Ask Your Question

haw can i export the certificate into form der from pcap file with command line tshark and not manually ??

asked 2021-10-22 11:52:31 +0000

djo gravatar image

I have pcap file and I need to export the certificate with tshark command line

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted

answered 2021-10-22 17:13:47 +0000

André gravatar image

updated 2021-10-22 18:50:24 +0000

Using tshark you can get a hexdump for every certificate in a pcap using this command:

tshark -n -Tfields -e tls.handshake.certificate -Y tls.handshake.certificate -r $pcapfile

A TLS certificate message may contain multiple certificates. To split them up, one per line, pipe the output of tshark through the command tr , '\n'.
And to deduplicate the certificates found pipe the output through sort -u command.

Next step is to convert the hexdump into a useful format. For example by converting into DER format by piping the output to this Perl script:

use strict;
my $count = 0;
while (<>) {
    open(FH, '>', sprintf("cert%03d.cer", ++$count)) or die $!;
    print FH (pack "H*", $_);
print "Converted $count certs\n";
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2021-10-22 11:52:31 +0000

Seen: 748 times

Last updated: Oct 22 '21