Wireshark mailing list archives

Re: tshark reassembled TLSv1 record: Can it display certificate attributes for each certificate in a chain?


From: Guy Harris <guy () alum mit edu>
Date: Fri, 18 Dec 2009 15:40:29 -0800


On Dec 18, 2009, at 3:00 PM, Magnuson, Steve wrote:

> Is there a way to tell tshark to display, for example, x509sat.printableString and x509af.utcTime attributes for each 
> certificate in a certificate chain?

Not with "-T fields" and "-e".  See below.

> This command will only show the attributes for the first certificate in a certificate chain in a reassembled TLSv1 
> record:
>
> tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e x509sat.printableString -e x509af.utcTime
>
> In Wireshark, it shows the reassembled certificate chain and you can look at attributes for each certificate, but 
> tshark only shows the attributes for the first certificate - unless I'm missing something.

"-T text" (or no "-T" flag, as "text" is the default) plus "-V" will show all the certificates, just as Wireshark will 
(not surprising, as they're showing the same thing - the packet details).

"-T fields" + "-e {field}" only shows the first instance of {field} that it finds.  Note that if it were to be changed 
to print more instances, the resulting output would have to be parseable regardless of how many instances of {field} 
are in a packet, even if different packets in the capture have different numbers of instances of the field.  (I.e., 
printing all instances, with tabs or other separators between them, is not the answer; that could be made to work if 
only one of the fields being displayed has multiple instances, as that could be made the last field in the line, but 
won't work if more than one of the fields could have multiple instances.  It might require some tag+value format, so 
that each field value in the output for a packet is tagged with the field name.)
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
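
Added example (not part of the original message, and not Wireshark code): one way to get every instance of a field is to post-process tshark's XML output ("-T pdml") and emit the tag+value form discussed above, so packets with different numbers of certificates stay parseable. The PDML sample is constructed, and the function names and the name=value line format are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed PDML in the shape `tshark -T pdml` emits; not from a real capture.
# Packet 1 carries a two-certificate chain, packet 2 a single certificate.
SAMPLE_PDML = """<pdml>
<packet>
 <proto name="ip"><field name="ip.src" show="192.0.2.10"/></proto>
 <proto name="ssl">
  <field name="ssl.handshake.certificate">
   <field name="x509sat.printableString" show="Example Server"/>
   <field name="x509af.utcTime" show="09-01-01 00:00:00 (UTC)"/>
  </field>
  <field name="ssl.handshake.certificate">
   <field name="x509sat.printableString" show="Example CA"/>
   <field name="x509af.utcTime" show="05-01-01 00:00:00 (UTC)"/>
  </field>
 </proto>
</packet>
<packet>
 <proto name="ip"><field name="ip.src" show="192.0.2.30"/></proto>
 <proto name="ssl">
  <field name="ssl.handshake.certificate">
   <field name="x509sat.printableString" show="Other Server"/>
  </field>
 </proto>
</packet>
</pdml>"""

def escape_value(value):
    # Field values come from certificates sent by the peer; escape the
    # separators so a value cannot break the one-line-per-packet format.
    return value.replace("\\", "\\\\").replace("\t", "\\t").replace("\n", "\\n")

def tagged_fields(pdml_text, wanted):
    """Per packet, every instance of the wanted fields as (name, value), in order."""
    root = ET.fromstring(pdml_text)
    return [[(f.get("name"), f.get("show", ""))
             for f in pkt.iter("field") if f.get("name") in wanted]
            for pkt in root.iter("packet")]

def format_packet(pairs):
    """One line per packet: tab-separated name=value, any number of instances."""
    return "\t".join(f"{name}={escape_value(value)}" for name, value in pairs)

if __name__ == "__main__":
    wanted = {"ip.src", "x509sat.printableString", "x509af.utcTime"}
    for pairs in tagged_fields(SAMPLE_PDML, wanted):
        print(format_packet(pairs))
```

On a real capture the input would come from "tshark -r capture.pcap -T pdml" instead of the embedded sample.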

