Ask Your Question

Tshark select end certificate only

asked 2018-10-10 10:52:28 +0000

Hey all,

I'm doing some research on certificate validity and therefore I'd like to export the Notbefore and Notafter (x509af.utcTime) and some other data using Tshark. Unfortunately this value exists multiple times in the certificate packet (End entity certificate - > Intermediate certificate -> Root certificate (chain of trust)).

I'm desperately looking for a filter variable where I can output this single certificate, without the intermediate and root one.

Thanks in advance!

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-10-12 16:48:06 +0000

cmaynard gravatar image

updated 2018-10-15 13:54:55 +0000

If you're using tshark's -T fields along with -e x509af.utcTime, then you may be able to achieve what you want by making use of the -E occurrence=f option, which will only give you the first occurrence of the field and not all occurrences. Here I'm assuming the first occurrence is the one you're after. Example:

tshark -r file.pcap -Y x509af.utcTime -T fields -e frame.number -e x509af.utcTime -E occurrence=f

From the tshark man page:

occurrence=f|l|a Select which occurrence to use for fields that have multiple occurrences. If f the first occurrence will be used, if l the last occurrence will be used and if a all occurrences will be used (this is the default).

Alternatively, you can specify the occurrence of individual fields by using the gui.column.format option. For example:


tshark -r file.pcap -Y x509af.utcTime -o "gui.column.format:\"No.\",\"%m\",\"x509af.utcTime\",\"%Cus:x509af.utcTime:1\""


tshark -r file.pcap -Y x509af.utcTime -o 'gui.column.format:"No.","%m","x509af.utcTime","%Cus:x509af.utcTime:1"'

Run tshark -G column-formats for help with built-in column formats, such as %m.

edit flag offensive delete link more


Thanks for your extended reply! This already helped me a lot. Unfortunately the occurrence option returns the first occurrence in every frame, for instance in my sample pcap this is the output:

12      18-08-18 00:00:00 (UTC)
90      18-09-25 07:43:00 (UTC)
168     18-07-30 00:00:00 (UTC)
203     18-08-14 00:00:00 (UTC)
248     18-09-25 07:43:00 (UTC)
256     18-09-25 07:43:00 (UTC)
268     18-09-25 07:43:00 (UTC)
399     18-09-26 14:39:15 (UTC)
491     18-09-26 14:39:15 (UTC)

With some custom scripting i could get the first value out of this array, but preferably I would like to have a command that does this instantly (so output = 18-08-18 00:00:00 (UTC))

wessel145 gravatar imagewessel145 ( 2018-10-15 10:05:36 +0000 )edit

I can't think of a way to accomplish that without piping the output to something else, with the simplest solution probably being to pipe it to head -n 1.

cmaynard gravatar imagecmaynard ( 2018-10-15 13:56:07 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-10-10 10:52:28 +0000

Seen: 32 times

Last updated: 15 hours ago