This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

x509 decode with tshark

0

Hello. I have a great problem using tshark. I have a pcap file with an SSL certificate. After pressing «Decode as -> Certificate» in Wireshark I see something like the picture below. Every field has its real name.


But when I'm trying to open and decode this cert file in tshark, I see something like the next picture: the fields are decoded correctly, but I don't see the field names (subjectPublicKey, etc.)! I start tshark with a command like this:

C:\ tshark.exe -r D:\cert.cap -d ber.syntax==,x509af -T pdml -V > res.txt

    <field name="" show="SEQUENCE" size="137" pos="34" value="310b3009060355040613023836310f300d0603550408130666756a69616e310f300d060355040713067869616d656e3110300e060355040a13077965616c696e6b31143012060355040b130b646576656c6f706d656e743110300e060355040313077965616c696e6b311e301c06092a864886f70d010901160f787978407965616c696e6b2e636f6d">
      <field name="" show="SET" size="15" pos="49" value="300d0603550408130666756a69616e">
        <field name="" show="SEQUENCE" size="13" pos="51" value="0603550408130666756a69616e">
          <field name="ber.unknown.OID" showname="OID: 2.5.4.8 (id-at-stateOrProvinceName)" size="3" pos="53" show="2.5.4.8" value="550408"/>
          <field name="ber.unknown.PrintableString" showname="PrintableString: fujian" size="6" pos="58" show="fujian" value="66756a69616e"/>
      <field name="" show="SET" size="15" pos="66" value="300d060355040713067869616d656e">
        <field name="" show="SEQUENCE" size="13" pos="68" value="060355040713067869616d656e">
          <field name="ber.unknown.OID" showname="OID: 2.5.4.7 (id-at-localityName)" size="3" pos="70" show="2.5.4.7" value="550407"/>
    </pdml>

Please answer me: how can I decode an x509 certificate in tshark and get all the information about the certificate into the output file? Please write an example of a tshark command for an x509 certificate!

It is very important for me. I've been trying to find an answer for 3 weeks, but the results are still next to zero! With great regards, Dmitriy.

asked 27 Dec '12, 02:14

pemolux
accept rate: 0%
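The PDML in the question already contains what is needed to recover the missing names: the unnamed SEQUENCE's `value` attribute is the DER-encoded X.509 Name, and the OID inside each attribute identifies it (2.5.4.8 is id-at-stateOrProvinceName). The parser below is an added example, not code from pemolux, Kurt, or the Wireshark project; it walks those DER bytes and labels every attribute without relying on the x509af dissector. The sample input is the 137-byte `value` from the first PDML line above, re-wrapped in its SEQUENCE header (0x30 with long-form length 0x81 0x89), which is an assumption about how the dissector sliced the field; the OID table covers only the attribute types that appear in this thread.

```python
"""Label the attributes of a DER-encoded X.509 Name by their OIDs (added example)."""
from typing import Iterator, List, Tuple

TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_IA5STRING = 0x16
TAG_SEQUENCE = 0x30
TAG_SET = 0x31

# Attribute types seen in this thread's subject name (X.520 and PKCS#9).
OID_NAMES = {
    "2.5.4.3": "id-at-commonName",
    "2.5.4.6": "id-at-countryName",
    "2.5.4.7": "id-at-localityName",
    "2.5.4.8": "id-at-stateOrProvinceName",
    "2.5.4.10": "id-at-organizationName",
    "2.5.4.11": "id-at-organizationalUnitName",
    "1.2.840.113549.1.9.1": "pkcs-9-at-emailAddress",
}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER element at buf[pos]; return (tag, contents, end offset).

    Single-octet tags and definite lengths (short or long form) cover
    everything inside a Name; indefinite (BER-only) lengths are rejected.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, contents) for each sibling element packed in buf."""
    pos = 0
    while pos < len(buf):
        tag, contents, pos = read_tlv(buf, pos)
        yield tag, contents


def decode_oid(raw: bytes) -> str:
    """Decode OID contents to dotted form, e.g. 55 04 08 -> '2.5.4.8'."""
    arcs: List[int] = []
    value = 0
    for octet in raw:
        value = (value << 7) | (octet & 0x7F)
        if octet & 0x80:  # continuation bit set: more base-128 digits follow
            continue
        if not arcs:  # the first sub-identifier packs the first two arcs
            arcs.extend([2, value - 80] if value >= 80 else [value // 40, value % 40])
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))


def decode_string(tag: int, raw: bytes) -> str:
    """Render a directory-string value; unknown string types are shown as hex."""
    if tag in (TAG_PRINTABLESTRING, TAG_IA5STRING):
        return raw.decode("ascii")
    if tag == TAG_UTF8STRING:
        return raw.decode("utf-8")
    return raw.hex()


def decode_name(der: bytes) -> List[Tuple[str, str, str]]:
    """Walk Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value ANY }.

    Returns one (oid, attribute name, value) triple per attribute, in order.
    """
    tag, rdn_sequence, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("Name must be a single SEQUENCE")
    attrs = []
    for set_tag, rdn in iter_tlvs(rdn_sequence):
        if set_tag != TAG_SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        for atv_tag, atv in iter_tlvs(rdn):
            if atv_tag != TAG_SEQUENCE:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            (oid_tag, oid_raw), (val_tag, val_raw) = iter_tlvs(atv)  # exactly two children
            if oid_tag != TAG_OID:
                raise ValueError("attribute type must be an OID")
            oid = decode_oid(oid_raw)
            attrs.append((oid, OID_NAMES.get(oid, "unknown"), decode_string(val_tag, val_raw)))
    return attrs


def name_to_string(der: bytes) -> str:
    """Join attributes as 'name=value' pairs, e.g. 'id-at-countryName=86, ...'."""
    return ", ".join(f"{name}={value}" for _, name, value in decode_name(der))


# Sample input: the 137-byte 'value' of the unnamed SEQUENCE in the question's PDML,
# re-wrapped in its SEQUENCE header (assumed: 0x30, long-form length 0x81 0x89).
SAMPLE_NAME_DER = bytes.fromhex(
    "308189"
    "310b3009060355040613023836"
    "310f300d0603550408130666756a69616e"
    "310f300d060355040713067869616d656e"
    "3110300e060355040a13077965616c696e6b"
    "31143012060355040b130b646576656c6f706d656e74"
    "3110300e060355040313077965616c696e6b"
    "311e301c06092a864886f70d010901160f787978407965616c696e6b2e636f6d"
)

if __name__ == "__main__":
    for oid, name, value in decode_name(SAMPLE_NAME_DER):
        print(f"OID: {oid} ({name}) = {value}")
```

Running it prints one line per attribute in the same form as tshark's `showname` for the OID leaves (country 86, state fujian, locality xiamen, and so on), which is the labelled output the question asks for. Because `decode_name` checks every tag and length before trusting it, a truncated or malformed blob raises ValueError instead of silently producing a partial name.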


One Answer:

1

The best you can do in tshark is to run one of these commands and parse the output.

tshark -nr ssl.pcap -R "ssl.handshake.certificates" -T pdml
tshark -nr ssl.pcap -R "ssl.handshake.certificates" -V

They will contain all you are interested in. The 'fields' may differ in format and naming, but they are all there.

BTW: What is your tshark version (tshark -v)? You may need to upgrade to get the full functionality!

UPDATE

After some conversation, I figured out that a certificate file (test.cer) was loaded into Wireshark.

I have a certificate - I post my real test certificate here (http://files.mail.ru/U9AG66)

Well, that is a certificate and not a pcap file. Wireshark is absolutely the wrong tool to decode that file.

What you need is openssl

openssl x509 -inform der -in test.cer -text

You can download it from openssl.org (Windows) or install it with your standard Linux package manager (apt-get, yum, etc.).

Regards
Kurt

answered 27 Dec '12, 02:41

Kurt Knochner ♦
accept rate: 15%

edited 27 Dec '12, 23:27

Thank you for your answer, Kurt! I use the latest stable version 1.8.4. I have tried your commands, but nothing new... I don't see any field names, only their values, as I saw before.

(27 Dec '12, 03:47) pemolux

Strange, I do see all of them. They are indeed 'encoded', but easy to parse.

My example: SSL/TLS on google

https://www.cloudshark.org/captures/3d893662f9fe

Output of tshark -nr google_ssl.pcap -R "ssl.handshake.certificates" -T pdml

http://pastebin.com/sfDfd7GK

Output of tshark -nr google_ssl.pcap -R "ssl.handshake.certificates" -V

http://pastebin.com/SWmscAX2

If you look at that output, what are you missing?

(27 Dec '12, 05:00) Kurt Knochner ♦

Thanks! I don't see the "name" values, the first values of "field". For example, the container

field name="x509af.subjectPublicKeyInfo" showname="subjectPublicKeyInfo" size="162" pos="264" show="" value=""

I see like this:

field name="" showname="" size="162" pos="264" show="" value=""

Moreover, when I try to parse the certificate with your command, tshark doesn't print any results. When I try to parse with the option -d ber.syntax==,x509af, as I wrote before, it works, but does not print field names.

Could you try to parse your cert with my code sample? C:\ tshark.exe -r D:\cert.cap -d ber.syntax==,x509af -T pdml -V > res.txt

It's very interesting for me: will my problem repeat on your computer?

With Great Regards, Dmitriy

(27 Dec '12, 05:27) pemolux
1

Thanks! I don't see the "name" values, the first values of "field". For example, the container

Well, I do see them:

from: http://pastebin.com/sfDfd7GK

issuer: <field name="x509af.issuer" showname="issuer: rdnSequence (0)" size="72" pos="55" show="0"
validity: <field name="x509af.validity" showname="validity" size="32" pos="127" show="" value=""
not Before: <field name="x509af.notBefore" showname="notBefore: utcTime (0)" size="15" pos="129" show="0" value="

from: http://pastebin.com/SWmscAX2

issuer: issuer: rdnSequence (0)
validity:

                       validity
                            notBefore: utcTime (0)
                                utcTime: 04-05-13 00:00:00 (UTC)
                            notAfter: utcTime (0)
                                utcTime: 14-05-12 23:59:59 (UTC)

You just need to extract the data of those fields. The format is different with -V and -T pdml, but the content is the same.

So again, what is exactly missing in the output of tshark?

Moreover, when I try to parse the certificate with your command, tshark doesn't print any results.

Some questions:

  • Did you check my sample files, or did you try to re-create the output with your capture file?
  • Is your sample an HTTPS connection or something different?
  • Does it use the standard port 443 or a different port (you mentioned 'decode as')?
  • Can you post your capture file somewhere?

Could you try to parse your cert with my code sample? C:\ tshark.exe -r D:\cert.cap -d ber.syntax==,x509af -T pdml -V > res.txt

The output is the same as with my command, just a lot more, as you did not restrict it to 'ssl.handshake.certificate'.

(27 Dec '12, 06:36) Kurt Knochner ♦

First of all, take my regards for your help!

My real situation is described below:

1) I have a certificate - I post my real test certificate here (http://files.mail.ru/U9AG66)

2) If I change its extension to *.pcap, then open this file with Wireshark, then make "Decode as... -> Certificate", I will have a good result, something like the first picture in my first post.

Now I want to get the same results with tshark for this test.pcap file.

3) I start tshark with my command: C:\Program Files\Wireshark\tshark.exe -r D:\cert.pcap -d ber.syntax==,x509af -T pdml -V > res.txt

Here is the value of res.txt - http://pastebin.com/EUVcpjXd

4) I start tshark with your command: C:\Program Files\Wireshark\tshark.exe -nr D:\cert.pcap -R "ssl.handshake.certificates" -T pdml > res.txt

Here is the value of res.txt - http://pastebin.com/qdFDaNGX

As you can see, the first sample has no field names. The second sample doesn't have any decoded values at all. This is the real situation, and I want to find a solution for THIS situation. I could try to parse it without field names, but it would become a big problem.

(27 Dec '12, 11:29) pemolux

1) I have a certificate - I post my real test certificate here (http://files.mail.ru/U9AG66)

Well, that is a certificate and not a pcap file. Wireshark is absolutely the wrong tool to decode that file.

What you need is openssl

openssl x509 -inform der -in test.cer -text

You can download it from openssl.org (Windows) or install it with your standard Linux package manager (apt-get, yum, etc.).

Regards
Kurt

(27 Dec '12, 11:37) Kurt Knochner ♦