate -r "$pcapfile"

A TLS certificate message may contain multiple certificates. To split them up, one per line, pipe the output of tshark through the command tr , '\n'.
And to deduplicate the certificates found, pipe the output through the sort -u command.

The next step is to convert the hexdump into a useful format, for example by converting it into PEM format by piping the output to this Perl script:

#!/bin/perl
use strict;
use MIME::Base64;
my $count = 0;
while (<>) {
    chomp;               # drop the newline so pack "H*" only sees hex digits
    next unless length;  # skip empty input lines
    open(FH, '>', sprintf("cert%03d.pem", ++$count)) or die $!;
    # encode_base64 already ends its output with a newline
    print FH "-----BEGIN CERTIFICATE-----\n" . encode_base64(pack "H*", $_)
        . "-----END CERTIFICATE-----\n";
    close(FH);
}
print "Converted $count certs\n";

(Note in Windows you can open these files when the extension is .crt.)

And finally, to convert it to DER format, loop over the files:

for i in *.pem; do openssl x509 -in "$i" -out "${i%.pem}.der" -outform DER; done

The next step is to convert the hexdump into a useful format, for example by converting it into DER format by piping the output to this Perl script:

#!/bin/perl
use strict;
use MIME::Base64;
my $count = 0;
while (<>) {
    chomp;               # drop the newline so pack "H*" only sees hex digits
    next unless length;  # skip empty input lines
    open(FH, '>', sprintf("cert%03d.cer", ++$count)) or die $!;
    binmode(FH);         # DER is binary; avoid newline translation
    print FH (pack "H*", $_);
    close(FH);
}
print "Converted $count certs\n";

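
A Python version of the split, deduplicate and convert steps, added here as an example and not part of the original answer. It goes one step further by checking that each blob's outer DER length matches its byte count, which flags certificates cut short in the capture. The function names and the sample hex lines are constructed for illustration (the blobs are minimal DER sequences, not real certificates).

```python
import base64
import hashlib
import textwrap

# Constructed sample of tshark field output: two blobs in one message,
# a repeat of the first, and a blob whose DER header promises 500 bytes.
SAMPLE_LINES = ["3003020101,30030201ff\n", "3003020101\n", "308201f40201\n"]

def der_total_length(blob: bytes) -> int:
    """Return header + content length of the outer DER SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def extract_certs(tshark_lines):
    """Split comma-separated hex fields, deduplicate, keep complete blobs."""
    certs, rejected, seen = [], [], set()
    for line in tshark_lines:
        for field in line.strip().lower().split(","):
            if not field or field in seen:
                continue
            seen.add(field)
            try:
                der = bytes.fromhex(field)
                if der_total_length(der) != len(der):
                    raise ValueError("length mismatch (truncated capture?)")
            except ValueError as exc:
                rejected.append((field[:16], str(exc)))
                continue
            certs.append(der)
    return certs, rejected

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-character base64 lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

if __name__ == "__main__":
    good, bad = extract_certs(SAMPLE_LINES)
    for der in good:
        print(sha256_fingerprint(der), len(der), "bytes")
    for prefix, reason in bad:
        print("rejected", prefix, reason)
```

With real tshark output, pass the open pipe or file object to extract_certs in place of SAMPLE_LINES and write each returned blob to its own .der file.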