
How can I export the certificate in DER format from a pcap file with command-line tshark and not manually?

asked 2021-10-22 11:52:31 +0000

djo

I have a pcap file and I need to export the certificate with the tshark command line.


1 Answer


answered 2021-10-22 17:13:47 +0000

André

updated 2021-10-22 18:50:24 +0000

Using tshark you can get a hexdump for every certificate in a pcap using this command:

tshark -n -Tfields -e tls.handshake.certificate -Y tls.handshake.certificate -r $pcapfile

A TLS certificate message may contain multiple certificates. To split them up, one per line, pipe the output of tshark through the command tr , '\n'.
And to deduplicate the certificates found, pipe the output through the sort -u command.

The next step is to convert the hexdump into a useful format, for example by converting it into DER format by piping the output to this Perl script:

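#!/bin/perl
use strict;
use warnings;
my $count = 0;
while (my $line = <>) {
    # Strip the newline and any other whitespace: pack "H*" would otherwise
    # treat the trailing "\n" as a hex digit and append a stray byte.
    $line =~ s/\s+//g;
    next if $line eq '';    # skip empty lines
    open(my $fh, '>', sprintf("cert%03d.cer", ++$count)) or die $!;
    binmode($fh);           # DER is binary; avoid newline translation
    print $fh pack("H*", $line);
    close($fh);
}
print "Converted $count certs\n";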
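An added example, not part of the answer above: a Python version of the conversion step that reads the tshark field output directly (it splits on commas and deduplicates itself), checks that each blob's outer DER SEQUENCE length matches its byte count, and writes one file per unique certificate. The function names, the SHA-256 file naming and the sample lines are assumptions of this example.

```python
import hashlib
import sys
from pathlib import Path

# Constructed sample: tiny DER SEQUENCEs standing in for certificates (not real certs).
SAMPLE = ["3003020105,3003020106\n", "3003020105\n"]

def der_total_length(blob: bytes) -> int:
    """Return the encoded size of the outer DER SEQUENCE, or raise ValueError."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def parse_tshark_fields(lines):
    """Yield (sha256, der_bytes) for each unique certificate in the field output."""
    seen = set()
    for line in lines:
        for field in line.strip().split(","):   # one message may carry several certs
            if not field:
                continue
            # Defensive assumption: tolerate colon-separated hex as well.
            blob = bytes.fromhex(field.replace(":", ""))
            if der_total_length(blob) != len(blob):
                raise ValueError("truncated or padded certificate")
            digest = hashlib.sha256(blob).hexdigest()
            if digest not in seen:
                seen.add(digest)
                yield digest, blob

def export(lines, outdir="."):
    """Write each unique certificate as <sha256>.cer and return the paths."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for digest, blob in parse_tshark_fields(lines):
        path = out / f"{digest}.cer"
        path.write_bytes(blob)
        paths.append(path)
    return paths

if __name__ == "__main__":
    # Usage: tshark ... -r file.pcap | python3 this_script.py [outdir]
    for p in export(sys.stdin, sys.argv[1] if len(sys.argv) > 1 else "."):
        print(p)
```

The length check rejects a blob that carries extra trailing bytes or was cut short in the capture, so a bad conversion fails loudly instead of producing a file with a different fingerprint.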
