Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

How to extract certificate from SSL session setup trace

Hi, I have been working with Wireshark for years particularly as I use the Riverbed trace analysis programs daily. I found ways on the Internet to extract certificates from an SSL session trace. All the info I found seems to speak about fields I don't find in my version of WS (I tried 2.4.0 and 2.6.3. Expanding the SSL details on my trace shows:

Frame 3871: 1402 bytes on wire (11216 bits), 256 bytes captured (2048 bits)
Ethernet II, Src: Cisco_f3:00:11 (d4:2c:44:f3:00:11), Dst: HewlettP_6f:21:d0 (f4:39:09:6f:21:d0)
Internet Protocol Version 4, Src:, Dst:
Transmission Control Protocol, Src Port: 8080, Dst Port: 57248, Seq: 40, Ack: 752, Len: 1348
Hypertext Transfer Protocol 
Secure Sockets Layer
 TLSv1.3 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 122
    Handshake Protocol: Server Hello
        Handshake Type: Server Hello (2)
        Length: 118
        Version: TLS 1.2 (0x0303)
        Random: 679cb032893ff093df50b2aad0ef633b8e1923abb79837f8...
        Session ID Length: 32
        Session ID: f8046d1805478fa3cc6658da57be9a03ba6807a79094af06...
        Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
        Compression Method: null (0)
        Extensions Length: 46
        Extension: key_share (len=36)
        Extension: supported_versions (len=2)
 TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    Content Type: Change Cipher Spec (20)
    Version: TLS 1.2 (0x0303)
    Length: 1
    Change Cipher Spec Message

I understand I should find the certificate line and click right to export, but there is no certificate line. What am I doing wrong or not seeing?