Hi, I have been working with Wireshark for years particularly as I use the Riverbed trace analysis programs daily. I found ways on the Internet to extract certificates from an SSL session trace. All the info I found seems to speak about fields I don't find in my version of WS (I tried 2.4.0 and 2.6.3. Expanding the SSL details on my trace shows:
Frame 3871: 1402 bytes on wire (11216 bits), 256 bytes captured (2048 bits)
Ethernet II, Src: Cisco_f3:00:11 (d4:2c:44:f3:00:11), Dst: HewlettP_6f:21:d0 (f4:39:09:6f:21:d0)
Internet Protocol Version 4, Src: xxx.xxx.xxx.xxx, Dst: xxx.xxx.xxx.xxx
Transmission Control Protocol, Src Port: 8080, Dst Port: 57248, Seq: 40, Ack: 752, Len: 1348
Hypertext Transfer Protocol
Secure Sockets Layer
TLSv1.3 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 122
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 118
Version: TLS 1.2 (0x0303)
Random: 679cb032893ff093df50b2aad0ef633b8e1923abb79837f8...
Session ID Length: 32
Session ID: f8046d1805478fa3cc6658da57be9a03ba6807a79094af06...
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Compression Method: null (0)
Extensions Length: 46
Extension: key_share (len=36)
Extension: supported_versions (len=2)
TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
I understand I should find the certificate line and click right to export, but there is no certificate line. What am I doing wrong or not seeing?
Thanks
Marc
