Not able to see client certificate in capture

asked 2021-06-24 13:53:04 +0000

Hi All,

I have captured the logs, and when I open them I am not able to see the client certificate in the info, but when I sent them to another peer they are able to see it. We are both using the same Wireshark version.

Can you please suggest how we can enable that info.


Difficult to say without access to the capture file, can you share it?
The difference may be down to profiles in use on each instance, are both Wireshark instances using the same profile?

grahamb ( 2021-06-24 14:01:52 +0000 )

Can you please share the details of where I can send the logs? Are you using Teams/Skype?

Sachin Nema ( 2021-06-24 14:14:56 +0000 )

Copy the capture to a public share, e.g. Google Drive, DropBox etc. and post a link to it back here.

grahamb ( 2021-06-24 14:21:03 +0000 )

As @grahamb stated, it's difficult to say without more information, but if I were to guess, I'd say it's likely that there are one or more differences in the applied preferences and if I were a betting man, I'd place my bet on TCP reassembly. Try comparing preferences and even performing a diff of the preferences files in use between the two systems.

cmaynard ( 2021-06-24 14:28:57 +0000 )

I have uploaded the capture file there

Sachin Nema ( 2021-06-24 14:30:12 +0000 )

1 Answer

answered 2021-06-25 12:28:32 +0000

SYN-bit

The ClientCertificate is spread over frames 10, 11 and 12. In order for Wireshark to display the certificate, it needs to reassemble those frames and then it will show the Certificate in frame 12. If you use the default Wireshark profile, this should work. If you use a custom profile, please make sure that:

  • Checksum checking is disabled in the IP and TCP protocol preferences
  • Reassembly is enabled in the TCP and the TLS protocol preferences

Tshark should give the following output for your current profile if all is set correctly:

$ tshark  -G currentprefs | egrep '^#?(ip|tcp|tls)\..*(checksum|desegment).*'
#ip.check_checksum: FALSE
#tcp.check_checksum: FALSE
#tcp.desegment_tcp_streams: TRUE
#tls.desegment_ssl_records: TRUE
#tls.desegment_ssl_application_data: TRUE
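
The check in the answer above can be scripted so that both peers run the same test against their own profile. This is an added example, not part of the original answer; the function name `check_reassembly_prefs` and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a preference dump for the settings the answer lists.
# Usage: tshark -G currentprefs | check_reassembly_prefs

# Prints one line per preference that is missing or wrong and returns the
# number of problems (0 = all five match the values shown in the answer).
check_reassembly_prefs() {
    awk '
    BEGIN {
        # Expected values, copied from the tshark output in the answer.
        k[1] = "ip.check_checksum";                  want[k[1]] = "FALSE"
        k[2] = "tcp.check_checksum";                 want[k[2]] = "FALSE"
        k[3] = "tcp.desegment_tcp_streams";          want[k[3]] = "TRUE"
        k[4] = "tls.desegment_ssl_records";          want[k[4]] = "TRUE"
        k[5] = "tls.desegment_ssl_application_data"; want[k[5]] = "TRUE"
    }
    {
        line = $0
        sub(/[ \t\r]+$/, "", line)   # tolerate trailing blanks and CRLF
        sub(/^#/, "", line)          # "#key: value" is a value left at default
        sep = index(line, ": ")
        if (sep == 0) next           # not a "key: value" line
        name = substr(line, 1, sep - 1)
        if (name in want) got[name] = toupper(substr(line, sep + 2))
    }
    END {
        for (i = 1; i <= 5; i++) {
            if (!(k[i] in got)) {
                printf "%s: not in dump\n", k[i]; bad++
            } else if (got[k[i]] != want[k[i]]) {
                printf "%s: is %s, expected %s\n", k[i], got[k[i]], want[k[i]]; bad++
            }
        }
        exit bad + 0
    }'
}

# Constructed sample: a custom profile in which TCP reassembly was turned off
# (the uncommented line is an explicit override of the default).
SAMPLE_CUSTOM='# Whether to validate the IPv4 checksum
#ip.check_checksum: FALSE
#tcp.check_checksum: FALSE
tcp.desegment_tcp_streams: FALSE
#tls.desegment_ssl_records: TRUE
#tls.desegment_ssl_application_data: TRUE'

printf '%s\n' "$SAMPLE_CUSTOM" | check_reassembly_prefs || echo "profile differs from the answer's settings"
```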
Last updated: Jun 25 '21